[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH 0/6] Pygrub security enhancements and bugfixes



A few extra bugfixes and security enhancements for pygrub.

The biggest security enhacement is the removal of filesystem permissions
from the depriv thread of pygrub. This is possible on newer versions of
e2fsprogs, as it has an interface to consume file descriptors rather than
file paths.

Bug fixes
=========

Patch 1: Properly confines the mount namespace in Linux systems and
         corrects an incorrect statement about older Linux kernels being
         buggy with them. With this patch, mounts done inside the namespace
         disappear altogether after the last process is killed.
Patch 2: Fixes a bug preventing setting the LIMIT_FSIZE override

Security enhancements
=====================

Patch 3: Limits the amount of memory pygrub can chew
Patch 4: Tweaks libfsimage to support a new interface ( fdopen() ) which
         allows passing file descriptors rather than paths
Patch 5: Modifies the python bindings to grant access to the new interface
Patch 6: Modifies pygrub to open every required file before depriv.

Alejandro Vallejo (6):
  tools/pygrub: Set mount propagation to private recursively
  tools/pygrub: Fix bug in LIMIT_FSIZE env variable override
  tools/pygrub: Restrict depriv operation with RLIMIT_AS
  tools/libfsimage: Add an fdopen() interface to libfsimage
  tools/pygrub: Expose libfsimage's fdopen() to python
  tools/pygrub: Hook libfsimage's fdopen() to pygrub

 docs/man/xl.cfg.5.pod.in                    |   6 +-
 tools/libfsimage/common/fsimage.c           |  42 ++++++--
 tools/libfsimage/common/fsimage_grub.c      |   2 +-
 tools/libfsimage/common/fsimage_plugin.c    |   4 +-
 tools/libfsimage/common/fsimage_priv.h      |   3 +-
 tools/libfsimage/common/mapfile-GNU         |   2 +
 tools/libfsimage/common/mapfile-SunOS       |   2 +
 tools/libfsimage/common/xenfsimage.h        |   3 +
 tools/libfsimage/common/xenfsimage_plugin.h |   2 +-
 tools/libfsimage/ext2fs-lib/ext2fs-lib.c    |  14 ++-
 tools/pygrub/src/ExtLinuxConf.py            |  20 ++--
 tools/pygrub/src/GrubConf.py                |  29 ++---
 tools/pygrub/src/LiloConf.py                |  20 ++--
 tools/pygrub/src/fsimage/fsimage.c          |  33 ++++++
 tools/pygrub/src/pygrub                     | 113 +++++++-------------
 15 files changed, 173 insertions(+), 122 deletions(-)

-- 
2.34.1




 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.