[Virtio-fs] [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option
Dr. David Alan Gilbert
dgilbert at redhat.com
Thu Jul 23 17:55:38 UTC 2020
* Stefan Hajnoczi (stefanha at redhat.com) wrote:
> On Wed, Jul 22, 2020 at 08:03:18PM +0100, Dr. David Alan Gilbert wrote:
> > * Stefan Hajnoczi (stefanha at redhat.com) wrote:
> > > + /*
> > > + * Make the shared directory the file system root so that FUSE_OPEN
> > > + * (lo_open()) cannot escape the shared directory by opening a symlink.
> > > + *
> > > + * It's still possible to escape the chroot via lo->proc_self_fd but that
> > > + * requires gaining control of the process first.
> > > + */
> > > + if (chroot(lo->source) != 0) {
> > > + fuse_log(FUSE_LOG_ERR, "chroot(\"%s\"): %m\n", lo->source);
> > > + exit(1);
> > > + }
> >
> > I'm seeing suggestions that you should drop CAP_SYS_CHROOT after
> > chroot'ing to stop an old escape (where you create another jail inside
> > the jail and the kernel then lets you walk outside of the old one).
>
> That's already the case:
>
> 1. setup_seccomp() blocks further chroot(2) calls.
> 2. setup_capabilities() drops CAP_SYS_CHROOT.
Ah yes; could you add a comment if you respin; it's not obvious that
the capability to chroot allows you to break out of an existing chroot
you're in.
Dave
> Stefan
--
Dr. David Alan Gilbert / dgilbert at redhat.com / Manchester, UK
More information about the Virtio-fs
mailing list