On Wed, Apr 29, 2020 at 02:47:33PM +0200, Miklos Szeredi wrote:
> While it's not possible to escape the proc filesystem through
> lo->proc_self_fd, it is possible to escape to the root of the proc
> filesystem itself through "../..".
>
> Use a temporary mount for opening lo->proc_self_fd, that has its root at
> /proc/self/fd/, preventing access to the ancestor directories.
>
> Signed-off-by: Miklos Szeredi <mszer...@redhat.com>
> ---
> tools/virtiofsd/passthrough_ll.c | 27 +++++++++++++++++++++++++--
> 1 file changed, 25 insertions(+), 2 deletions(-)
Good idea! It's important to note that the proc file system is already mounted within a new pid namespace. Therefore the only process visible is our own process and we don't need to worry about /proc/$PID. However, there are a bunch of other files in /proc. Some of them are protected by capability checks like /proc/kcore and virtiofsd is unable to access them, but it's hard to guarantee that they are all off limits. Better safe than sorry!

Reviewed-by: Stefan Hajnoczi <stefa...@redhat.com>
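The jailing idea the patch describes, together with the check a reviewer would want, as an added illustration that is not QEMU's or virtiofsd's code: bind-mount /proc/self/fd onto itself, hold an O_PATH fd on it, then lazily unmount it, so the fd is the root of a detached mount and "../.." has nowhere to climb. The names `dotdot_stays_put` and `open_jailed_proc_self_fd` are this example's own; the jailed setup needs CAP_SYS_ADMIN on Linux, the check itself does not.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Returns 1 if "../.." resolved relative to dirfd lands back on the same
 * directory (dirfd is a root that ".." cannot leave), 0 if the walk reaches
 * a different directory (an escape is possible), -1 on error.
 */
static int dotdot_stays_put(int dirfd)
{
    struct stat here, up;
    int upfd = openat(dirfd, "../..", O_PATH | O_DIRECTORY);
    if (upfd < 0 || fstat(dirfd, &here) < 0 || fstat(upfd, &up) < 0) {
        if (upfd >= 0) close(upfd);
        return -1;
    }
    close(upfd);
    return here.st_dev == up.st_dev && here.st_ino == up.st_ino;
}

/* Convenience wrapper: open a path and run the check on it. */
static int dotdot_stays_put_at(const char *path)
{
    int fd = open(path, O_PATH | O_DIRECTORY);
    int r = fd < 0 ? -1 : dotdot_stays_put(fd);
    if (fd >= 0) close(fd);
    return r;
}

/*
 * Open /proc/self/fd as the root of a detached mount (needs CAP_SYS_ADMIN).
 * Bind-mounting the directory on itself turns it into a mount point; the
 * O_PATH fd keeps that mount alive after MNT_DETACH removes it from the
 * tree, and a detached mount is its own parent, so ".." stops at its root.
 */
static int open_jailed_proc_self_fd(void)
{
    const char *p = "/proc/self/fd";
    if (mount(p, p, NULL, MS_BIND, NULL) < 0) return -1;
    int fd = open(p, O_PATH | O_DIRECTORY);
    if (umount2(p, MNT_DETACH) < 0 && fd >= 0) { close(fd); return -1; }
    return fd;
}

int main(void)
{
    printf("plain /proc/self/fd, ../.. stays put: %d\n", dotdot_stays_put_at("/proc/self/fd"));
    int jailed = open_jailed_proc_self_fd();
    if (jailed < 0) { perror("jailed open (needs CAP_SYS_ADMIN)"); return 1; }
    printf("jailed /proc/self/fd, ../.. stays put: %d\n", dotdot_stays_put(jailed));
    return 0;
}
```

On the unpatched layout the first line prints 0 (the walk reaches /proc); with the detached mount it prints 1.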