[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 047/104] virtiofsd: sandbox mount namespace
From: |
Dr. David Alan Gilbert (git) |
Subject: |
[PATCH 047/104] virtiofsd: sandbox mount namespace |
Date: |
Thu, 12 Dec 2019 16:38:07 +0000 |
From: Stefan Hajnoczi <address@hidden>
Use a mount namespace with the shared directory tree mounted at "/" and
no other mounts.
This prevents symlink escape attacks because symlink targets are
resolved only against the shared directory and cannot go outside it.
Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Peng Tao <address@hidden>
---
tools/virtiofsd/passthrough_ll.c | 89 ++++++++++++++++++++++++++++++++
1 file changed, 89 insertions(+)
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index 006908f25a..606824f002 100644
--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
@@ -49,6 +49,7 @@
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
+#include <sys/mount.h>
#include <sys/syscall.h>
#include <sys/xattr.h>
#include <unistd.h>
@@ -1925,6 +1926,58 @@ static void print_capabilities(void)
printf("}\n");
}
+/* This magic is based on lxc's lxc_pivot_root() */
+static void setup_pivot_root(const char *source)
+{
+ int oldroot;
+ int newroot;
+
+ oldroot = open("/", O_DIRECTORY | O_RDONLY | O_CLOEXEC);
+ if (oldroot < 0) {
+ fuse_log(FUSE_LOG_ERR, "open(/): %m\n");
+ exit(1);
+ }
+
+ newroot = open(source, O_DIRECTORY | O_RDONLY | O_CLOEXEC);
+ if (newroot < 0) {
+ fuse_log(FUSE_LOG_ERR, "open(%s): %m\n", source);
+ exit(1);
+ }
+
+ if (fchdir(newroot) < 0) {
+ fuse_log(FUSE_LOG_ERR, "fchdir(newroot): %m\n");
+ exit(1);
+ }
+
+ if (syscall(__NR_pivot_root, ".", ".") < 0) {
+ fuse_log(FUSE_LOG_ERR, "pivot_root(., .): %m\n");
+ exit(1);
+ }
+
+ if (fchdir(oldroot) < 0) {
+ fuse_log(FUSE_LOG_ERR, "fchdir(oldroot): %m\n");
+ exit(1);
+ }
+
+ if (mount("", ".", "", MS_SLAVE | MS_REC, NULL) < 0) {
+ fuse_log(FUSE_LOG_ERR, "mount(., MS_SLAVE | MS_REC): %m\n");
+ exit(1);
+ }
+
+ if (umount2(".", MNT_DETACH) < 0) {
+ fuse_log(FUSE_LOG_ERR, "umount2(., MNT_DETACH): %m\n");
+ exit(1);
+ }
+
+ if (fchdir(newroot) < 0) {
+ fuse_log(FUSE_LOG_ERR, "fchdir(newroot): %m\n");
+ exit(1);
+ }
+
+ close(newroot);
+ close(oldroot);
+}
+
static void setup_proc_self_fd(struct lo_data *lo)
{
lo->proc_self_fd = open("/proc/self/fd", O_PATH);
@@ -1934,6 +1987,39 @@ static void setup_proc_self_fd(struct lo_data *lo)
}
}
+/*
+ * Make the source directory our root so symlinks cannot escape and no other
+ * files are accessible.
+ */
+static void setup_mount_namespace(const char *source)
+{
+ if (unshare(CLONE_NEWNS) != 0) {
+ fuse_log(FUSE_LOG_ERR, "unshare(CLONE_NEWNS): %m\n");
+ exit(1);
+ }
+
+ if (mount(NULL, "/", NULL, MS_REC | MS_SLAVE, NULL) < 0) {
+ fuse_log(FUSE_LOG_ERR, "mount(/, MS_REC|MS_PRIVATE): %m\n");
+ exit(1);
+ }
+
+ if (mount(source, source, NULL, MS_BIND, NULL) < 0) {
+ fuse_log(FUSE_LOG_ERR, "mount(%s, %s, MS_BIND): %m\n", source, source);
+ exit(1);
+ }
+
+ setup_pivot_root(source);
+}
+
+/*
+ * Lock down this process to prevent access to other processes or files outside
+ * source directory. This reduces the impact of arbitrary code execution bugs.
+ */
+static void setup_sandbox(struct lo_data *lo)
+{
+ setup_mount_namespace(lo->source);
+}
+
int main(int argc, char *argv[])
{
struct fuse_args args = FUSE_ARGS_INIT(argc, argv);
@@ -2034,6 +2120,7 @@ int main(int argc, char *argv[])
}
lo.root.fd = open(lo.source, O_PATH);
+
if (lo.root.fd == -1) {
fuse_log(FUSE_LOG_ERR, "open(\"%s\", O_PATH): %m\n", lo.source);
exit(1);
@@ -2057,6 +2144,8 @@ int main(int argc, char *argv[])
/* Must be after daemonize to get the right /proc/self/fd */
setup_proc_self_fd(&lo);
+ setup_sandbox(&lo);
+
/* Block until ctrl+c or fusermount -u */
ret = virtio_loop(se);
--
2.23.0
- [PATCH 038/104] virtiofsd: validate path components, (continued)
- [PATCH 038/104] virtiofsd: validate path components, Dr. David Alan Gilbert (git), 2019/12/12
- [PATCH 040/104] virtiofsd: Pass write iov's all the way through, Dr. David Alan Gilbert (git), 2019/12/12
- [PATCH 039/104] virtiofsd: Plumb fuse_bufvec through to do_write_buf, Dr. David Alan Gilbert (git), 2019/12/12
- [PATCH 035/104] virtiofsd: passthrough_ll: add dirp_map to hide lo_dirp pointers, Dr. David Alan Gilbert (git), 2019/12/12
- [PATCH 041/104] virtiofsd: add fuse_mbuf_iter API, Dr. David Alan Gilbert (git), 2019/12/12
- [PATCH 042/104] virtiofsd: validate input buffer sizes in do_write_buf(), Dr. David Alan Gilbert (git), 2019/12/12
- [PATCH 044/104] virtiofsd: prevent ".." escape in lo_do_lookup(), Dr. David Alan Gilbert (git), 2019/12/12
- [PATCH 045/104] virtiofsd: prevent ".." escape in lo_do_readdir(), Dr. David Alan Gilbert (git), 2019/12/12
- [PATCH 043/104] virtiofsd: check input buffer size in fuse_lowlevel.c ops, Dr. David Alan Gilbert (git), 2019/12/12
- [PATCH 046/104] virtiofsd: use /proc/self/fd/ O_PATH file descriptor, Dr. David Alan Gilbert (git), 2019/12/12
- [PATCH 047/104] virtiofsd: sandbox mount namespace,
Dr. David Alan Gilbert (git) <=
- [PATCH 048/104] virtiofsd: move to an empty network namespace, Dr. David Alan Gilbert (git), 2019/12/12
- [PATCH 049/104] virtiofsd: move to a new pid namespace, Dr. David Alan Gilbert (git), 2019/12/12
- [PATCH 050/104] virtiofsd: add seccomp whitelist, Dr. David Alan Gilbert (git), 2019/12/12
- [PATCH 051/104] virtiofsd: Parse flag FUSE_WRITE_KILL_PRIV, Dr. David Alan Gilbert (git), 2019/12/12
- [PATCH 052/104] virtiofsd: cap-ng helpers, Dr. David Alan Gilbert (git), 2019/12/12
- [PATCH 053/104] virtiofsd: Drop CAP_FSETID if client asked for it, Dr. David Alan Gilbert (git), 2019/12/12
- [PATCH 054/104] virtiofsd: set maximum RLIMIT_NOFILE limit, Dr. David Alan Gilbert (git), 2019/12/12
- [PATCH 057/104] virtiofsd: add --syslog command-line option, Dr. David Alan Gilbert (git), 2019/12/12
- [PATCH 055/104] virtiofsd: fix libfuse information leaks, Dr. David Alan Gilbert (git), 2019/12/12
- [PATCH 056/104] virtiofsd: add security guide document, Dr. David Alan Gilbert (git), 2019/12/12