From 19a16f26bdeb6302159736e182a18b06160a3f42 Mon Sep 17 00:00:00 2001 From: "Dr. David Alan Gilbert" Date: Mon, 27 Jan 2020 19:01:28 +0100 Subject: [PATCH 057/116] virtiofsd: move to an empty network namespace MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit RH-Author: Dr. David Alan Gilbert Message-id: <20200127190227.40942-54-dgilbert@redhat.com> Patchwork-id: 93508 O-Subject: [RHEL-AV-8.2 qemu-kvm PATCH 053/112] virtiofsd: move to an empty network namespace Bugzilla: 1694164 RH-Acked-by: Philippe Mathieu-Daudé RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Sergio Lopez Pascual From: Stefan Hajnoczi If the process is compromised there should be no network access. Use an empty network namespace to sandbox networking. Signed-off-by: Stefan Hajnoczi Reviewed-by: Daniel P. Berrangé Signed-off-by: Dr. David Alan Gilbert (cherry picked from commit d74830d12ae233186ff74ddf64c552d26bb39e50) Signed-off-by: Miroslav Rezanina --- tools/virtiofsd/passthrough_ll.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c index 0570453..27ab328 100644 --- a/tools/virtiofsd/passthrough_ll.c +++ b/tools/virtiofsd/passthrough_ll.c @@ -1944,6 +1944,19 @@ static void print_capabilities(void) printf("}\n"); } +/* + * Called after our UNIX domain sockets have been created, now we can move to + * an empty network namespace to prevent TCP/IP and other network activity in + * case this process is compromised. + */ +static void setup_net_namespace(void) +{ + if (unshare(CLONE_NEWNET) != 0) { + fuse_log(FUSE_LOG_ERR, "unshare(CLONE_NEWNET): %m\n"); + exit(1); + } +} + /* This magic is based on lxc's lxc_pivot_root() */ static void setup_pivot_root(const char *source) { @@ -2035,6 +2048,7 @@ static void setup_mount_namespace(const char *source) */ static void setup_sandbox(struct lo_data *lo) { + setup_net_namespace(); setup_mount_namespace(lo->source); } -- 1.8.3.1