[libvirt] [PATCH 12/14] Avoid unsafe use of /proc/$PID/root in LXC block hostdev hotplug

Eric Blake eblake at redhat.com
Fri Feb 7 19:47:52 UTC 2014


On 02/07/2014 08:33 AM, Daniel P. Berrange wrote:
> Rewrite lxcDomainAttachDeviceHostdevStorageLive function
> to use the virProcessRunInMountNamespace helper. This avoids
> risk of a malicious guest replacing /dev with a absolute
> symlink, tricking the driver into changing the host OS
> filesystem.
> 
> Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
> ---
>  src/lxc/lxc_driver.c | 64 ++++++++++++++--------------------------------------
>  1 file changed, 17 insertions(+), 47 deletions(-)
> 

> +    if (virCgroupAllowDevicePath(priv->cgroup,
> +                                 def->source.caps.u.storage.block,
> +                                 VIR_CGROUP_DEVICE_RWM) != 0) {
>          virReportError(VIR_ERR_INTERNAL_ERROR,
>                         _("cannot allow device %s for domain %s"),
>                         def->source.caps.u.storage.block, vm->def->name);

Here, I think we're okay setting up cgroup by name - because it is the
host-visible name, not the guest-visible name, and cgroup just stat()s
the host name to use the major:minor anyways.  But since we already have
sb.st_rdev, why not avoid a second stat() and just tell cgroup to change
by major:minor in the first place?

>          goto cleanup;
>      }
>  
> +    if (lxcDomainAttachDeviceMknod(driver,
> +                                   0700 | S_IFBLK,
> +                                   sb.st_rdev,
> +                                   vm,
> +                                   dev,
> +                                   def->source.caps.u.storage.block) < 0) {
> +        if (virCgroupDenyDevicePath(priv->cgroup,
> +                                    def->source.caps.u.storage.block,
> +                                    VIR_CGROUP_DEVICE_RWM) != 0)
> +            VIR_WARN("cannot deny device %s for domain %s",
> +                     def->source.caps.u.storage.block, vm->def->name);
> +        goto cleanup;

Same problem as in 10/14 about no audit of cleanup attempts.  And again,
something probably worth fixing in its own patch, so for this one:

ACK.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 604 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20140207/ca8aedf4/attachment-0001.sig>


More information about the libvir-list mailing list