[Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7)
Miklos Szeredi
miklos at szeredi.hu
Fri Jun 19 14:16:30 UTC 2020
On Thu, Jun 18, 2020 at 9:08 PM Vivek Goyal <vgoyal at redhat.com> wrote:
>
> On Thu, Apr 16, 2020 at 05:49:05PM +0100, Stefan Hajnoczi wrote:
> > virtiofsd doesn't need of all Linux capabilities(7) available to root. Keep a
> > whitelisted set of capabilities that we require. This improves security in
> > case virtiofsd is compromised by making it hard for an attacker to gain further
> > access to the system.
>
> Hi Stefan,
>
> I just noticed that this patch set breaks overlayfs on top of virtiofs.
How so? Virtiofs isn't mounting overlayfs, is it? Only the mounter
requires CAP_SYS_ADMIN, not the accessor.
Thanks,
Miklos
More information about the Virtio-fs
mailing list