| Message ID | 20200730194736.173994-2-vgoyal@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | virtiofsd: Add a unprivileged passthrough mode | expand |
* Vivek Goyal (vgoyal@redhat.com) wrote: > At startup if we are running as non-root user, then internally set > unpriviliged mode set. Also add a notion of sandbox NONE and set > that internally in unprivileged mode. setting up namespaces and > chroot() fails in unpriviliged mode. > > Signed-off-by: Vivek Goyal <vgoyal@redhat.com> > --- > tools/virtiofsd/passthrough_ll.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c > index e2fbc614fd..cd91c4a831 100644 > --- a/tools/virtiofsd/passthrough_ll.c > +++ b/tools/virtiofsd/passthrough_ll.c > @@ -147,11 +147,13 @@ enum { > enum { > SANDBOX_NAMESPACE, > SANDBOX_CHROOT, > + SANDBOX_NONE, > }; > > struct lo_data { > pthread_mutex_t mutex; > int sandbox; > + bool unprivileged; > int debug; > int writeback; > int flock; > @@ -3288,6 +3290,12 @@ int main(int argc, char *argv[]) > lo_map_init(&lo.dirp_map); > lo_map_init(&lo.fd_map); > > + if (geteuid() != 0) { > + lo.unprivileged = true; > + lo.sandbox = SANDBOX_NONE; > + fuse_log(FUSE_LOG_DEBUG, "Running in unprivileged passthrough mode.\n"); > + } I don't like this being automatic; to switch to a less secure mode, the user should have to explicitly ask for it; we don't want people accidentally ending up with less security. Also, I'm not sure that checking for geteuid() != 0 is the right test - wouldn't the current virtiofsd run with a non-root user as long as it had the correct capabilities? I was doing to suggest we match cloud-hypervisor where we added --disable-sandbox; but with this we now have a trinary switch; so sandbox=none is probably the right way. Dave > if (fuse_parse_cmdline(&args, &opts) != 0) { > goto err_out1; > } > -- > 2.25.4 >
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c index e2fbc614fd..cd91c4a831 100644 --- a/tools/virtiofsd/passthrough_ll.c +++ b/tools/virtiofsd/passthrough_ll.c @@ -147,11 +147,13 @@ enum { enum { SANDBOX_NAMESPACE, SANDBOX_CHROOT, + SANDBOX_NONE, }; struct lo_data { pthread_mutex_t mutex; int sandbox; + bool unprivileged; int debug; int writeback; int flock; @@ -3288,6 +3290,12 @@ int main(int argc, char *argv[]) lo_map_init(&lo.dirp_map); lo_map_init(&lo.fd_map); + if (geteuid() != 0) { + lo.unprivileged = true; + lo.sandbox = SANDBOX_NONE; + fuse_log(FUSE_LOG_DEBUG, "Running in unprivileged passthrough mode.\n"); + } + if (fuse_parse_cmdline(&args, &opts) != 0) { goto err_out1; }
At startup if we are running as non-root user, then internally set unpriviliged mode set. Also add a notion of sandbox NONE and set that internally in unprivileged mode. setting up namespaces and chroot() fails in unpriviliged mode. Signed-off-by: Vivek Goyal <vgoyal@redhat.com> --- tools/virtiofsd/passthrough_ll.c | 8 ++++++++ 1 file changed, 8 insertions(+)