[libvirt] [PATCH 00/14] Avoid unsafe usage of /proc/$PID/root in LXC driver

Daniel P. Berrange berrange at redhat.com
Fri Feb 7 15:32:58 UTC 2014


This is a followup to Eric's original proposal

  https://www.redhat.com/archives/libvir-list/2013-December/msg01242.html

The first 5 patches fix non-security bugs in the LXC hotplug
code. Then there's a couple of helper patches. Finally the
last 6 fix the actual security issue previously publically
reported.

Eric originally had a huge cleanup of virFork, but I'd
prefer that be done afterwards, to minimize the backporting
pain for stable branches.

Daniel P. Berrange (13):
  Don't block use of USB with containers
  Fix path used for USB device attach with LXC
  Record hotplugged USB device in LXC live guest config
  Fix reset of cgroup when detaching USB device from LXC guests
  Disks are always block devices, never character devices
  Move check for cgroup devices ACL upfront in LXC hotplug
  Add virFileMakeParentPath helper function
  Add helper for running code in separate namespaces
  Avoid unsafe use of /proc/$PID/root in LXC disk hotplug
  Avoid unsafe use of /proc/$PID/root in LXC USB hotplug
  Avoid unsafe use of /proc/$PID/root in LXC block hostdev hotplug
  Avoid unsafe use of /proc/$PID/root in LXC chardev hostdev hotplug
  Avoid unsafe use of /proc/$PID/root in LXC hotunplug code

Eric Blake (1):
  Avoid unsafe use of /proc/$PID/root in LXC shutdown/reboot code

 src/conf/domain_conf.c   |   1 +
 src/libvirt_private.syms |   2 +
 src/lxc/lxc_driver.c     | 552 +++++++++++++++++++++++------------------------
 src/util/virfile.c       |  27 +++
 src/util/virfile.h       |   1 +
 src/util/virinitctl.c    |  26 +--
 src/util/virinitctl.h    |   5 +-
 src/util/virprocess.c    | 114 ++++++++++
 src/util/virprocess.h    |  11 +
 9 files changed, 442 insertions(+), 297 deletions(-)

-- 
1.8.5.3




More information about the libvir-list mailing list