|
 |
22c213 |
From 19a16f26bdeb6302159736e182a18b06160a3f42 Mon Sep 17 00:00:00 2001
|
|
|
22c213 |
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
|
|
|
22c213 |
Date: Mon, 27 Jan 2020 19:01:28 +0100
|
|
|
22c213 |
Subject: [PATCH 057/116] virtiofsd: move to an empty network namespace
|
|
|
22c213 |
MIME-Version: 1.0
|
|
|
22c213 |
Content-Type: text/plain; charset=UTF-8
|
|
|
22c213 |
Content-Transfer-Encoding: 8bit
|
|
|
22c213 |
|
|
|
22c213 |
RH-Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
|
|
22c213 |
Message-id: <20200127190227.40942-54-dgilbert@redhat.com>
|
|
|
22c213 |
Patchwork-id: 93508
|
|
|
22c213 |
O-Subject: [RHEL-AV-8.2 qemu-kvm PATCH 053/112] virtiofsd: move to an empty network namespace
|
|
|
22c213 |
Bugzilla: 1694164
|
|
|
22c213 |
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
|
|
22c213 |
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
|
22c213 |
RH-Acked-by: Sergio Lopez Pascual <slp@redhat.com>
|
|
|
22c213 |
|
|
|
22c213 |
From: Stefan Hajnoczi <stefanha@redhat.com>
|
|
|
22c213 |
|
|
|
22c213 |
If the process is compromised there should be no network access. Use an
|
|
|
22c213 |
empty network namespace to sandbox networking.
|
|
|
22c213 |
|
|
|
22c213 |
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
|
22c213 |
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
|
22c213 |
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
|
|
22c213 |
(cherry picked from commit d74830d12ae233186ff74ddf64c552d26bb39e50)
|
|
|
22c213 |
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
22c213 |
---
|
|
|
22c213 |
tools/virtiofsd/passthrough_ll.c | 14 ++++++++++++++
|
|
|
22c213 |
1 file changed, 14 insertions(+)
|
|
|
22c213 |
|
|
|
22c213 |
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
|
|
|
22c213 |
index 0570453..27ab328 100644
|
|
|
22c213 |
--- a/tools/virtiofsd/passthrough_ll.c
|
|
|
22c213 |
+++ b/tools/virtiofsd/passthrough_ll.c
|
|
|
22c213 |
@@ -1944,6 +1944,19 @@ static void print_capabilities(void)
|
|
|
22c213 |
printf("}\n");
|
|
|
22c213 |
}
|
|
|
22c213 |
|
|
|
22c213 |
+/*
|
|
|
22c213 |
+ * Called after our UNIX domain sockets have been created, now we can move to
|
|
|
22c213 |
+ * an empty network namespace to prevent TCP/IP and other network activity in
|
|
|
22c213 |
+ * case this process is compromised.
|
|
|
22c213 |
+ */
|
|
|
22c213 |
+static void setup_net_namespace(void)
|
|
|
22c213 |
+{
|
|
|
22c213 |
+ if (unshare(CLONE_NEWNET) != 0) {
|
|
|
22c213 |
+ fuse_log(FUSE_LOG_ERR, "unshare(CLONE_NEWNET): %m\n");
|
|
|
22c213 |
+ exit(1);
|
|
|
22c213 |
+ }
|
|
|
22c213 |
+}
|
|
|
22c213 |
+
|
|
|
22c213 |
/* This magic is based on lxc's lxc_pivot_root() */
|
|
|
22c213 |
static void setup_pivot_root(const char *source)
|
|
|
22c213 |
{
|
|
|
22c213 |
@@ -2035,6 +2048,7 @@ static void setup_mount_namespace(const char *source)
|
|
|
22c213 |
*/
|
|
|
22c213 |
static void setup_sandbox(struct lo_data *lo)
|
|
|
22c213 |
{
|
|
|
22c213 |
+ setup_net_namespace();
|
|
|
22c213 |
setup_mount_namespace(lo->source);
|
|
|
22c213 |
}
|
|
|
22c213 |
|
|
|
22c213 |
--
|
|
|
22c213 |
1.8.3.1
|
|
|
22c213 |
|