[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Virtio-fs] [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o
From: |
Vivek Goyal |
Subject: |
Re: [Virtio-fs] [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option |
Date: |
Wed, 22 Jul 2020 14:17:10 -0400 |
On Wed, Jul 22, 2020 at 02:02:05PM +0100, Stefan Hajnoczi wrote:
> virtiofsd cannot run in an unprivileged container because CAP_SYS_ADMIN
> is required to create namespaces.
>
> Introduce a weaker sandbox that is sufficient in container environments
> because the container runtime already sets up namespaces. Use chroot to
> restrict path traversal to the shared directory.
>
> virtiofsd loses the following:
>
> 1. Mount namespace. The process chroots to the shared directory but
> leaves the mounts in place. Seccomp rejects mount(2)/umount(2)
> syscalls.
>
> 2. Pid namespace. This should be fine because virtiofsd is the only
> process running in the container.
>
> 3. Network namespace. This should be fine because seccomp already
> rejects the connect(2) syscall, but an additional layer of security
> is lost. Container runtime-specific network security policies can be
> used drop network traffic (except for the vhost-user UNIX domain
> socket).
>
> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> ---
> tools/virtiofsd/helper.c | 3 +++
> tools/virtiofsd/passthrough_ll.c | 44 ++++++++++++++++++++++++++++++--
> 2 files changed, 45 insertions(+), 2 deletions(-)
>
> diff --git a/tools/virtiofsd/helper.c b/tools/virtiofsd/helper.c
> index 3105b6c23a..7421c9ca1a 100644
> --- a/tools/virtiofsd/helper.c
> +++ b/tools/virtiofsd/helper.c
> @@ -151,6 +151,9 @@ void fuse_cmdline_help(void)
> " -o cache=<mode> cache mode. could be one of
> \"auto, "
> "always, none\"\n"
> " default: auto\n"
> + " -o chroot|no_chroot use container-friendly chroot
> instead\n"
> + " of stronger mount namespace
> sandbox\n"
> + " default: false\n"
This option name disabling namespace setup is little confusing to me.
Will it make sense to provide another option to disable/enable
namespaces. "-o no-namespaces" and that disables setting up
namespaces.
Thanks
Vivek
> " -o flock|no_flock enable/disable flock\n"
> " default: no_flock\n"
> " -o log_level=<level> log level, default to \"info\"\n"
> diff --git a/tools/virtiofsd/passthrough_ll.c
> b/tools/virtiofsd/passthrough_ll.c
> index 50a164a599..990c0a8a70 100644
> --- a/tools/virtiofsd/passthrough_ll.c
> +++ b/tools/virtiofsd/passthrough_ll.c
> @@ -139,6 +139,7 @@ enum {
>
> struct lo_data {
> pthread_mutex_t mutex;
> + int chroot; /* 1 - use chroot, 0 - use mount namespace */
> int debug;
> int writeback;
> int flock;
> @@ -162,6 +163,8 @@ struct lo_data {
> };
>
> static const struct fuse_opt lo_opts[] = {
> + { "chroot", offsetof(struct lo_data, chroot), 1 },
> + { "no_chroot", offsetof(struct lo_data, chroot), 0 },
> { "writeback", offsetof(struct lo_data, writeback), 1 },
> { "no_writeback", offsetof(struct lo_data, writeback), 0 },
> { "source=%s", offsetof(struct lo_data, source), 0 },
> @@ -2665,6 +2668,37 @@ static void setup_capabilities(char *modcaps_in)
> pthread_mutex_unlock(&cap.mutex);
> }
>
> +/*
> + * Use chroot as a weaker sandbox for environment where the process is
> launched
> + * without CAP_SYS_ADMIN.
> + */
> +static void setup_chroot(struct lo_data *lo)
> +{
> + lo->proc_self_fd = open("/proc/self/fd", O_PATH);
> + if (lo->proc_self_fd == -1) {
> + fuse_log(FUSE_LOG_ERR, "open(\"/proc/self/fd\", O_PATH): %m\n");
> + exit(1);
> + }
> +
> + /*
> + * Make the shared directory the file system root so that FUSE_OPEN
> + * (lo_open()) cannot escape the shared directory by opening a symlink.
> + *
> + * It's still possible to escape the chroot via lo->proc_self_fd but that
> + * requires gaining control of the process first.
> + */
> + if (chroot(lo->source) != 0) {
> + fuse_log(FUSE_LOG_ERR, "chroot(\"%s\"): %m\n", lo->source);
> + exit(1);
> + }
> +
> + /* Move into the chroot */
> + if (chdir("/") != 0) {
> + fuse_log(FUSE_LOG_ERR, "chdir(\"/\"): %m\n");
> + exit(1);
> + }
> +}
> +
> /*
> * Lock down this process to prevent access to other processes or files
> outside
> * source directory. This reduces the impact of arbitrary code execution
> bugs.
> @@ -2672,8 +2706,13 @@ static void setup_capabilities(char *modcaps_in)
> static void setup_sandbox(struct lo_data *lo, struct fuse_session *se,
> bool enable_syslog)
> {
> - setup_namespaces(lo, se);
> - setup_mounts(lo->source);
> + if (lo->chroot) {
> + setup_chroot(lo);
> + } else {
> + setup_namespaces(lo, se);
> + setup_mounts(lo->source);
> + }
> +
> setup_seccomp(enable_syslog);
> setup_capabilities(g_strdup(lo->modcaps));
> }
> @@ -2820,6 +2859,7 @@ int main(int argc, char *argv[])
> struct fuse_session *se;
> struct fuse_cmdline_opts opts;
> struct lo_data lo = {
> + .chroot = 0,
> .debug = 0,
> .writeback = 0,
> .posix_lock = 1,
> --
> 2.26.2
>
> _______________________________________________
> Virtio-fs mailing list
> Virtio-fs@redhat.com
> https://www.redhat.com/mailman/listinfo/virtio-fs
[PATCH for-5.1 3/3] virtiofsd: probe unshare(CLONE_FS) and print an error, Stefan Hajnoczi, 2020/07/22