[Virtio-fs] [PATCH v2 3/5] virtiofsd: open /proc/self/fd/ in sandbox=NONE mode

Dr. David Alan Gilbert dgilbert at redhat.com
Fri Aug 7 17:42:16 UTC 2020


* Vivek Goyal (vgoyal at redhat.com) wrote:
> We need /proc/self/fd descriptor even in sandbox=NONE mode.
> 
> Signed-off-by: Vivek Goyal <vgoyal at redhat.com>
> ---
>  tools/virtiofsd/passthrough_ll.c | 13 ++++++++++++-
>  1 file changed, 12 insertions(+), 1 deletion(-)
> 
> diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
> index cd91c4a831..76ef891105 100644
> --- a/tools/virtiofsd/passthrough_ll.c
> +++ b/tools/virtiofsd/passthrough_ll.c
> @@ -2969,6 +2969,15 @@ static void setup_capabilities(char *modcaps_in)
>      pthread_mutex_unlock(&cap.mutex);
>  }
>  
> +static void setup_none(struct lo_data *lo)

'setup_none' is not the most obvious name; setup_sandbox_none ?

> +{
> +    lo->proc_self_fd = open("/proc/self/fd", O_PATH);
> +    if (lo->proc_self_fd == -1) {
> +        fuse_log(FUSE_LOG_ERR, "open(\"/proc/self/fd\", O_PATH): %m\n");
> +        exit(1);
> +    }
> +}
> +
>  /*
>   * Use chroot as a weaker sandbox for environments where the process is
>   * launched without CAP_SYS_ADMIN.
> @@ -3014,8 +3023,10 @@ static void setup_sandbox(struct lo_data *lo, struct fuse_session *se,
>      if (lo->sandbox == SANDBOX_NAMESPACE) {
>          setup_namespaces(lo, se);
>          setup_mounts(lo->source);
> -    } else {
> +    } else if (lo->sandbox == SANDBOX_CHROOT) {
>          setup_chroot(lo);
> +    } else {
> +        setup_none(lo);
>      }
>  
>      setup_seccomp(enable_syslog);
> -- 
> 2.25.4
> 
-- 
Dr. David Alan Gilbert / dgilbert at redhat.com / Manchester, UK




More information about the Virtio-fs mailing list