[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH 13/14] Avoid unsafe use of /proc/$PID/root in LXC chardev hostdev hotplug



On 02/07/2014 08:33 AM, Daniel P. Berrange wrote:
> Rewrite lxcDomainAttachDeviceHostdevMisceLive function

s/Misce/Misc/

> to use the virProcessRunInMountNamespace helper. This avoids
> risk of a malicious guest replacing /dev with a absolute
> symlink, tricking the driver into changing the host OS
> filesystem.
> 
> Signed-off-by: Daniel P. Berrange <berrange redhat com>
> ---
>  src/lxc/lxc_driver.c | 66 ++++++++++++++--------------------------------------
>  1 file changed, 18 insertions(+), 48 deletions(-)
> 

> +    if (virCgroupAllowDevicePath(priv->cgroup,
> +                                 def->source.caps.u.misc.chardev,
> +                                 VIR_CGROUP_DEVICE_RWM) != 0) {

Again, why make cgroup do another stat of the host-side name, when we've
already done a stat and could tell cgroup to operate on major:minor?


> +                                   def->source.caps.u.misc.chardev) < 0) {
> +        if (virCgroupDenyDevicePath(priv->cgroup,
> +                                    def->source.caps.u.misc.chardev,
> +                                    VIR_CGROUP_DEVICE_RWM) != 0)
> +            VIR_WARN("cannot deny device %s for domain %s",
> +                     def->source.caps.u.storage.block, vm->def->name);
>          goto cleanup;

And same issue on no auditing of deny on the failure path.

ACK.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]