qemu-devel

[PATCH 0/2] virtiofsd: add net and pid namespace sandboxing


From: Stefan Hajnoczi
Subject: [PATCH 0/2] virtiofsd: add net and pid namespace sandboxing
Date: Wed, 16 Oct 2019 17:01:55 +0100

These patches are based on gitlab.com/virtio-fs/qemu.git virtio-fs-dev.

virtiofsd is sandboxed so that it does not have access to the system in the
event that the process is compromised.  At the moment we use seccomp and mount
namespaces to restrict the list of allowed syscalls and only give access to the
shared directory.

This patch series enhances sandboxing by putting virtiofsd into an empty
network and pid namespace.  If the process is compromised it will be unable to
perform network activity, even to localhost services running on the host.  It
will also be unable to see other processes running on the system since it runs
as pid 1 in a new pid namespace.

These enhancements are inspired by the Crosvm virtio-fs device's jail
configuration.

Stefan Hajnoczi (2):
  virtiofsd: move to an empty network namespace
  virtiofsd: move to a new pid namespace

 contrib/virtiofsd/passthrough_ll.c | 109 +++++++++++++++++++++++------
 1 file changed, 86 insertions(+), 23 deletions(-)

-- 
2.21.0
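As an added illustration of the isolation the cover letter describes (and not code from this series or from virtiofsd itself), the following C program moves a child into an empty network namespace and a fresh pid namespace, then checks from inside that it is pid 1 and that even 127.0.0.1 is unreachable. All names here are the example's own; it also adds CLONE_NEWUSER so it can be run unprivileged, which a root daemon like virtiofsd would not need. Where the kernel or a seccomp policy refuses the namespaces, the probe reports that rather than failing.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <sched.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Fallback definitions in case the libc headers hide the GNU extensions. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWPID
#define CLONE_NEWPID  0x20000000
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET  0x40000000
#endif
extern int unshare(int flags);

/* Outcome of the sandbox probe (names chosen for this example). */
enum sandbox_result {
    SANDBOX_OK = 0,          /* child was pid 1 and had no route to loopback */
    SANDBOX_UNSUPPORTED = 1, /* kernel or policy refused the namespaces */
    SANDBOX_FAILED = 2       /* namespaces created but isolation not observed */
};

/* Returns 1 if a UDP socket can be bound toward 127.0.0.1, 0 otherwise.
 * In a freshly created network namespace there are no routes at all,
 * so connect() fails with ENETUNREACH: "localhost" is gone too. */
int loopback_reachable(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return 0;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(9);
    inet_pton(AF_INET, "127.0.0.1", &sa.sin_addr);
    int rc = connect(fd, (struct sockaddr *)&sa, sizeof sa);
    close(fd);
    return rc == 0;
}

/* Run the probe in a helper process so the caller's own namespaces are
 * untouched. CLONE_NEWPID only applies to children created afterwards,
 * which is why the helper must fork once more after unshare(). */
int run_sandboxed(void)
{
    pid_t helper = fork();
    if (helper < 0)
        return SANDBOX_FAILED;
    if (helper == 0) {
        if (unshare(CLONE_NEWUSER | CLONE_NEWNET | CLONE_NEWPID) != 0)
            _exit(SANDBOX_UNSUPPORTED);
        pid_t child = fork();
        if (child < 0)
            _exit(SANDBOX_FAILED);
        if (child == 0) {
            /* First process of the new pid namespace: it must see itself
             * as pid 1, and the empty net namespace must block loopback. */
            int isolated = (getpid() == 1) && !loopback_reachable();
            _exit(isolated ? SANDBOX_OK : SANDBOX_FAILED);
        }
        int st;
        if (waitpid(child, &st, 0) != child || !WIFEXITED(st))
            _exit(SANDBOX_FAILED);
        _exit(WEXITSTATUS(st));
    }
    int st;
    if (waitpid(helper, &st, 0) != helper || !WIFEXITED(st))
        return SANDBOX_FAILED;
    return WEXITSTATUS(st);
}

int main(void)
{
    static const char *names[] = { "isolated", "unsupported", "failed" };
    int r = run_sandboxed();
    printf("sandbox probe: %s\n", names[r]);
    return r == SANDBOX_FAILED;
}
```

A daemon applying this to itself would call unshare() directly and then fork, with the parent simply waiting on the pid-1 child; that is the shape the series gives virtiofsd, minus the user namespace used here for an unprivileged demonstration.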



