[047/104] virtiofsd: sandbox mount namespace

Message ID	20191212163904.159893-48-dgilbert@redhat.com
State	New
Headers	show Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org> From: "Dr. David Alan Gilbert (git)" <dgilbert@redhat.com> To: qemu-devel@nongnu.org, stefanha@redhat.com, vgoyal@redhat.com Subject: [PATCH 047/104] virtiofsd: sandbox mount namespace Date: Thu, 12 Dec 2019 16:38:07 +0000 Message-Id: <20191212163904.159893-48-dgilbert@redhat.com> In-Reply-To: <20191212163904.159893-1-dgilbert@redhat.com> References: <20191212163904.159893-1-dgilbert@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Precedence: list Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>
Series	virtiofs daemon [all] \| expand [000/104] virtiofs daemon [all] [001/104] virtiofsd: Pull in upstream headers [002/104] virtiofsd: Pull in kernel's fuse.h [003/104] virtiofsd: Add auxiliary .c's [004/104] virtiofsd: Add fuse_lowlevel.c [005/104] virtiofsd: Add passthrough_ll [006/104] virtiofsd: Trim down imported files [007/104] virtiofsd: Format imported files to qemu style [008/104] virtiofsd: remove mountpoint dummy argument [009/104] virtiofsd: remove unused notify reply support [010/104] virtiofsd: Fix fuse_daemonize ignored return values [011/104] virtiofsd: Fix common header and define for QEMU builds [012/104] virtiofsd: Trim out compatibility code [013/104] virtiofsd: Make fsync work even if only inode is passed in [014/104] virtiofsd: Add options for virtio [015/104] virtiofsd: add -o source=PATH to help output [016/104] virtiofsd: Open vhost connection instead of mounting [017/104] virtiofsd: Start wiring up vhost-user [018/104] virtiofsd: Add main virtio loop [019/104] virtiofsd: get/set features callbacks [020/104] virtiofsd: Start queue threads [021/104] virtiofsd: Poll kick_fd for queue [022/104] virtiofsd: Start reading commands from queue [023/104] virtiofsd: Send replies to messages [024/104] virtiofsd: Keep track of replies [025/104] virtiofsd: Add Makefile wiring for virtiofsd contrib [026/104] virtiofsd: Fast path for virtio read [027/104] virtiofsd: add --fd=FDNUM fd passing option [028/104] virtiofsd: make -f (foreground) the default [029/104] virtiofsd: add vhost-user.json file [030/104] virtiofsd: add --print-capabilities option [031/104] virtiofs: Add maintainers entry [032/104] virtiofsd: passthrough_ll: create new files in caller's context [033/104] virtiofsd: passthrough_ll: add lo_map for ino/fh indirection [034/104] virtiofsd: passthrough_ll: add ino_map to hide lo_inode pointers [035/104] virtiofsd: passthrough_ll: add dirp_map to hide lo_dirp pointers [036/104] virtiofsd: passthrough_ll: add fd_map to hide file descriptors [037/104] virtiofsd: passthrough_ll: add fallback for racy ops [038/104] virtiofsd: validate path components [039/104] virtiofsd: Plumb fuse_bufvec through to do_write_buf [040/104] virtiofsd: Pass write iov's all the way through [041/104] virtiofsd: add fuse_mbuf_iter API [042/104] virtiofsd: validate input buffer sizes in do_write_buf() [043/104] virtiofsd: check input buffer size in fuse_lowlevel.c ops [044/104] virtiofsd: prevent ".." escape in lo_do_lookup() [045/104] virtiofsd: prevent ".." escape in lo_do_readdir() [046/104] virtiofsd: use /proc/self/fd/ O_PATH file descriptor [047/104] virtiofsd: sandbox mount namespace [048/104] virtiofsd: move to an empty network namespace [049/104] virtiofsd: move to a new pid namespace [050/104] virtiofsd: add seccomp whitelist [051/104] virtiofsd: Parse flag FUSE_WRITE_KILL_PRIV [052/104] virtiofsd: cap-ng helpers [053/104] virtiofsd: Drop CAP_FSETID if client asked for it [054/104] virtiofsd: set maximum RLIMIT_NOFILE limit [055/104] virtiofsd: fix libfuse information leaks [056/104] virtiofsd: add security guide document [057/104] virtiofsd: add --syslog command-line option [058/104] virtiofsd: print log only when priority is high enough [059/104] virtiofsd: Add ID to the log with FUSE_LOG_DEBUG level [060/104] virtiofsd: Add timestamp to the log with FUSE_LOG_DEBUG level [061/104] virtiofsd: Handle reinit [062/104] virtiofsd: Handle hard reboot [063/104] virtiofsd: Kill threads when queues are stopped [064/104] vhost-user: Print unexpected slave message types [065/104] contrib/libvhost-user: Protect slave fd with mutex [066/104] virtiofsd: passthrough_ll: add renameat2 support [067/104] virtiofsd: passthrough_ll: disable readdirplus on cache=never [068/104] virtiofsd: passthrough_ll: control readdirplus [069/104] virtiofsd: rename unref_inode() to unref_inode_lolocked() [070/104] virtiofsd: fail when parent inode isn't known in lo_do_lookup() [071/104] virtiofsd: extract root inode init into setup_root() [072/104] virtiofsd: passthrough_ll: fix refcounting on remove/rename [073/104] virtiofsd: passthrough_ll: clean up cache related options [074/104] virtiofsd: passthrough_ll: use hashtable [075/104] virtiofsd: Clean up inodes on destroy [076/104] virtiofsd: support nanosecond resolution for file timestamp [077/104] virtiofsd: fix error handling in main() [078/104] virtiofsd: cleanup allocated resource in se [079/104] virtiofsd: fix memory leak on lo.source [080/104] virtiofsd: add helper for lo_data cleanup [081/104] virtiofsd: Prevent multiply running with same vhost_user_socket [082/104] virtiofsd: enable PARALLEL_DIROPS during INIT [083/104] virtiofsd: fix incorrect error handling in lo_do_lookup [084/104] Virtiofsd: fix memory leak on fuse queueinfo [085/104] virtiofsd: Support remote posix locks [086/104] virtiofsd: use fuse_lowlevel_is_virtio() in fuse_session_destroy() [087/104] virtiofsd: prevent fv_queue_thread() vs virtio_loop() races [088/104] virtiofsd: make lo_release() atomic [089/104] virtiofsd: prevent races with lo_dirp_put() [090/104] virtiofsd: rename inode->refcount to inode->nlookup [091/104] libvhost-user: Fix some memtable remap cases [092/104] virtiofsd: add man page [093/104] virtiofsd: introduce inode refcount to prevent use-after-free [094/104] virtiofsd: do not always set FUSE_FLOCK_LOCKS [095/104] virtiofsd: convert more fprintf and perror to use fuse log infra [096/104] virtiofsd: Reset O_DIRECT flag during file open [097/104] virtiofsd: Fix data corruption with O_APPEND wirte in writeback mode [098/104] virtiofsd: add definition of fuse_buf_writev() [099/104] virtiofsd: use fuse_buf_writev to replace fuse_buf_write for better performance [100/104] virtiofsd: process requests in a thread pool [101/104] virtiofsd: prevent FUSE_INIT/FUSE_DESTROY races [102/104] virtiofsd: fix lo_destroy() resource leaks [103/104] virtiofsd: add --thread-pool-size=NUM option [104/104] virtiofsd: Convert lo_destroy to take the lo->mutex lock itself [105/104] virtiofsd: Unref old/new inodes with the same mutex lock in lo_rename()

Message ID

20191212163904.159893-48-dgilbert@redhat.com

State

New

Headers

From: "Dr. David Alan Gilbert (git)" <dgilbert@redhat.com>
To: qemu-devel@nongnu.org,
	stefanha@redhat.com,
	vgoyal@redhat.com
Subject: [PATCH 047/104] virtiofsd: sandbox mount namespace
Date: Thu, 12 Dec 2019 16:38:07 +0000
Message-Id: <20191212163904.159893-48-dgilbert@redhat.com>
In-Reply-To: <20191212163904.159893-1-dgilbert@redhat.com>
References: <20191212163904.159893-1-dgilbert@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
Precedence: list
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: "Qemu-devel"
	<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>

Series

virtiofs daemon [all] | expand

Commit Message

Dr. David Alan Gilbert Dec. 12, 2019, 4:38 p.m. UTC

From: Stefan Hajnoczi <stefanha@redhat.com>

Use a mount namespace with the shared directory tree mounted at "/" and
no other mounts.

This prevents symlink escape attacks because symlink targets are
resolved only against the shared directory and cannot go outside it.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Peng Tao <tao.peng@linux.alibaba.com>
---
 tools/virtiofsd/passthrough_ll.c | 89 ++++++++++++++++++++++++++++++++
 1 file changed, 89 insertions(+)

Comments

Daniel P. Berrangé Jan. 6, 2020, 2:36 p.m. UTC | #1

On Thu, Dec 12, 2019 at 04:38:07PM +0000, Dr. David Alan Gilbert (git) wrote:
> From: Stefan Hajnoczi <stefanha@redhat.com>
> 
> Use a mount namespace with the shared directory tree mounted at "/" and
> no other mounts.
> 
> This prevents symlink escape attacks because symlink targets are
> resolved only against the shared directory and cannot go outside it.
> 
> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> Signed-off-by: Peng Tao <tao.peng@linux.alibaba.com>
> ---
>  tools/virtiofsd/passthrough_ll.c | 89 ++++++++++++++++++++++++++++++++
>  1 file changed, 89 insertions(+)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Regards,
Daniel

diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index 006908f25a..606824f002 100644
--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
@@ -49,6 +49,7 @@ 
 #include <stdlib.h>
 #include <string.h>
 #include <sys/file.h>
+#include <sys/mount.h>
 #include <sys/syscall.h>
 #include <sys/xattr.h>
 #include <unistd.h>
@@ -1925,6 +1926,58 @@  static void print_capabilities(void)
     printf("}\n");
 }
 
+/* This magic is based on lxc's lxc_pivot_root() */
+static void setup_pivot_root(const char *source)
+{
+    int oldroot;
+    int newroot;
+
+    oldroot = open("/", O_DIRECTORY | O_RDONLY | O_CLOEXEC);
+    if (oldroot < 0) {
+        fuse_log(FUSE_LOG_ERR, "open(/): %m\n");
+        exit(1);
+    }
+
+    newroot = open(source, O_DIRECTORY | O_RDONLY | O_CLOEXEC);
+    if (newroot < 0) {
+        fuse_log(FUSE_LOG_ERR, "open(%s): %m\n", source);
+        exit(1);
+    }
+
+    if (fchdir(newroot) < 0) {
+        fuse_log(FUSE_LOG_ERR, "fchdir(newroot): %m\n");
+        exit(1);
+    }
+
+    if (syscall(__NR_pivot_root, ".", ".") < 0) {
+        fuse_log(FUSE_LOG_ERR, "pivot_root(., .): %m\n");
+        exit(1);
+    }
+
+    if (fchdir(oldroot) < 0) {
+        fuse_log(FUSE_LOG_ERR, "fchdir(oldroot): %m\n");
+        exit(1);
+    }
+
+    if (mount("", ".", "", MS_SLAVE | MS_REC, NULL) < 0) {
+        fuse_log(FUSE_LOG_ERR, "mount(., MS_SLAVE | MS_REC): %m\n");
+        exit(1);
+    }
+
+    if (umount2(".", MNT_DETACH) < 0) {
+        fuse_log(FUSE_LOG_ERR, "umount2(., MNT_DETACH): %m\n");
+        exit(1);
+    }
+
+    if (fchdir(newroot) < 0) {
+        fuse_log(FUSE_LOG_ERR, "fchdir(newroot): %m\n");
+        exit(1);
+    }
+
+    close(newroot);
+    close(oldroot);
+}
+
 static void setup_proc_self_fd(struct lo_data *lo)
 {
     lo->proc_self_fd = open("/proc/self/fd", O_PATH);
@@ -1934,6 +1987,39 @@  static void setup_proc_self_fd(struct lo_data *lo)
     }
 }
 
+/*
+ * Make the source directory our root so symlinks cannot escape and no other
+ * files are accessible.
+ */
+static void setup_mount_namespace(const char *source)
+{
+    if (unshare(CLONE_NEWNS) != 0) {
+        fuse_log(FUSE_LOG_ERR, "unshare(CLONE_NEWNS): %m\n");
+        exit(1);
+    }
+
+    if (mount(NULL, "/", NULL, MS_REC | MS_SLAVE, NULL) < 0) {
+        fuse_log(FUSE_LOG_ERR, "mount(/, MS_REC|MS_PRIVATE): %m\n");
+        exit(1);
+    }
+
+    if (mount(source, source, NULL, MS_BIND, NULL) < 0) {
+        fuse_log(FUSE_LOG_ERR, "mount(%s, %s, MS_BIND): %m\n", source, source);
+        exit(1);
+    }
+
+    setup_pivot_root(source);
+}
+
+/*
+ * Lock down this process to prevent access to other processes or files outside
+ * source directory.  This reduces the impact of arbitrary code execution bugs.
+ */
+static void setup_sandbox(struct lo_data *lo)
+{
+    setup_mount_namespace(lo->source);
+}
+
 int main(int argc, char *argv[])
 {
     struct fuse_args args = FUSE_ARGS_INIT(argc, argv);
@@ -2034,6 +2120,7 @@  int main(int argc, char *argv[])
     }
 
     lo.root.fd = open(lo.source, O_PATH);
+
     if (lo.root.fd == -1) {
         fuse_log(FUSE_LOG_ERR, "open(\"%s\", O_PATH): %m\n", lo.source);
         exit(1);
@@ -2057,6 +2144,8 @@  int main(int argc, char *argv[])
     /* Must be after daemonize to get the right /proc/self/fd */
     setup_proc_self_fd(&lo);
 
+    setup_sandbox(&lo);
+
     /* Block until ctrl+c or fusermount -u */
     ret = virtio_loop(se);

[047/104] virtiofsd: sandbox mount namespace

Commit Message

Comments

Patch