[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] CVE-2013-6456 Re: [PATCHv2 0/7] lxc: honor mount namespaces



On 12/24/2013 06:45 AM, Reco wrote:
> On Tue, 24 Dec 2013 06:29:11 -0700
> Eric Blake <eblake redhat com> wrote:
> 
>> diff --git i/src/util/virprocess.c w/src/util/virprocess.c
>> index c99b75a..e069483 100644
>> --- i/src/util/virprocess.c
>> +++ w/src/util/virprocess.c
>> @@ -879,7 +879,7 @@ virProcessRunInMountNamespace(pid_t pid,
>>          goto cleanup;
>>      }
>>
>> -    if ((cpid = virFork() < 0))
>> +    if ((cpid = virFork()) < 0)
>>          goto cleanup;
>>      if (cpid == 0) {
>>          /* child */
> 
> Thanks, that solves it. With this extra patch libvirtd writes to the
> container's /dev/initctl only and terminates child process only.

Thanks again for the functional review.  I'm still waiting for a code
review from anyone willing, since this does fix a security issue and I
don't want to introduce an unintentional regression.  And I guess
there's still the need to fix the access to the namespace /dev during
device hotplog...

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]