[Virtio-fs] [PATCH] virtiofsd: jail lo->proc_self_fd

Miklos Szeredi mszeredi at redhat.com
Wed Apr 29 14:50:38 UTC 2020


On Wed, Apr 29, 2020 at 4:47 PM Miklos Szeredi <mszeredi at redhat.com> wrote:
>
> On Wed, Apr 29, 2020 at 4:36 PM Vivek Goyal <vgoyal at redhat.com> wrote:
> >
> > On Wed, Apr 29, 2020 at 02:47:33PM +0200, Miklos Szeredi wrote:
> > > While it's not possible to escape the proc filesystem through
> > > lo->proc_self_fd, it is possible to escape to the root of the proc
> > > filesystem itself through "../..".
> >
> > Hi Miklos,
> >
> > So this attack will work with some form of *at(lo->proc_self_fd, "../..")
> > call?
>
> Right.
>
> >
> > >
> > > Use a temporary mount for opening lo->proc_self_fd, that has its root at
> > > /proc/self/fd/, preventing access to the ancestor directories.
> >
> > Does this mean that now a similar attack can happen using "../.." on the
> > tmpdir fd instead and be able to look at peers of tmpdir? Or is it blocked
> > due to the mount point or something else?
>
> No, because tmpdir is detached, the root of that tree will be the
> directory pointed to by the fd.  ".." will just lead to the same
> directory.

BTW, I would have liked to do this without a temp directory, but
apparently the fancy new mount stuff isn't up to this task, or at
least I haven't figured it out yet.

Thanks,
Miklos
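
An added example, not code from the patch or from virtiofsd: it compares "../.." resolved from a plain /proc/self/fd descriptor with the same lookup from a descriptor opened on a detached bind mount, as the thread describes. The function names and the /tmp template are hypothetical; it assumes Linux with /proc mounted, and the mount step needs CAP_SYS_ADMIN.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if "../.." resolved from dirfd is the root of /proc, 0 if not, -1 on error. */
static int reaches_proc_root(int dirfd)
{
    struct stat up, proc;
    int fd = openat(dirfd, "../..", O_PATH | O_DIRECTORY);
    if (fd < 0)
        return -1;
    int rc = fstat(fd, &up);
    close(fd);
    if (rc < 0 || stat("/proc", &proc) < 0)
        return -1;
    return up.st_dev == proc.st_dev && up.st_ino == proc.st_ino;
}

/* O_PATH fd for /proc/self/fd on a detached bind mount rooted at that
 * directory, or -1 on failure (mount() needs CAP_SYS_ADMIN). */
static int open_jailed_proc_self_fd(void)
{
    char tmpdir[] = "/tmp/procfd-jail-XXXXXX"; /* hypothetical location */
    int fd = -1;
    if (!mkdtemp(tmpdir))
        return -1;
    if (mount("/proc/self/fd", tmpdir, NULL, MS_BIND, NULL) == 0) {
        fd = open(tmpdir, O_PATH | O_DIRECTORY);
        umount2(tmpdir, MNT_DETACH); /* the open fd keeps the detached mount alive */
    }
    rmdir(tmpdir);
    return fd;
}

int main(void)
{
    int plain = open("/proc/self/fd", O_PATH | O_DIRECTORY);
    int jailed = open_jailed_proc_self_fd();
    printf("plain fd reaches /proc root:  %d\n", reaches_proc_root(plain));
    if (jailed < 0)
        printf("jailed fd: not created (need CAP_SYS_ADMIN)\n");
    else
        printf("jailed fd reaches /proc root: %d\n", reaches_proc_root(jailed));
    return 0;
}
```

With sufficient privilege the plain descriptor reports 1 and the jailed one reports 0, because ".." at the root of the detached mount resolves to the same directory.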




