On Tue, Jan 26, 2021 at 11:18 AM Stefan Hajnoczi <stefa...@redhat.com> wrote:
>
> On Mon, Jan 25, 2021 at 05:12:23PM +0100, Miklos Szeredi wrote:
> > On Thu, Jan 21, 2021 at 3:44 PM Stefan Hajnoczi <stefa...@redhat.com> wrote:
> > >
> > > This patch adds the missing checks to virtiofsd. This is a short-term
> > > solution because it does not prevent a compromised virtiofsd process
> > > from opening device nodes on the host.
> >
> > I think the proper solution is adding support to the host in order to
> > restrict opens on filesystems that virtiofsd has access to.
> >
> > My idea was to add a "force_nodev" mount option that cannot be
> > disabled and will make propagated mounts also be marked
> > "force_nodev,nodev".
>
> Interesting idea! Mount options that are relevant:
> * noexec
> * nosuid
> * nodev
> * nosymfollow
>
> Do you have time to work on the force_* mount options?
Not at the moment, but first we need to probe Al to see if this idea sticks...

> > A possibly simpler solution is to extend seccomp to restrict the
> > process itself from being able to open special files. Not sure if
> > that's within the scope of seccomp though.
>
> I don't think seccomp can provide that restriction since it's unrelated
> to the syscall or its arguments.

How about selinux, then?

Thanks,
Miklos
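The thread above discusses a process-side check that refuses to open device nodes (the "short-term" fix) versus enforcing it on the host via a mount option. As an added illustration of what such an in-process check looks like, and why seccomp alone cannot express it (the decision depends on the inode type, not on the syscall or its arguments), here is a small C example. It is not virtiofsd's code and not the patch under discussion; the helper names (`open_no_special`, `probe_fixture`) and the scratch directory with a regular file, FIFO, symlink and subdirectory are constructed for this demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* File types a host-side file server should refuse to open on behalf of a
 * guest: device nodes, FIFOs and sockets. Regular files and directories pass. */
int is_special_mode(mode_t mode)
{
    return S_ISCHR(mode) || S_ISBLK(mode) || S_ISFIFO(mode) || S_ISSOCK(mode);
}

/* Open `name` under `dirfd` read-only, refusing special files and symlinks.
 * Returns an fd, or -1 with errno set (EPERM for special files, ELOOP for a
 * symlink because of O_NOFOLLOW). Hypothetical helper, not virtiofsd's. */
int open_no_special(int dirfd, const char *name)
{
    struct stat st;

    /* Pre-check with lstat semantics so that in the normal case a device
     * node is never opened at all (opening some devices has side effects). */
    if (fstatat(dirfd, name, &st, AT_SYMLINK_NOFOLLOW) == -1)
        return -1;
    if (is_special_mode(st.st_mode)) {
        errno = EPERM;
        return -1;
    }

    /* O_NOFOLLOW rejects symlinks; O_NONBLOCK keeps a FIFO swapped in after
     * the stat from blocking us; O_NOCTTY keeps a tty from becoming ours. */
    int fd = openat(dirfd, name,
                    O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY | O_CLOEXEC);
    if (fd == -1)
        return -1;

    /* Re-check on the descriptor itself: it is bound to the inode actually
     * opened, so a swap between the stat and the open cannot pass this test. */
    if (fstat(fd, &st) == -1) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (is_special_mode(st.st_mode)) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed fixture: a scratch directory holding a regular file, a FIFO,
 * a symlink and a subdirectory. Runs open_no_special() on `name`, cleans up
 * and returns 1 if the open succeeded, 0 if it was refused, -1 on setup error. */
int probe_fixture(const char *name)
{
    char tmpl[] = "/tmp/nodevchk-XXXXXX";
    if (mkdtemp(tmpl) == NULL)
        return -1;
    int dirfd = open(tmpl, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd == -1)
        return -1;

    int rfd = openat(dirfd, "regular", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (rfd != -1)
        close(rfd);
    int ok = rfd != -1
          && mkfifoat(dirfd, "fifo", 0600) == 0
          && symlinkat("regular", dirfd, "link") == 0
          && mkdirat(dirfd, "subdir", 0700) == 0;

    int result = -1;
    if (ok) {
        int fd = open_no_special(dirfd, name);
        result = fd != -1;
        if (fd != -1)
            close(fd);
    }

    /* Best-effort cleanup of the scratch directory. */
    unlinkat(dirfd, "regular", 0);
    unlinkat(dirfd, "fifo", 0);
    unlinkat(dirfd, "link", 0);
    unlinkat(dirfd, "subdir", AT_REMOVEDIR);
    close(dirfd);
    rmdir(tmpl);
    return result;
}

int main(void)
{
    const char *names[] = { "regular", "subdir", "fifo", "link", "missing" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-8s -> %s\n", names[i],
               probe_fixture(names[i]) == 1 ? "opened" : "refused");
    return 0;
}
```

The pre-check avoids touching a device in the common case and the post-open `fstat()` closes the stat/open race, but a device swapped in between the two calls is still briefly opened by the driver. A stricter variant opens with `O_PATH` (which does not invoke the driver's open at all), verifies the type on that descriptor, and reopens it through `/proc/self/fd`; that is the pattern Linux offers for this. None of these checks survive a compromised process, which is the point of the thread: a mount-level `nodev` that the process cannot undo is enforced by the kernel regardless of what the process does.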