[Virtio-fs] [PATCH for-5.1 0/3] virtiofsd: allow virtiofsd to run in a container
Stefan Hajnoczi
stefanha at redhat.com
Wed Jul 22 13:02:03 UTC 2020

Container runtimes handle namespace setup and remove privileges needed by
virtiofsd to perform sandboxing. Luckily the container environment already
provides most of the sandbox that virtiofsd needs for security.

Introduce a new "virtiofsd -o chroot" option that uses chroot(2) instead of
namespaces. This option allows virtiofsd to work inside a container.

Please see the individual patches for details on the changes and security
implications.

Given that people are starting to attempt running virtiofsd in containers I
think this should go into QEMU 5.1.

Stefan Hajnoczi (3):
  virtiofsd: drop CAP_DAC_READ_SEARCH
  virtiofsd: add container-friendly -o chroot sandboxing option
  virtiofsd: probe unshare(CLONE_FS) and print an error

 tools/virtiofsd/fuse_virtio.c    | 13 +++++++++
 tools/virtiofsd/helper.c         |  3 +++
 tools/virtiofsd/passthrough_ll.c | 45 +++++++++++++++++++++++++++++---
 3 files changed, 58 insertions(+), 3 deletions(-)

--
2.26.2