[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 35/77] virtiofsd: Whitelist fchmod
From: |
Michael Roth |
Subject: |
[PATCH 35/77] virtiofsd: Whitelist fchmod |
Date: |
Thu, 3 Sep 2020 15:58:53 -0500 |
From: Max Reitz <mreitz@redhat.com>
lo_setattr() invokes fchmod() in a rarely used code path, so it should
be whitelisted or virtiofsd will crash with EBADSYS.
Said code path can be triggered for example as follows:
On the host, in the shared directory, create a file with the sticky bit
set and a security.capability xattr:
(1) # touch foo
(2) # chmod u+s foo
(3) # setcap '' foo
Then in the guest let some process truncate that file after it has
dropped all of its capabilities (at least CAP_FSETID):
int main(int argc, char *argv[])
{
capng_setpid(getpid());
capng_clear(CAPNG_SELECT_BOTH);
capng_updatev(CAPNG_ADD, CAPNG_PERMITTED | CAPNG_EFFECTIVE, 0);
capng_apply(CAPNG_SELECT_BOTH);
ftruncate(open(argv[1], O_RDWR), 0);
}
This will cause the guest kernel to drop the sticky bit (i.e. perform a
mode change) as part of the truncate (where FATTR_FH is set), and that
will cause virtiofsd to invoke fchmod() instead of fchmodat().
(A similar configuration exists further below with futimens() vs.
utimensat(), but the former is not a syscall but just a wrapper for the
latter, so no further whitelisting is required.)
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1842667
Reported-by: Qian Cai <caiqian@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-Id: <20200608093111.14942-1-mreitz@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
(cherry picked from commit 63659fe74e76f5c5285466f0c5cfbdca65b3688e)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
tools/virtiofsd/seccomp.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/virtiofsd/seccomp.c b/tools/virtiofsd/seccomp.c
index bd9e7b083c..3b1522acdd 100644
--- a/tools/virtiofsd/seccomp.c
+++ b/tools/virtiofsd/seccomp.c
@@ -42,6 +42,7 @@ static const int syscall_whitelist[] = {
SCMP_SYS(exit_group),
SCMP_SYS(fallocate),
SCMP_SYS(fchdir),
+ SCMP_SYS(fchmod),
SCMP_SYS(fchmodat),
SCMP_SYS(fchownat),
SCMP_SYS(fcntl),
--
2.17.1
- [PATCH 29/77] memory: Revert "memory: accept mismatching sizes in memory_region_access_valid", (continued)
- [PATCH 29/77] memory: Revert "memory: accept mismatching sizes in memory_region_access_valid", Michael Roth, 2020/09/03
- [PATCH 02/77] target/arm: Clear tail in gvec_fmul_idx_*, gvec_fmla_idx_*, Michael Roth, 2020/09/03
- [PATCH 32/77] acpi: accept byte and word access to core ACPI registers, Michael Roth, 2020/09/03
- [PATCH 31/77] xhci: fix valid.max_access_size to access address registers, Michael Roth, 2020/09/03
- [PATCH 34/77] hw/net/e1000e: Do not abort() on invalid PSRCTL register value, Michael Roth, 2020/09/03
- [PATCH 40/77] nbd: Avoid off-by-one in long export name truncation, Michael Roth, 2020/09/03
- [PATCH 33/77] hw/display/artist: Unbreak size mismatch memory accesses, Michael Roth, 2020/09/03
- [PATCH 39/77] usb/dev-mtp: Fix Error double free after inotify failure, Michael Roth, 2020/09/03
- [PATCH 03/77] qemu-nbd: Close inherited stderr, Michael Roth, 2020/09/03
- [PATCH 30/77] hw/riscv: Allow 64 bit access to SiFive CLINT, Michael Roth, 2020/09/03
- [PATCH 35/77] virtiofsd: Whitelist fchmod,
Michael Roth <=
- [PATCH 38/77] error: Use error_reportf_err() where appropriate, Michael Roth, 2020/09/03
- [PATCH 41/77] chardev/tcp: Fix error message double free error, Michael Roth, 2020/09/03
- [PATCH 42/77] qga: fix assert regression on guest-shutdown, Michael Roth, 2020/09/03
- [PATCH 36/77] hw/audio/gus: Fix registers 32-bit access, Michael Roth, 2020/09/03
- [PATCH 37/77] net/virtio: Fix failover_replug_primary() return value regression, Michael Roth, 2020/09/03
- [PATCH 43/77] util: Introduce qemu_get_host_name(), Michael Roth, 2020/09/03
- [PATCH 44/77] qga: Use qemu_get_host_name() instead of g_get_host_name(), Michael Roth, 2020/09/03
- [PATCH 45/77] docs/orangepi: Add instructions for resizing SD image to power of two, Michael Roth, 2020/09/03
- [PATCH 46/77] tests/acceptance/boot_linux: Tag tests using a SD card with 'device:sd', Michael Roth, 2020/09/03
- [PATCH 48/77] tests/acceptance: refactor boot_linux to allow code reuse, Michael Roth, 2020/09/03