On Fri, Jun 19, 2020 at 04:16:30PM +0200, Miklos Szeredi wrote: > On Thu, Jun 18, 2020 at 9:08 PM Vivek Goyal <vgo...@redhat.com> wrote: > > > > On Thu, Apr 16, 2020 at 05:49:05PM +0100, Stefan Hajnoczi wrote: > > > virtiofsd doesn't need of all Linux capabilities(7) available to root. > > > Keep a > > > whitelisted set of capabilities that we require. This improves security > > > in > > > case virtiofsd is compromised by making it hard for an attacker to gain > > > further > > > access to the system. > > > > Hi Stefan, > > > > I just noticed that this patch set breaks overlayfs on top of virtiofs. > > How so? Virtiofs isn't mounting overlayfs, is it? Only the mounter > requires CAP_SYS_ADMIN, not the accessor.
virtiofsd needs CAP_SYS_ADMIN, otherwise fsetxattr(trusted.overlay.opaque) fails in lo_setxattr(). This is triggered when we mount overlayfs on top of virtiofs and overlayfs tries to set OVL_XATTR_OPAQUE on upper to check if trusted xattrs are supported or not. Thanks Vivek
