
[qemu-xen stable-4.14] virtiofsd: Whitelist fchmod



commit 0aad2a52555643126970b2cb1bef37e7a2d5d7ac
Author:     Max Reitz <mreitz@xxxxxxxxxx>
AuthorDate: Mon Jun 8 11:31:11 2020 +0200
Commit:     Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
CommitDate: Wed Sep 2 19:06:19 2020 -0500

    virtiofsd: Whitelist fchmod
    
    lo_setattr() invokes fchmod() in a rarely used code path, so it should
    be whitelisted or virtiofsd will crash with EBADSYS.
    
    Said code path can be triggered for example as follows:
    
    On the host, in the shared directory, create a file with the sticky bit
    set and a security.capability xattr:
    (1) # touch foo
    (2) # chmod u+s foo
    (3) # setcap '' foo
    
    Then in the guest let some process truncate that file after it has
    dropped all of its capabilities (at least CAP_FSETID):
    
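    #include <cap-ng.h>   /* libcap-ng; link with -lcap-ng */
    #include <fcntl.h>    /* open(), O_RDWR */
    #include <unistd.h>   /* getpid(), ftruncate() */
    
    int main(int argc, char *argv[])
    {
        /* Operate on this process's own capability sets. */
        capng_setpid(getpid());
        capng_clear(CAPNG_SELECT_BOTH);
        capng_updatev(CAPNG_ADD, CAPNG_PERMITTED | CAPNG_EFFECTIVE, 0);
        capng_apply(CAPNG_SELECT_BOTH);
    
        /* Truncate through an open file descriptor. */
        ftruncate(open(argv[1], O_RDWR), 0);
    }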
    
    This will cause the guest kernel to drop the sticky bit (i.e. perform a
    mode change) as part of the truncate (where FATTR_FH is set), and that
    will cause virtiofsd to invoke fchmod() instead of fchmodat().
    
    (A similar configuration exists further below with futimens() vs.
    utimensat(), but the former is not a syscall but just a wrapper for the
    latter, so no further whitelisting is required.)
    
    Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1842667
    Reported-by: Qian Cai <caiqian@xxxxxxxxxx>
    Cc: qemu-stable@xxxxxxxxxx
    Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
    Message-Id: <20200608093111.14942-1-mreitz@xxxxxxxxxx>
    Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
    Reviewed-by: Vivek Goyal <vgoyal@xxxxxxxxxx>
    Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
    (cherry picked from commit 63659fe74e76f5c5285466f0c5cfbdca65b3688e)
    Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
---
 tools/virtiofsd/seccomp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/virtiofsd/seccomp.c b/tools/virtiofsd/seccomp.c
index bd9e7b083c..3b1522acdd 100644
--- a/tools/virtiofsd/seccomp.c
+++ b/tools/virtiofsd/seccomp.c
@@ -42,6 +42,7 @@ static const int syscall_whitelist[] = {
     SCMP_SYS(exit_group),
     SCMP_SYS(fallocate),
     SCMP_SYS(fchdir),
+    SCMP_SYS(fchmod),
     SCMP_SYS(fchmodat),
     SCMP_SYS(fchownat),
     SCMP_SYS(fcntl),
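Review bot: The added `SCMP_SYS(fchmod),` line has no comment tying it to its only caller, so a later audit of `syscall_whitelist[]` cannot tell that it exists solely for the FATTR_FH branch of lo_setattr() described in the commit message. A short comment on that entry would help, and since the message notes the sibling futimens() case only works because it is a wrapper around utimensat(), that libc dependency deserves a remark next to the utimensat entry as well. Because the path is rarely hit and a miss kills the daemon, the truncate reproducer from the commit message would also be worth keeping as a regression test.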
--
generated by git-patchbot for /home/xen/git/qemu-xen.git#stable-4.14



 

