diff mbox series

[v2,1/5] virtiofsd: Add notion of unprivileged mode

Message ID 20200730194736.173994-2-vgoyal@redhat.com
State New
Headers show
Series virtiofsd: Add a unprivileged passthrough mode | expand

Commit Message

Vivek Goyal July 30, 2020, 7:47 p.m. UTC 
At startup if we are running as non-root user, then internally set
unpriviliged mode set. Also add a notion of sandbox NONE and set
that internally in unprivileged mode. setting up namespaces and
chroot() fails in unpriviliged mode.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
---
 tools/virtiofsd/passthrough_ll.c | 8 ++++++++
 1 file changed, 8 insertions(+)

Comments

Dr. David Alan Gilbert Aug. 7, 2020, 4:33 p.m. UTC | #1 
* Vivek Goyal (vgoyal@redhat.com) wrote:
> At startup if we are running as non-root user, then internally set
> unpriviliged mode set. Also add a notion of sandbox NONE and set
> that internally in unprivileged mode. setting up namespaces and
> chroot() fails in unpriviliged mode.
> 
> Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
> ---
>  tools/virtiofsd/passthrough_ll.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
> index e2fbc614fd..cd91c4a831 100644
> --- a/tools/virtiofsd/passthrough_ll.c
> +++ b/tools/virtiofsd/passthrough_ll.c
> @@ -147,11 +147,13 @@ enum {
>  enum {
>      SANDBOX_NAMESPACE,
>      SANDBOX_CHROOT,
> +    SANDBOX_NONE,
>  };
>  
>  struct lo_data {
>      pthread_mutex_t mutex;
>      int sandbox;
> +    bool unprivileged;
>      int debug;
>      int writeback;
>      int flock;
> @@ -3288,6 +3290,12 @@ int main(int argc, char *argv[])
>      lo_map_init(&lo.dirp_map);
>      lo_map_init(&lo.fd_map);
>  
> +    if (geteuid() != 0) {
> +       lo.unprivileged = true;
> +       lo.sandbox = SANDBOX_NONE;
> +       fuse_log(FUSE_LOG_DEBUG, "Running in unprivileged passthrough mode.\n");
> +    }

I don't like this being automatic; to switch to a less secure mode, the
user should have to explicitly ask for it; we don't want people
accidentally ending up with less security.

Also, I'm not sure that checking for geteuid() != 0  is the right test -
wouldn't the current virtiofsd run with a non-root user as long
as it had the correct capabilities?

I was doing to suggest we match cloud-hypervisor where we added
--disable-sandbox; but with this we now have a trinary switch;
so sandbox=none is probably the right way.

Dave

>      if (fuse_parse_cmdline(&args, &opts) != 0) {
>          goto err_out1;
>      }
> -- 
> 2.25.4
>
diff mbox series

Patch

diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index e2fbc614fd..cd91c4a831 100644
--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
@@ -147,11 +147,13 @@  enum {
 enum {
     SANDBOX_NAMESPACE,
     SANDBOX_CHROOT,
+    SANDBOX_NONE,
 };
 
 struct lo_data {
     pthread_mutex_t mutex;
     int sandbox;
+    bool unprivileged;
     int debug;
     int writeback;
     int flock;
@@ -3288,6 +3290,12 @@  int main(int argc, char *argv[])
     lo_map_init(&lo.dirp_map);
     lo_map_init(&lo.fd_map);
 
+    if (geteuid() != 0) {
+       lo.unprivileged = true;
+       lo.sandbox = SANDBOX_NONE;
+       fuse_log(FUSE_LOG_DEBUG, "Running in unprivileged passthrough mode.\n");
+    }
+
     if (fuse_parse_cmdline(&args, &opts) != 0) {
         goto err_out1;
     }