[Virtio-fs] [PATCH] virtiofsd: avoid /proc/self/fd tempdir
Jens Freimann
jfreimann at redhat.com
Tue Oct 6 13:43:38 UTC 2020
On Tue, Oct 06, 2020 at 10:58:26AM +0100, Stefan Hajnoczi wrote:
>In order to prevent /proc/self/fd escapes a temporary directory is
>created where /proc/self/fd is bind-mounted. This doesn't work on
>read-only file systems.
>
>Avoid the temporary directory by bind-mounting /proc/self/fd over /proc.
>This does not affect other processes since we remounted / with MS_REC |
>MS_SLAVE. /proc must exist and virtiofsd does not use it so it's safe to
>do this.
>
>Path traversal can be tested with the following function:
>
>  static void test_proc_fd_escape(struct lo_data *lo)
>  {
>      int fd;
>      int level = 0;
>      ino_t last_ino = 0;
>
>      fd = lo->proc_self_fd;
>      for (;;) {
>          struct stat st;
>
>          if (fstat(fd, &st) != 0) {
>              perror("fstat");
>              return;
>          }
>          if (last_ino && st.st_ino == last_ino) {
>              fprintf(stderr, "inode number unchanged, stopping\n");
>              return;
>          }
>          last_ino = st.st_ino;
>
>          fprintf(stderr, "Level %d dev %lu ino %lu\n", level,
>                  (unsigned long)st.st_dev,
>                  (unsigned long)last_ino);
>          fd = openat(fd, "..", O_PATH | O_DIRECTORY | O_NOFOLLOW);
>          level++;
>      }
>  }
>
>Before and after this patch only Level 0 is displayed. Without
>/proc/self/fd bind-mount protection it is possible to traverse parent
>directories.
>
>Fixes: 397ae982f4df4 ("virtiofsd: jail lo->proc_self_fd")
>Cc: Miklos Szeredi <mszeredi at redhat.com>
>Cc: Jens Freimann <jfreimann at redhat.com>
>Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
Thanks Stefan, it fixes the problem we had!
Tested-by: Jens Freimann <jfreimann at redhat.com>
Reviewed-by: Jens Freimann <jfreimann at redhat.com>
regards,
Jens
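
A reusable form of the traversal check quoted above, as an added example that is not part of the original mail or of virtiofsd: it compares device and inode together (inode numbers are only unique within one filesystem, so they can repeat across mounts), closes every descriptor it opens, and returns the number of parent levels reachable so that a sandbox self-test can require 0. The function name `count_parent_levels` and the depth cap are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_PATH
#define O_PATH 010000000 /* Linux generic value, only if headers hid it */
#endif

/*
 * Count the distinct parent directories reachable from dirfd through "..".
 * Returns 0 when ".." resolves back to the same (dev, ino), i.e. the
 * descriptor is jailed; returns -1 on error. Stops after max_levels.
 */
int count_parent_levels(int dirfd, int max_levels)
{
    struct stat prev, cur;
    int levels = 0;
    int fd = dup(dirfd); /* work on a copy; the caller keeps dirfd */

    if (fd < 0)
        return -1;
    if (fstat(fd, &prev) != 0) {
        close(fd);
        return -1;
    }
    while (levels < max_levels) {
        int parent = openat(fd, "..", O_PATH | O_DIRECTORY | O_NOFOLLOW);

        close(fd);
        if (parent < 0)
            return -1;
        fd = parent;
        if (fstat(fd, &cur) != 0) {
            close(fd);
            return -1;
        }
        /* Same device and inode: ".." went nowhere, top reached. */
        if (cur.st_dev == prev.st_dev && cur.st_ino == prev.st_ino)
            break;
        prev = cur;
        levels++;
    }
    close(fd);
    return levels;
}

int main(void)
{
    int fd = open("/proc/self/fd", O_PATH | O_DIRECTORY);
    int n = (fd < 0) ? -1 : count_parent_levels(fd, 64);

    printf("parent levels reachable from /proc/self/fd: %d\n", n);
    return n == 0 ? 0 : 1; /* non-zero exit: not jailed, or error */
}
```

Run from an ordinary shell, the descriptor is not jailed and the program exits non-zero.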