[Virtio-fs] [PATCH for-5.1 0/3] virtiofsd: allow virtiofsd to run in a container
Vivek Goyal
vgoyal at redhat.com
Wed Jul 22 18:19:14 UTC 2020
On Wed, Jul 22, 2020 at 02:02:03PM +0100, Stefan Hajnoczi wrote:
> Container runtimes handle namespace setup and remove privileges needed by
> virtiofsd to perform sandboxing. Luckily the container environment already
> provides most of the sandbox that virtiofsd needs for security.
>
> Introduce a new "virtiofsd -o chroot" option that uses chroot(2) instead of
> namespaces. This option allows virtiofsd to work inside a container.
>
> Please see the individual patches for details on the changes and security
> implications.
>
> Given that people are starting to attempt running virtiofsd in containers I
> think this should go into QEMU 5.1.
Hi Stefan,
I have written a document to help with testing virtiofs with any changes.
https://github.com/rhvgoyal/misc/blob/master/virtiofs-tests/virtio-fs-testing-requirement.txt
It will be good to run some of these tests to make sure there are no
regressions due to these changes.
Thanks
Vivek
>
> Stefan Hajnoczi (3):
> virtiofsd: drop CAP_DAC_READ_SEARCH
> virtiofsd: add container-friendly -o chroot sandboxing option
> virtiofsd: probe unshare(CLONE_FS) and print an error
>
> tools/virtiofsd/fuse_virtio.c | 13 +++++++++
> tools/virtiofsd/helper.c | 3 +++
> tools/virtiofsd/passthrough_ll.c | 45 +++++++++++++++++++++++++++++---
> 3 files changed, 58 insertions(+), 3 deletions(-)
>
> --
> 2.26.2
>
>
> _______________________________________________
> Virtio-fs mailing list
> Virtio-fs at redhat.com
> https://www.redhat.com/mailman/listinfo/virtio-fs
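As an added example that is not virtiofsd code and not taken from the patches above: a minimal C sketch of the two mechanisms the cover letter names, confinement with chroot(2) followed by chdir("/") instead of a mount namespace, and a probe of unshare(CLONE_FS) that reports failure instead of continuing silently. The sandbox_* names are hypothetical, the directory checked is whatever is passed in, and the check forks so the caller's own root is untouched. Two caveats a practitioner should keep in mind: chroot(2) needs CAP_SYS_CHROOT, so under an unprivileged run the check returns -EPERM rather than confining anything, and a process that keeps CAP_SYS_CHROOT after chroot can chroot out again, so the real daemon must also drop that capability (and the cwd must be moved to "/", otherwise it still points outside the new root).

```c
/* Added example, not virtiofsd code. Assumes Linux; sandbox_* names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* CLONE_FS is only exposed by <sched.h> under _GNU_SOURCE; the kernel value is 0x200. */
#ifndef CLONE_FS
#define CLONE_FS 0x00000200
#endif

/* Probe whether unshare(CLONE_FS) works in this environment.
 * Returns 0 on success, -errno otherwise, and prints the error so a container
 * runtime that blocks it (seccomp, missing capability) is visible at startup. */
int sandbox_probe_unshare_fs(void)
{
    if (syscall(SYS_unshare, CLONE_FS) == -1) {
        int err = errno;
        fprintf(stderr, "unshare(CLONE_FS) failed: %s\n", strerror(err));
        return -err;
    }
    return 0;
}

/* Confine the calling process to `dir` with chroot(2) instead of a mount namespace.
 * chdir("/") afterwards is mandatory: chroot does not move the cwd, and a cwd that
 * still points outside the new root defeats the confinement. Returns 0 or -errno. */
int sandbox_chroot(const char *dir)
{
    if (chroot(dir) == -1) {
        return -errno;
    }
    if (chdir("/") == -1) {
        return -errno;
    }
    return 0;
}

/* Run sandbox_chroot() in a forked child and verify from inside it that "/" is
 * really `dir` (same st_dev/st_ino the parent saw). The parent is never chrooted.
 * Returns 0 if verified, -EPERM when chroot is not permitted (unprivileged run),
 * -errno if `dir` cannot be stat'ed, -EIO on a mismatch or other child failure. */
int sandbox_check(const char *dir)
{
    struct stat want;
    if (stat(dir, &want) == -1) {
        return -errno;
    }
    pid_t pid = fork();
    if (pid == -1) {
        return -errno;
    }
    if (pid == 0) {
        int rc = sandbox_chroot(dir);
        if (rc == -EPERM) {
            _exit(2);
        }
        if (rc != 0) {
            _exit(1);
        }
        struct stat got;
        if (stat("/", &got) == -1) {
            _exit(1);
        }
        _exit(got.st_dev == want.st_dev && got.st_ino == want.st_ino ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1) {
        return -errno;
    }
    if (!WIFEXITED(status)) {
        return -EIO;
    }
    switch (WEXITSTATUS(status)) {
    case 0:  return 0;
    case 2:  return -EPERM;
    default: return -EIO;
    }
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/tmp";   /* directory to confine to */
    int rc = sandbox_probe_unshare_fs();
    printf("unshare(CLONE_FS): %s\n", rc == 0 ? "ok" : strerror(-rc));
    rc = sandbox_check(dir);
    printf("chroot(%s): %s\n", dir, rc == 0 ? "verified" : strerror(-rc));
    return (rc == 0 || rc == -EPERM) ? 0 : 1;
}
```

Run it as root with a shared directory as the argument to see the chroot verified; run it unprivileged and it reports EPERM from chroot, which is exactly the situation a container runtime without CAP_SYS_CHROOT puts the daemon in.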