Re: [libvirt] CVE-2013-6456 Re: [PATCHv2 0/7] lxc: honor mount namespaces

On 12/24/2013 06:45 AM, Reco wrote: > On Tue, 24 Dec 2013 06:29:11 -0700 > Eric Blake <eblake(a)redhat.com&gt; wrote: > >> diff --git i/src/util/virprocess.c w/src/util/virprocess.c >> index c99b75a..e069483 100644 >> --- i/src/util/virprocess.c >> +++ w/src/util/virprocess.c >> @@ -879,7 +879,7 @@ virProcessRunInMountNamespace(pid_t pid, >> goto cleanup; >> } >> >> - if ((cpid = virFork() < 0)) >> + if ((cpid = virFork()) < 0) >> goto cleanup; >> if (cpid == 0) { >> /* child */ > > Thanks, that solves it. With this extra patch libvirtd writes to the > container's /dev/initctl only and terminates child process only. Thanks again for the functional review. I'm still waiting for a code review from anyone willing, since this does fix a security issue and I don't want to introduce an unintentional regression. And I guess there's still the need to fix the access to the namespace /dev during device hotplog...