On Thu, Apr 16, 2020 at 05:49:05PM +0100, Stefan Hajnoczi wrote: > virtiofsd doesn't need of all Linux capabilities(7) available to root. Keep a > whitelisted set of capabilities that we require. This improves security in > case virtiofsd is compromised by making it hard for an attacker to gain > further > access to the system.
Hi Stefan, Good to see this patch. We needed to limit capabilities to reduce attack surface. What tests have you run to make sure this current set of whitelisted capabilities is good enough. Vivek > > Stefan Hajnoczi (2): > virtiofsd: only retain file system capabilities > virtiofsd: drop all capabilities in the wait parent process > > tools/virtiofsd/passthrough_ll.c | 51 ++++++++++++++++++++++++++++++++ > 1 file changed, 51 insertions(+) > > -- > 2.25.1 >
