If the process is compromised there should be no network access. Use an empty network namespace to sandbox networking.
Signed-off-by: Stefan Hajnoczi <stefa...@redhat.com> --- contrib/virtiofsd/passthrough_ll.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/contrib/virtiofsd/passthrough_ll.c b/contrib/virtiofsd/passthrough_ll.c index 84b60d85bd..c27ff7d800 100644 --- a/contrib/virtiofsd/passthrough_ll.c +++ b/contrib/virtiofsd/passthrough_ll.c @@ -2736,6 +2736,19 @@ static void setup_shared_versions(struct lo_data *lo) lo->version_table = addr; } +/* + * Called after our UNIX domain sockets have been created, now we can move to + * an empty network namespace to prevent TCP/IP and other network activity in + * case this process is compromised. + */ +static void setup_net_namespace(void) +{ + if (unshare(CLONE_NEWNET) != 0) { + fuse_log(FUSE_LOG_ERR, "unshare(CLONE_NEWNET): %m\n"); + exit(1); + } +} + /* This magic is based on lxc's lxc_pivot_root() */ static void setup_pivot_root(const char *source) { @@ -2818,6 +2831,7 @@ static void setup_mount_namespace(const char *source) */ static void setup_sandbox(struct lo_data *lo, bool enable_syslog) { + setup_net_namespace(); setup_mount_namespace(lo->source); setup_seccomp(enable_syslog); } -- 2.21.0