[Libguestfs] [PATCH] daemon: always provide stdin when running chroot commands (RHBZ#1280029)

Richard W.M. Jones rjones at redhat.com
Tue Dec 1 17:50:06 UTC 2015


On Tue, Dec 01, 2015 at 06:29:01PM +0100, Mateusz Guzik wrote:
> CHROOT_OUT is mere chroot ("."), which suggests that the cwd for
> virt-builder is "/". This means anything using aforementioned construct
> has to use absolute paths, otherwise it looks names up against the real
> "/". For current code it would make sense to somehow check if all
> passed paths are absolute (if not by code inspection, one can try to
> cook up a systemtap script to verify such behaviour in-between chroots).
> 
> As for a solution, forking off a process which chroots is definitely on
> the right track. However, I would argue what's really needed here is the
> following: at the start, a container is created, the child gets in. Execs,
> file system operations, just about everything has to be a request sent
> to the child over e.g. a unix socket, but pipes could work too.

I think you're hinting at a security issue, but I don't think there is
one in virt-builder, since firstly we trust the templates and the
command line (hence there is no "attacker" in the virt-builder
scenario), and secondly everything runs inside a virtual machine, so
this putative virt-builder attacker can only take over the appliance,
and would be stopped by the protections we place around the appliance
(sVirt and so on).

However, it certainly is worth hardening the way we run commands.  A
container approach has another advantage too: that any processes
started up by (eg) dnf/yum are "captured" in the container and can be
conveniently killed off when the command exits.  This is in fact an
existing source of bugs (https://bugzilla.redhat.com/1195881).

> Filesystems in the container would not be fully populated (see: /dev/mem
> & friends), but only have 'container-friendly' files.
> 
> That's definitely a lot of work and I'm not up to the task.

Right - patches welcome!

> Regardless, commandvf vs chroot usage can be improved without said
> significant work.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
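An added illustration of the fork-and-chroot runner the thread is discussing (example code written for this page, not the libguestfs daemon's own code): the child is put in its own process group before it chroots and execs, stdin is always attached to /dev/null rather than inherited, both the chroot directory and the command path are required to be absolute (Mateusz's point about relative lookups escaping to the real "/"), and whatever the command leaves running in its process group is killed once it exits (the stray-process problem from the bug Rich cites). `run_in_chroot` and `path_is_absolute` are names chosen here. The chroot call itself needs CAP_SYS_CHROOT, so pass NULL as `root` to exercise everything except the chroot as an unprivileged user.

```c
/* Example chroot command runner; not part of libguestfs. */
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* A chroot only confines lookups that start at its "/"; a relative path is
 * resolved against the cwd, which may still be the real root.  Refuse
 * anything that is not absolute before going near chroot(). */
int path_is_absolute(const char *path)
{
    return path != NULL && path[0] == '/';
}

/* Child-side failure: hand errno to the parent over the pipe and exit. */
static void child_fail(int err_fd)
{
    int e = errno;
    (void)!write(err_fd, &e, sizeof e);
    _exit(127);
}

/* Run argv[0] inside `root` (NULL = no chroot).  Returns the exit status,
 * 128+signal if the command died from a signal, or -1 on setup failure
 * (bad path, fork/exec error, chroot refused) with errno set. */
int run_in_chroot(const char *root, char *const argv[])
{
    if (argv == NULL || !path_is_absolute(argv[0]) ||
        (root != NULL && !path_is_absolute(root))) {
        errno = EINVAL;
        return -1;
    }

    /* CLOEXEC pipe: a successful exec closes it, a failed one reports errno. */
    int err_pipe[2];
    if (pipe(err_pipe) == -1)
        return -1;
    fcntl(err_pipe[1], F_SETFD, FD_CLOEXEC);

    pid_t pid = fork();
    if (pid == -1) {
        close(err_pipe[0]);
        close(err_pipe[1]);
        return -1;
    }

    if (pid == 0) {
        close(err_pipe[0]);
        /* Own process group: everything the command forks inherits it. */
        setpgid(0, 0);
        /* Always supply stdin, so tools that read it see EOF instead of
         * whatever descriptor (or none) the daemon happened to hold. */
        int devnull = open("/dev/null", O_RDONLY);
        if (devnull == -1 || dup2(devnull, STDIN_FILENO) == -1)
            child_fail(err_pipe[1]);
        if (devnull != STDIN_FILENO)
            close(devnull);
        /* chdir("/") after chroot, or the cwd still points outside. */
        if (root != NULL && (chroot(root) == -1 || chdir("/") == -1))
            child_fail(err_pipe[1]);
        execv(argv[0], argv);
        child_fail(err_pipe[1]);
    }

    close(err_pipe[1]);
    /* Parent side too, so the group exists even before the child runs;
     * EACCES here just means the child already exec'd, which is fine. */
    setpgid(pid, pid);

    int child_errno = 0;
    ssize_t n = read(err_pipe[0], &child_errno, sizeof child_errno);
    close(err_pipe[0]);

    int status;
    while (waitpid(pid, &status, 0) == -1) {
        if (errno != EINTR) {
            killpg(pid, SIGKILL);
            return -1;
        }
    }
    /* The command is gone; sweep up anything it left in the group
     * (a backgrounded daemon, a stuck helper).  ESRCH means nothing left. */
    if (killpg(pid, SIGKILL) == -1 && errno != ESRCH)
        perror("killpg");

    if (n > 0) {
        errno = child_errno;
        return -1;
    }
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    if (WIFSIGNALED(status))
        return 128 + WTERMSIG(status);
    errno = EIO;
    return -1;
}
```

Killing by process group is the cheap version of the container Mateusz describes: it catches processes that stay in the group, but a command that calls setsid() escapes it, which is exactly the gap a PID namespace would close.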