[Virtio-fs] [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option
Stefan Hajnoczi
stefanha at redhat.com
Thu Jul 23 12:17:08 UTC 2020
On Wed, Jul 22, 2020 at 05:58:11PM +0100, Daniel P. Berrangé wrote:
> On Wed, Jul 22, 2020 at 02:02:05PM +0100, Stefan Hajnoczi wrote:
> > virtiofsd cannot run in an unprivileged container because CAP_SYS_ADMIN
> > is required to create namespaces.
> >
> > Introduce a weaker sandbox that is sufficient in container environments
> > because the container runtime already sets up namespaces. Use chroot to
> > restrict path traversal to the shared directory.
> >
> > virtiofsd loses the following:
> >
> > 1. Mount namespace. The process chroots to the shared directory but
> > leaves the mounts in place. Seccomp rejects mount(2)/umount(2)
> > syscalls.
> >
> > 2. Pid namespace. This should be fine because virtiofsd is the only
> > process running in the container.
> >
> > 3. Network namespace. This should be fine because seccomp already
> > rejects the connect(2) syscall, but an additional layer of security
> > is lost. Container runtime-specific network security policies can be
> > used drop network traffic (except for the vhost-user UNIX domain
> > socket).
>
> IIUC this relies on the fact that the container will still have
> CAP_SYS_CHROOT IOW, we still don't have a solution for running
> virtiofsd as an unprivileged user.
Yes, this still requires root in the container.
Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/virtio-fs/attachments/20200723/ba2baa44/attachment.sig>
More information about the Virtio-fs
mailing list