From c7ae38df696e4be432fd418c670dcea892b910a7 Mon Sep 17 00:00:00 2001

From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>

Date: Mon, 27 Jan 2020 19:01:27 +0100

Subject: [PATCH 056/116] virtiofsd: sandbox mount namespace

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

RH-Author: Dr. David Alan Gilbert <dgilbert@redhat.com>

Message-id: <20200127190227.40942-53-dgilbert@redhat.com>

Patchwork-id: 93504

O-Subject: [RHEL-AV-8.2 qemu-kvm PATCH 052/112] virtiofsd: sandbox mount namespace

Bugzilla: 1694164

RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>

RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>

RH-Acked-by: Sergio Lopez Pascual <slp@redhat.com>

From: Stefan Hajnoczi <stefanha@redhat.com>

Use a mount namespace with the shared directory tree mounted at "/" and

no other mounts.

This prevents symlink escape attacks because symlink targets are

resolved only against the shared directory and cannot go outside it.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

Signed-off-by: Peng Tao <tao.peng@linux.alibaba.com>

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

(cherry picked from commit 5baa3b8e95064c2434bd9e2f312edd5e9ae275dc)

Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>

---

 tools/virtiofsd/passthrough_ll.c | 89 ++++++++++++++++++++++++++++++++++++++++

 1 file changed, 89 insertions(+)

diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c

index e2e2211..0570453 100644

--- a/tools/virtiofsd/passthrough_ll.c

+++ b/tools/virtiofsd/passthrough_ll.c

@@ -50,6 +50,7 @@

 #include <stdlib.h>

 #include <string.h>

 #include <sys/file.h>

+#include <sys/mount.h>

 #include <sys/syscall.h>

 #include <sys/xattr.h>

 #include <unistd.h>

@@ -1943,6 +1944,58 @@ static void print_capabilities(void)

     printf("}\n");

 }

+/* This magic is based on lxc's lxc_pivot_root() */

+static void setup_pivot_root(const char *source)

+{

+    int oldroot;

+    int newroot;

+

+    oldroot = open("/", O_DIRECTORY | O_RDONLY | O_CLOEXEC);

+    if (oldroot < 0) {

+        fuse_log(FUSE_LOG_ERR, "open(/): %m\n");

+        exit(1);

+    }

+

+    newroot = open(source, O_DIRECTORY | O_RDONLY | O_CLOEXEC);

+    if (newroot < 0) {

+        fuse_log(FUSE_LOG_ERR, "open(%s): %m\n", source);

+        exit(1);

+    }

+

+    if (fchdir(newroot) < 0) {

+        fuse_log(FUSE_LOG_ERR, "fchdir(newroot): %m\n");

+        exit(1);

+    }

+

+    if (syscall(__NR_pivot_root, ".", ".") < 0) {

+        fuse_log(FUSE_LOG_ERR, "pivot_root(., .): %m\n");

+        exit(1);

+    }

+

+    if (fchdir(oldroot) < 0) {

+        fuse_log(FUSE_LOG_ERR, "fchdir(oldroot): %m\n");

+        exit(1);

+    }

+

+    if (mount("", ".", "", MS_SLAVE | MS_REC, NULL) < 0) {

+        fuse_log(FUSE_LOG_ERR, "mount(., MS_SLAVE | MS_REC): %m\n");

+        exit(1);

+    }

+

+    if (umount2(".", MNT_DETACH) < 0) {

+        fuse_log(FUSE_LOG_ERR, "umount2(., MNT_DETACH): %m\n");

+        exit(1);

+    }

+

+    if (fchdir(newroot) < 0) {

+        fuse_log(FUSE_LOG_ERR, "fchdir(newroot): %m\n");

+        exit(1);

+    }

+

+    close(newroot);

+    close(oldroot);

+}

+

 static void setup_proc_self_fd(struct lo_data *lo)

 {

     lo->proc_self_fd = open("/proc/self/fd", O_PATH);

@@ -1952,6 +2005,39 @@ static void setup_proc_self_fd(struct lo_data *lo)

     }

 }

+/*

+ * Make the source directory our root so symlinks cannot escape and no other

+ * files are accessible.

+ */

+static void setup_mount_namespace(const char *source)

+{

+    if (unshare(CLONE_NEWNS) != 0) {

+        fuse_log(FUSE_LOG_ERR, "unshare(CLONE_NEWNS): %m\n");

+        exit(1);

+    }

+

+    if (mount(NULL, "/", NULL, MS_REC | MS_SLAVE, NULL) < 0) {

+        fuse_log(FUSE_LOG_ERR, "mount(/, MS_REC|MS_PRIVATE): %m\n");

+        exit(1);

+    }

+

+    if (mount(source, source, NULL, MS_BIND, NULL) < 0) {

+        fuse_log(FUSE_LOG_ERR, "mount(%s, %s, MS_BIND): %m\n", source, source);

+        exit(1);

+    }

+

+    setup_pivot_root(source);

+}

+

+/*

+ * Lock down this process to prevent access to other processes or files outside

+ * source directory.  This reduces the impact of arbitrary code execution bugs.

+ */

+static void setup_sandbox(struct lo_data *lo)

+{

+    setup_mount_namespace(lo->source);

+}

+

 int main(int argc, char *argv[])

 {

     struct fuse_args args = FUSE_ARGS_INIT(argc, argv);

@@ -2052,6 +2138,7 @@ int main(int argc, char *argv[])

     }

     lo.root.fd = open(lo.source, O_PATH);

+

     if (lo.root.fd == -1) {

         fuse_log(FUSE_LOG_ERR, "open(\"%s\", O_PATH): %m\n", lo.source);

         exit(1);

@@ -2075,6 +2162,8 @@ int main(int argc, char *argv[])

     /* Must be after daemonize to get the right /proc/self/fd */

     setup_proc_self_fd(&lo);

+    setup_sandbox(&lo);

+

     /* Block until ctrl+c or fusermount -u */

     ret = virtio_loop(se);

-- 

1.8.3.1