[Virtio-fs] [PATCH] virtiofsd: avoid /proc/self/fd tempdir

[Jens Freimann]

On Tue, Oct 06, 2020 at 10:58:26AM +0100, Stefan Hajnoczi wrote:
>In order to prevent /proc/self/fd escapes a temporary directory is
>created where /proc/self/fd is bind-mounted. This doesn't work on
>read-only file systems.
>
>Avoid the temporary directory by bind-mounting /proc/self/fd over /proc.
>This does not affect other processes since we remounted / with MS_REC |
>MS_SLAVE. /proc must exist and virtiofsd does not use it so it's safe to
>do this.
>
>Path traversal can be tested with the following function:
>
>  static void test_proc_fd_escape(struct lo_data *lo)
>  {
>      int fd;
>      int level = 0;
>      ino_t last_ino = 0;
>
>      fd = lo->proc_self_fd;
>      for (;;) {
>          struct stat st;
>
>          if (fstat(fd, &st) != 0) {
>              perror("fstat");
>              return;
>          }
>          if (last_ino && st.st_ino == last_ino) {
>              fprintf(stderr, "inode number unchanged, stopping\n");
>              return;
>          }
>          last_ino = st.st_ino;
>
>          fprintf(stderr, "Level %d dev %lu ino %lu\n", level,
>                  (unsigned long)st.st_dev,
>                  (unsigned long)last_ino);
>          fd = openat(fd, "..", O_PATH | O_DIRECTORY | O_NOFOLLOW);
>          level++;
>      }
>  }
>
>Before and after this patch only Level 0 is displayed. Without
>/proc/self/fd bind-mount protection it is possible to traverse parent
>directories.
>
>Fixes: 397ae982f4df4 ("virtiofsd: jail lo->proc_self_fd")
>Cc: Miklos Szeredi <mszeredi at redhat.com>
>Cc: Jens Freimann <jfreimann at redhat.com>
>Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>

Thanks Stefan, it fixes the problem we had!

Tested-by: Jens Freimann <jfreimann at redhat.com>
Reviewed-by: Jens Freimann <jfreimann at redhat.com> 

regards,
Jens