[Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7)
Vivek Goyal
vgoyal at redhat.com
Fri Jun 19 14:25:08 UTC 2020
On Fri, Jun 19, 2020 at 04:16:30PM +0200, Miklos Szeredi wrote:
> On Thu, Jun 18, 2020 at 9:08 PM Vivek Goyal <vgoyal at redhat.com> wrote:
> >
> > On Thu, Apr 16, 2020 at 05:49:05PM +0100, Stefan Hajnoczi wrote:
> > > virtiofsd doesn't need of all Linux capabilities(7) available to root. Keep a
> > > whitelisted set of capabilities that we require. This improves security in
> > > case virtiofsd is compromised by making it hard for an attacker to gain further
> > > access to the system.
> >
> > Hi Stefan,
> >
> > I just noticed that this patch set breaks overlayfs on top of virtiofs.
>
> How so? Virtiofs isn't mounting overlayfs, is it? Only the mounter
> requires CAP_SYS_ADMIN, not the accessor.
virtiofsd needs CAP_SYS_ADMIN, otherwise fsetxattr(trusted.overlay.opaque)
fails in lo_setxattr().
This is triggered when we mount overlayfs on top of virtiofs and overlayfs
tries to set OVL_XATTR_OPAQUE on upper to check if trusted xattrs are
supported or not.
Thanks
Vivek
More information about the Virtio-fs
mailing list