[libvirt] [PATCHv2 0/7] lxc: honor mount namespaces

Eric Blake eblake at redhat.com
Tue Dec 24 05:55:44 UTC 2013


We are still awaiting a CVE number to be assigned, but Reco
reported in Debian bug #732394 that a malicious guest could
cause virDomainShutdown and virDomainReboot to cause the
host to misbehave, if the host blindly follows symlinks in
its own mount namespace instead of the guest's namespace.

I have not yet tried to patch the bugs in virDomainDeviceAttach
dereferencing /dev from the wrong namespace, which also suffers
from the same vulnerability, but virProcessRunInMountNamespace
should also be usable in that situation.

While working on this series, I found several issues with
virFork and virt-login-shell; since those are also related
to correct namespace usage, I've bundled everything into
one series; but the CVE is not fixed until patch 7/7 plus
the future patch to /dev.  I've done some pretty decent
testing on the new virt-login-shell, but did not get as
much testing on virDomainReboot.  Since this series does
address a CVE, and also regressions caused by our previous
CVE fix in the same area of code (CVE-2013-4400 is
unfortunately a poor example of shipping "fixes" without
testing that the code still worked), I'd definitely
appreciate a close review.

Patch 6/7 is interesting: it uses virFork to use the mount
namespace without impacting the parent process.  However,
since setns() is thread-safe, I wonder if it would be
simpler to instead use pthread_create to do the callback
within the same process instead of having to create a
separate process, as that would make for easier coordination
for passing the results back to the remaining threads that
have not changed namespace.  Thankfully, I think we came
up with a good abstraction - I'm fairly confident that
6/7 could be rewritten to use pthread_create without
changing the function signatures, in which case patch
7/7 would not need any changes to pick up the changed
backend.

Eric Blake (7):
  virt-login-shell: fix regressions in behavior
  virFork: simplify semantics
  virt-login-shell: use single instead of double fork
  virt-login-shell: saner exit value
  virsh: report exit status of failed lxc-enter-namespace
  lxc: add virProcessRunInMountNamespace
  lxc: security fix for virInitctlSetRunLevel

 src/internal.h             |   7 +++
 src/libvirt.c              |   2 +-
 src/libvirt_private.syms   |   1 +
 src/lxc/lxc_driver.c       |  38 ++++++------
 src/util/vircommand.c      | 128 +++++++++++++++-----------------------
 src/util/vircommand.h      |   2 +-
 src/util/virfile.c         |  25 ++------
 src/util/virinitctl.c      |  28 ++++-----
 src/util/virinitctl.h      |   5 +-
 src/util/virprocess.c      |  81 ++++++++++++++++++++++--
 src/util/virprocess.h      |  11 ++++
 tools/virsh-domain.c       |  34 ++++++----
 tools/virsh.pod            |   3 +-
 tools/virt-login-shell.c   | 151 ++++++++++++++++++++-------------------------
 tools/virt-login-shell.pod |  23 ++++++-
 15 files changed, 299 insertions(+), 240 deletions(-)

-- 
1.8.4.2
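The fork-then-setns() approach the cover letter describes for patch 6/7, as an added example: this is not code from the series and not libvirt's virProcessRunInMountNamespace. The names `run_in_mount_ns`, `ns_callback` and `path_is_fifo` are hypothetical, and passing the result back through the child's exit status is an assumption of this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* for setns() and CLONE_NEWNS */
#endif
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000  /* fallback if <sched.h> was read without _GNU_SOURCE */
#endif
int setns(int fd, int nstype);  /* same prototype glibc declares */

typedef int (*ns_callback)(void *opaque);   /* hypothetical; must return 0..126 */

/* Sample callback: 0 if the path is a FIFO in the *current* mount namespace.
 * lstat() does not follow a final symlink, so a symlink is reported as "no". */
int path_is_fifo(void *opaque)
{
    struct stat sb;
    return (lstat(opaque, &sb) == 0 && S_ISFIFO(sb.st_mode)) ? 0 : 1;
}

/* Run cb inside the mount namespace of `target`; the caller's namespace is
 * untouched. Returns cb's value, or -1 if the namespace could not be entered. */
int run_in_mount_ns(pid_t target, ns_callback cb, void *opaque)
{
    char path[64];
    int fd, status;
    pid_t child;

    snprintf(path, sizeof(path), "/proc/%ld/ns/mnt", (long)target);
    if ((fd = open(path, O_RDONLY | O_CLOEXEC)) < 0)
        return -1;
    if ((child = fork()) == 0) {
        /* Child: only async-signal-safe calls from here on. */
        if (setns(fd, CLONE_NEWNS) < 0)
            _exit(127);                     /* reserved: "never entered" */
        _exit(cb(opaque) & 0x7f);
    }
    close(fd);
    if (child < 0)
        return -1;
    while (waitpid(child, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status);
}
```

Joining a mount namespace with setns() needs CAP_SYS_ADMIN and CAP_SYS_CHROOT, so an unprivileged caller gets -1 rather than a callback result computed in the wrong namespace.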



