On Wed, Jun 17, 2020, at 8:50 AM, Stefan Hajnoczi wrote:

> Something along these lines should work. Hopefully seccomp can be
> retained. It would also be necessary to check how not having the shared
> directory as / in the mount namespace affects functionality. For one,
> I'm pretty sure symlink escapes and similar path traversals outside the
> shared directory will be possible since virtiofsd normally relies on /
> as protection.

Yes, though two points:

- As I said, I don't care about that for my use case; the operating system 
we're testing is going to e.g. run on bare metal hosting workloads itself, so 
if it's malicious we have already lost (reliability against *accidental* damage 
is always nice though, like a stray rm -rf in some test script walking into the 
host)
- Probably the best long term fix would be to use 
https://lwn.net/Articles/796868/ anyways

Reply via email to