[Virtio-fs] Securing file handles
Max Reitz
mreitz at redhat.com
Tue Mar 16 17:28:24 UTC 2021
On 08.03.21 15:50, Miklos Szeredi wrote:
> On Mon, Mar 8, 2021 at 2:39 PM Max Reitz <mreitz at redhat.com> wrote:
>
>> Admittedly I’m not yet at the point where I feel comfortable doing
>> changes to the kernel at all, so if you have the time, I’d appreciate
>> it. (If you don’t really have the time, I could try my hand first and
>> then we’d see.)
>
> I'd hate to context switch away from the fuse leases to the kernel
> crypto, so it would have to wait some time...
>
> But I've attached an incomplete patch that just missing the crypto
> bits and testing.
>
> Would you mind having a go at it?
Thanks, I’ll look into the crypto stuff and have a go. (Sorry for the
delay...)
I’d still prefer a service process instead of putting this in the
kernel, but let’s see how complicated it would be. I suppose one
problem with putting it into a service process is that doing so wouldn’t
help with containers: If containers don’t allow CAP_DAC_READ_SEARCH, we
I suppose it’ll be difficult to give it even to such a service process.
One thing that also needs to be solved is how to specify a persistent
key. I suppose the idea in your patch is to generate a random key for
every new process, but we would need a persistent key. With a service
process, it could be configured by the user to use a specific key, or
perhaps it has kind of small database and virtiofsd selects its
persistent key by a hash of it or some other ID that it has received
from the service process.
I don’t know how you’d go making the kernel store persistent keys, though.
Max
>> So AFAIU you want to put this in the kernel so we can get rid of needing
>> the capability, because when you can only open handles that were
>> previously generated for you, there wouldn’t be a security problem, right?
>
> Something like that.
>
>> But what about cases where a file is made inaccessible to some process
>> between generating the handle and later opening it? E.g. in
>> /path/to/file, the “to” directory is changed to go-x (and the current
>> user is not the owner), so opening /path/to/file wouldn’t be possible by
>> path anymore. Sure, if the FD remained open, you could still open the
>> file anyway; but I consider it different in semantics. (E.g. you could
>> check that there are no processes that have “file” open anymore, and so
>> you could assume that it’s now inaccessible.)
>
> That could be a concern, yes. Requiring CAP_DAC_READ_SEARCH in the
> current user namespace, as my template patch does, might mitigate
> those worries somewhat.
>
> Thanks,
> Miklos
>
More information about the Virtio-fs
mailing list