[Virtio-fs] [virtiofsd] MR opened: passthrough: Replace `openat(2)` with `openat2(2)`
virtiofs-bot at sinrega.org
virtiofs-bot at sinrega.org
Tue Oct 18 19:04:05 UTC 2022
Although it is not a sandboxing solution Using `openat2(2)` with
`RESOLVE_IN_ROOT` and `RESOLVE_NO_MAGICLINKS` add a bit more security
especially if running as non-root and no sandboxing option is available.
This was requested to be able to run inside an OpenShift unprivileged
pod where "virtiofsd is already in a container". The OSP seccomp policy
denies CLONE_NEWUSER and NO_NEW_PRIVILEGES is turn on by default.
This could be useful in combination with !136, related: #63
---
https://gitlab.com/virtio-fs/virtiofsd/-/merge_requests/141
More information about the Virtio-fs
mailing list