[Virtio-fs] Securing file handles

Miklos Szeredi mszeredi at redhat.com
Wed Mar 17 15:13:37 UTC 2021


[CC] David Howells.

On Wed, Mar 17, 2021 at 2:19 PM Vivek Goyal <vgoyal at redhat.com> wrote:
>
> On Tue, Mar 16, 2021 at 06:28:24PM +0100, Max Reitz wrote:

> > One thing that also needs to be solved is how to specify a persistent key.
> > I suppose the idea in your patch is to generate a random key for every new
> > process, but we would need a persistent key.  With a service process, it
> > could be configured by the user to use a specific key, or perhaps it has
> > kind of small database and virtiofsd selects its persistent key by a hash of
> > it or some other ID that it has received from the service process.
> >
> > I don’t know how you’d go making the kernel store persistent keys, though.
>
> Is it possible to load a persistent key from user space into a keyring
> using keyctl?

Context for David:

We'd like unprivileged open_by_handle_at(2). One idea is for the
kernel to authenticate file handles (add an authentication header)
using a secret key, so that unprivileged open_by_handle_at() only
works on handles obtained through file_to_handle_at(), and will reject
any maliciously crafted file handles.

So the question is how the authentication keys should be managed.

The unprivileged process must not have access to the key, obviously,
but it should be possible to save the key across restarts.

Any ideas?

Thanks,
Miklos
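As an added illustration that is not part of the original thread or of any virtiofsd or kernel code: the authentication-header scheme described above (a MAC over the opaque handle under a secret the unprivileged caller never sees, with open_by_handle_at() accepting only handles whose tag verifies), modelled in user-space Python with HMAC-SHA256. The issuing function stands in for name_to_handle_at(2) (called file_to_handle_at() in the message) and the checking function for open_by_handle_at(2); the handle type value, handle payload and key bytes are constructed sample data. The walk-through also shows why the thread needs a persistent key: a handle issued under one per-process random key is rejected as soon as the key is regenerated, and accepted again only when the same key is reloaded.

```python
import hashlib
import hmac
import os
import struct
from typing import Tuple

TAG_LEN = 16                 # truncated HMAC-SHA256 tag prepended to each handle
HDR = struct.Struct("<II")   # handle_type, handle_bytes (mirrors struct file_handle's fields)


def issue_handle(key: bytes, handle_type: int, raw_handle: bytes) -> bytes:
    """Privileged side (the kernel in the thread's design): wrap the opaque
    filesystem handle in an authentication header keyed by a secret that
    the unprivileged caller never sees."""
    body = HDR.pack(handle_type, len(raw_handle)) + raw_handle
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return tag + body


def open_by_handle(key: bytes, blob: bytes) -> Tuple[int, bytes]:
    """Check a handle presented by an unprivileged caller. Only handles whose
    tag verifies under the secret key are accepted; anything else is rejected
    before the filesystem ever sees it. Returns (handle_type, raw_handle)."""
    if len(blob) < TAG_LEN + HDR.size:
        raise PermissionError("handle too short")
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    # constant-time comparison so the tag cannot be guessed byte by byte
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("handle failed authentication")
    handle_type, handle_bytes = HDR.unpack(body[:HDR.size])
    raw_handle = body[HDR.size:]
    if len(raw_handle) != handle_bytes:
        raise PermissionError("handle length mismatch")
    return handle_type, raw_handle


def accepted(key: bytes, blob: bytes) -> bool:
    """True if open_by_handle() would accept blob under key."""
    try:
        open_by_handle(key, blob)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Walk through the cases discussed in the thread with constructed data."""
    key = os.urandom(32)                     # per-process random key, as in the patch
    # Constructed sample payload; real handles are filesystem-specific.
    raw = struct.pack("<IIII", 0x1234, 0xDEADBEEF, 0x2, 0x1)
    handle_type = 0x81                       # constructed value, not a real fh type
    blob = issue_handle(key, handle_type, raw)

    # 1. Handle obtained through the privileged path: accepted.
    roundtrip = open_by_handle(key, blob) == (handle_type, raw)

    # 2. Same handle with one bit of the payload flipped: rejected.
    tampered = bytearray(blob)
    tampered[TAG_LEN + HDR.size] ^= 0x01
    tampered_rejected = not accepted(key, bytes(tampered))

    # 3. Handle built from scratch without the key (zero tag): rejected.
    forged = b"\x00" * TAG_LEN + HDR.pack(handle_type, len(raw)) + raw
    forged_rejected = not accepted(key, forged)

    # 4. Service restarts and draws a fresh random key: every handle issued
    #    earlier is now rejected, which is why a persistent key is needed.
    new_key = os.urandom(32)
    old_handle_rejected_after_restart = not accepted(new_key, blob)

    # 5. Same key reloaded from persistent storage (modelled as a saved copy):
    #    the old handle is accepted again.
    persisted = bytes(key)
    old_handle_ok_with_persisted_key = accepted(persisted, blob)

    return {
        "roundtrip": roundtrip,
        "tampered_rejected": tampered_rejected,
        "forged_rejected": forged_rejected,
        "old_handle_rejected_after_restart": old_handle_rejected_after_restart,
        "old_handle_ok_with_persisted_key": old_handle_ok_with_persisted_key,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two sides share one secret, so where that secret lives is the whole question the message asks: the checking side must hold it (here a plain Python bytes object, in the thread's design the kernel), the unprivileged caller must only ever see the tagged blob, and the secret has to survive a restart of whatever issues the handles, or every outstanding handle becomes invalid as in case 4.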
