| Message ID | 20191016160157.12414-2-stefanha@redhat.com |
|---|---|
| State | New |
| Headers | show |
| Series | virtiofsd: add net and pid namespace sandboxing | expand |
* Stefan Hajnoczi (stefanha@redhat.com) wrote: > If the process is compromised there should be no network access. Use an > empty network namespace to sandbox networking. > > Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> > --- > contrib/virtiofsd/passthrough_ll.c | 14 ++++++++++++++ > 1 file changed, 14 insertions(+) > > diff --git a/contrib/virtiofsd/passthrough_ll.c b/contrib/virtiofsd/passthrough_ll.c > index 84b60d85bd..c27ff7d800 100644 > --- a/contrib/virtiofsd/passthrough_ll.c > +++ b/contrib/virtiofsd/passthrough_ll.c > @@ -2736,6 +2736,19 @@ static void setup_shared_versions(struct lo_data *lo) > lo->version_table = addr; > } > > +/* > + * Called after our UNIX domain sockets have been created, now we can move to > + * an empty network namespace to prevent TCP/IP and other network activity in > + * case this process is compromised. > + */ > +static void setup_net_namespace(void) > +{ > + if (unshare(CLONE_NEWNET) != 0) { > + fuse_log(FUSE_LOG_ERR, "unshare(CLONE_NEWNET): %m\n"); > + exit(1); > + } > +} > + > /* This magic is based on lxc's lxc_pivot_root() */ > static void setup_pivot_root(const char *source) > { > @@ -2818,6 +2831,7 @@ static void setup_mount_namespace(const char *source) > */ > static void setup_sandbox(struct lo_data *lo, bool enable_syslog) > { > + setup_net_namespace(); > setup_mount_namespace(lo->source); > setup_seccomp(enable_syslog); > } > -- > 2.21.0 > -- Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
diff --git a/contrib/virtiofsd/passthrough_ll.c b/contrib/virtiofsd/passthrough_ll.c index 84b60d85bd..c27ff7d800 100644 --- a/contrib/virtiofsd/passthrough_ll.c +++ b/contrib/virtiofsd/passthrough_ll.c @@ -2736,6 +2736,19 @@ static void setup_shared_versions(struct lo_data *lo) lo->version_table = addr; } +/* + * Called after our UNIX domain sockets have been created, now we can move to + * an empty network namespace to prevent TCP/IP and other network activity in + * case this process is compromised. + */ +static void setup_net_namespace(void) +{ + if (unshare(CLONE_NEWNET) != 0) { + fuse_log(FUSE_LOG_ERR, "unshare(CLONE_NEWNET): %m\n"); + exit(1); + } +} + /* This magic is based on lxc's lxc_pivot_root() */ static void setup_pivot_root(const char *source) { @@ -2818,6 +2831,7 @@ static void setup_mount_namespace(const char *source) */ static void setup_sandbox(struct lo_data *lo, bool enable_syslog) { + setup_net_namespace(); setup_mount_namespace(lo->source); setup_seccomp(enable_syslog); }
If the process is compromised there should be no network access. Use an empty network namespace to sandbox networking. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> --- contrib/virtiofsd/passthrough_ll.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+)