path: root/tools/virtiofsd
author: Daniel P. Berrangé <berrange@redhat.com> 2021-06-11 13:04:27 +0100
committer: Dr. David Alan Gilbert <dgilbert@redhat.com> 2021-07-05 10:51:26 +0100
commit: 3399bca4514b5c8d513a88fa3e472756468cb4c6
tree: 4e62114eddcb80c531df054fbb208165aac11951 /tools/virtiofsd
parent: d9a801f7e9fd18ce96a0bfff73b785f0a1f8e6a8
docs: describe the security considerations with virtiofsd xattr mapping
Different guest xattr prefixes have distinct access control rules applied by the guest. When remapping a guest xattr care must be taken that the remapping does not allow a guest user to bypass guest kernel access control rules. For example if 'trusted.*' which requires CAP_SYS_ADMIN is remapped to 'user.virtiofs.trusted.*', an unprivileged guest user which can write to 'user.*' can bypass the CAP_SYS_ADMIN control. Thus the target of any remapping must be explicitly blocked from read/writes by the guest, to prevent access control bypass.

The examples shown in the virtiofsd man page already do the right thing and ensure safety, but the security implications of getting this wrong were not made explicit. This could lead to host admins and apps unwittingly creating insecure configurations.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20210611120427.49736-1-berrange@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Diffstat (limited to 'tools/virtiofsd')
0 files changed, 0 insertions, 0 deletions