On Tue, Feb 28, 2017 at 08:50:55PM +0100, Uwe Sauter wrote:
> Hi,
>
> I'd like to make you aware of a security flaw in virtfs [1] that was
> published about 2 weeks ago.
>
> Might be worthwhile to get this into the coming update if this applies to
> PVE.
>
> Regards,
>
> Uwe
>
>
> [1] https://bugs.chromium.org/p/project-zero/issues/detail?id=1035&can=6&q=
Thanks. We follow upstream's development pretty closely, and the multiple patch series attempting to fix this and related issues have been on our radar for a while ;)

Since it's not a feature that you can enable as a non-root user, and even then you need to manually add the required qemu command-line arguments yourself, I'd argue it is pretty much out of scope as far as regular security concerns from our side are concerned. Similarly, you are able to disable AppArmor and capability dropping for containers (by manually adding the right LXC options to the container configuration), but if you do, you should be aware of the consequences.

Still, it is probably a good idea to re-enable support for virtfs after the last round of symlink fixes is ready for cherry-picking / backporting, which should be soonish.

_______________________________________________
pve-user mailing list
pve-user@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user