On 02/17/2014 09:39 AM, Daniel P. Berrange wrote:
> Rewrite multiple hotunplug functions to use the
> virProcessRunInMountNamespace helper. This avoids
> risk of a malicious guest replacing /dev with a absolute

s/a absolute/an absolute/

> symlink, tricking the driver into changing the host OS
> filesystem.

Worth mentioning the CVE number in any of these commits? Are you
planning on backporting to stable branches, or could you use some help
on that front?

> Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
> ---
> src/lxc/lxc_driver.c | 79 ++++++++++++++++++++++++++--------------------------
> 1 file changed, 39 insertions(+), 40 deletions(-)

ACK.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org