[Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7)
Vivek Goyal
vgoyal at redhat.com
Thu Apr 16 20:10:22 UTC 2020
On Thu, Apr 16, 2020 at 05:49:05PM +0100, Stefan Hajnoczi wrote:
> virtiofsd doesn't need of all Linux capabilities(7) available to root. Keep a
> whitelisted set of capabilities that we require. This improves security in
> case virtiofsd is compromised by making it hard for an attacker to gain further
> access to the system.
Hi Stefan,
Good to see this patch. We needed to limit capabilities to reduce attack
surface.
What tests have you run to make sure this current set of whitelisted
capabilities is good enough.
Vivek
>
> Stefan Hajnoczi (2):
> virtiofsd: only retain file system capabilities
> virtiofsd: drop all capabilities in the wait parent process
>
> tools/virtiofsd/passthrough_ll.c | 51 ++++++++++++++++++++++++++++++++
> 1 file changed, 51 insertions(+)
>
> --
> 2.25.1
>
More information about the Virtio-fs
mailing list