[libvirt] [PATCH 13/14] Avoid unsafe use of /proc/$PID/root in LXC chardev hostdev hotplug
Eric Blake
eblake at redhat.com
Fri Feb 7 19:49:22 UTC 2014
On 02/07/2014 08:33 AM, Daniel P. Berrange wrote:
> Rewrite lxcDomainAttachDeviceHostdevMisceLive function
s/Misce/Misc/
> to use the virProcessRunInMountNamespace helper. This avoids
> risk of a malicious guest replacing /dev with a absolute
> symlink, tricking the driver into changing the host OS
> filesystem.
>
> Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
> ---
> src/lxc/lxc_driver.c | 66 ++++++++++++++--------------------------------------
> 1 file changed, 18 insertions(+), 48 deletions(-)
>
> + if (virCgroupAllowDevicePath(priv->cgroup,
> + def->source.caps.u.misc.chardev,
> + VIR_CGROUP_DEVICE_RWM) != 0) {
Again, why make cgroup do another stat of the host-side name, when we've
already done a stat and could tell cgroup to operate on major:minor?
> + def->source.caps.u.misc.chardev) < 0) {
> + if (virCgroupDenyDevicePath(priv->cgroup,
> + def->source.caps.u.misc.chardev,
> + VIR_CGROUP_DEVICE_RWM) != 0)
> + VIR_WARN("cannot deny device %s for domain %s",
> + def->source.caps.u.storage.block, vm->def->name);
> goto cleanup;
And same issue on no auditing of deny on the failure path.
ACK.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 604 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20140207/8e625ffb/attachment-0001.sig>
More information about the libvir-list
mailing list