On 02/07/2014 08:33 AM, Daniel P. Berrange wrote:
Rewrite lxcDomainAttachDeviceHostdevStorageLive function
to use the virProcessRunInMountNamespace helper. This avoids
risk of a malicious guest replacing /dev with an absolute
symlink, tricking the driver into changing the host OS
filesystem.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/lxc/lxc_driver.c | 64 ++++++++++++++--------------------------------------
1 file changed, 17 insertions(+), 47 deletions(-)
+ if (virCgroupAllowDevicePath(priv->cgroup,
+ def->source.caps.u.storage.block,
+ VIR_CGROUP_DEVICE_RWM) != 0) {
virReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot allow device %s for domain %s"),
def->source.caps.u.storage.block, vm->def->name);
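Review bot: the return check on virCgroupAllowDevicePath() uses `!= 0` while the lxcDomainAttachDeviceMknod() call later in this hunk uses `< 0`; libvirt's usual convention for int-returning functions is `< 0`, so suggest `VIR_CGROUP_DEVICE_RWM) < 0) {` here for consistency with the rest of the function.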
Here, I think we're okay setting up cgroup by name - because it is the
host-visible name, not the guest-visible name, and cgroup just stat()s
the host name to use the major:minor anyways. But since we already have
sb.st_rdev, why not avoid a second stat() and just tell cgroup to change
by major:minor in the first place?
goto cleanup;
}
+ if (lxcDomainAttachDeviceMknod(driver,
+ 0700 | S_IFBLK,
+ sb.st_rdev,
+ vm,
+ dev,
+ def->source.caps.u.storage.block) < 0) {
+ if (virCgroupDenyDevicePath(priv->cgroup,
+ def->source.caps.u.storage.block,
+ VIR_CGROUP_DEVICE_RWM) != 0)
+ VIR_WARN("cannot deny device %s for domain %s",
+ def->source.caps.u.storage.block, vm->def->name);
+ goto cleanup;
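Review bot: the cgroup rollback on the lxcDomainAttachDeviceMknod() failure path is best-effort only: if virCgroupDenyDevicePath() also fails, the block device stays whitelisted in the domain's cgroup even though the attach is reported as failed, and the only trace is the VIR_WARN. Suggest making that warning say so explicitly, e.g. `VIR_WARN("cannot deny device %s for domain %s; device remains allowed in cgroup", ...)`, so an operator reading the log can reconcile the leftover ACL, and use `< 0` rather than `!= 0` on the deny call to match the mknod check directly above it.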
Same problem as in 10/14 about no audit of cleanup attempts. And again,
something probably worth fixing in its own patch, so for this one:
ACK.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org