Re: [libvirt] CVE-2013-6456 Re: [PATCHv2 0/7] lxc: honor mount namespaces
On 12/24/2013 06:45 AM, Reco wrote:
On Tue, 24 Dec 2013 06:29:11 -0700
Eric Blake <eblake(a)redhat.com> wrote:
> diff --git i/src/util/virprocess.c w/src/util/virprocess.c
> index c99b75a..e069483 100644
> --- i/src/util/virprocess.c
> +++ w/src/util/virprocess.c
> @@ -879,7 +879,7 @@ virProcessRunInMountNamespace(pid_t pid,
> goto cleanup;
> }
>
> - if ((cpid = virFork() < 0))
> + if ((cpid = virFork()) < 0)
> goto cleanup;
> if (cpid == 0) {
> /* child */
Thanks, that solves it. With this extra patch libvirtd writes to the
container's /dev/initctl only and terminates child process only.
Thanks again for the functional review. I'm still waiting for a code
review from anyone willing, since this does fix a security issue and I
don't want to introduce an unintentional regression. And I guess
there's still the need to fix the access to the namespace /dev during
device hotplog...
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
Attachments:
- signature.asc (application/pgp-signature — 604 bytes)