[Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7)

Stefan Hajnoczi stefanha at redhat.com
Fri Apr 17 09:42:26 UTC 2020


On Thu, Apr 16, 2020 at 04:10:22PM -0400, Vivek Goyal wrote:
> On Thu, Apr 16, 2020 at 05:49:05PM +0100, Stefan Hajnoczi wrote:
> > virtiofsd doesn't need all of the Linux capabilities(7) available to root.  Keep a
> > whitelisted set of capabilities that we require.  This improves security in
> > case virtiofsd is compromised by making it hard for an attacker to gain further
> > access to the system.
> 
> Hi Stefan,
> 
> Good to see this patch. We needed to limit capabilities to reduce attack
> surface.
> 
> What tests have you run to make sure this current set of whitelisted
> capabilities is good enough?

Booting and light usage of Fedora 29 and running blogbench.

I would appreciate it if others could try it out with their
tests/workloads.

Stefan
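
Added example, not part of the original message or of the patch series: one way to check, while running test workloads, that a daemon's effective capability set stays inside an allowlist, by reading `CapEff` from `/proc/<pid>/status`. The allowlist below is an illustrative assumption, not the set the patch keeps, and `parse_cap_field` and `excess_caps` are hypothetical helper names.

```c
/* Audit a process's effective capabilities against an allowlist. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capability bit numbers from capabilities(7); stable kernel ABI. */
enum { CAP_CHOWN = 0, CAP_DAC_OVERRIDE = 1, CAP_FOWNER = 3,
       CAP_FSETID = 4, CAP_SETGID = 6, CAP_SETUID = 7 };

/* ASSUMPTION: illustrative allowlist, not the set chosen by the patch. */
static const uint64_t ALLOWED =
    (1ULL << CAP_CHOWN) | (1ULL << CAP_DAC_OVERRIDE) | (1ULL << CAP_FOWNER) |
    (1ULL << CAP_FSETID) | (1ULL << CAP_SETGID) | (1ULL << CAP_SETUID);

/* Find "<field>:\t<hex>" in /proc/<pid>/status text; 0 on success, -1 if absent. */
static int parse_cap_field(const char *status, const char *field, uint64_t *out)
{
    size_t n = strlen(field);
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, field, n) == 0 && p[n] == ':')
            return sscanf(p + n + 1, "%" SCNx64, out) == 1 ? 0 : -1;
        p = strchr(p, '\n');          /* advance to the next line */
        if (p) p++;
    }
    return -1;
}

/* Capabilities held beyond the allowlist; 0 means the process is confined. */
static uint64_t excess_caps(uint64_t effective, uint64_t allowed)
{
    return effective & ~allowed;
}

/* Usage: ./capaudit [pid]; exit 0 = within allowlist, 1 = excess, 2 = error. */
int main(int argc, char **argv)
{
    char path[64], buf[8192];
    uint64_t eff;
    snprintf(path, sizeof path, "/proc/%s/status", argc > 1 ? argv[1] : "self");
    FILE *f = fopen(path, "r");
    if (!f) { perror(path); return 2; }
    size_t len = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[len] = '\0';
    if (parse_cap_field(buf, "CapEff", &eff) != 0) return 2;
    uint64_t extra = excess_caps(eff, ALLOWED);
    for (int bit = 0; bit < 64; bit++)
        if ((extra >> bit) & 1) printf("unexpected capability bit %d\n", bit);
    return extra ? 1 : 0;
}
```

This only shows that the set is no larger than intended; whether the set is large enough still has to come from running real workloads, as the thread asks.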