[Virtio-fs] [PATCH] virtiofsd: prevent opening of special files (CVE-2020-35517)

Miklos Szeredi mszeredi at redhat.com
Mon Jan 25 16:12:23 UTC 2021


On Thu, Jan 21, 2021 at 3:44 PM Stefan Hajnoczi <stefanha at redhat.com> wrote:

> This patch adds the missing checks to virtiofsd. This is a short-term
> solution because it does not prevent a compromised virtiofsd process
> from opening device nodes on the host.

I think the proper solution is adding support to the host in order to
restrict opens on filesystems that virtiofsd has access to.

My idea was to add a "force_nodev" mount option that cannot be
disabled and will make propagated mounts also be marked
"force_nodev,nodev".

A possibly simpler solution is to extend seccomp to restrict the
process itself from being able to open special files.  Not sure if
that's within the scope of seccomp though.

Thanks,
Miklos
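The short-term check the quoted patch description refers to, shown here as an added example that is not the virtiofsd patch itself: a directory-relative open that refuses anything but regular files and directories by inspecting the type through an O_PATH descriptor before performing the real open. The function names and the /tmp self-check are this example's own.

```c
/* Added example, not virtiofsd code: helper names here are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open "name" under dirfd only if it is a regular file or directory. O_PATH
 * means no device driver open() runs and no FIFO open blocks; the type is
 * checked with fstat() before the descriptor is upgraded via /proc/self/fd. */
static int open_no_special(int dirfd, const char *name, int flags)
{
    struct stat st;
    char procpath[64];
    int pfd = openat(dirfd, name, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (pfd < 0)
        return -1;
    if (fstat(pfd, &st) < 0 || (!S_ISREG(st.st_mode) && !S_ISDIR(st.st_mode))) {
        close(pfd);
        errno = ENXIO;  /* char/block device, FIFO, socket or symlink */
        return -1;
    }
    snprintf(procpath, sizeof(procpath), "/proc/self/fd/%d", pfd);
    int fd = open(procpath, flags | O_CLOEXEC);
    close(pfd);
    return fd;
}

/* Constructed self-check in a temporary directory: a regular file must open,
 * a FIFO must be refused with ENXIO. Returns 1 if both hold, else 0. */
static int run_demo(void)
{
    char dir[] = "/tmp/nospecial.XXXXXX";
    int dfd, fd, ok = 0;
    if (!mkdtemp(dir) || (dfd = open(dir, O_DIRECTORY | O_RDONLY)) < 0)
        return 0;
    if ((fd = openat(dfd, "regular", O_CREAT | O_WRONLY, 0600)) >= 0)
        close(fd);
    mkfifoat(dfd, "fifo", 0600);
    if ((fd = open_no_special(dfd, "regular", O_RDONLY)) >= 0) {
        close(fd);
        ok = open_no_special(dfd, "fifo", O_RDONLY) < 0 && errno == ENXIO;
    }
    unlinkat(dfd, "regular", 0); unlinkat(dfd, "fifo", 0);
    close(dfd); rmdir(dir);
    return ok;
}
```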
