On Fri, 1 May 2020 at 20:16, Dr. David Alan Gilbert (git) <dgilb...@redhat.com> wrote: > > From: "Dr. David Alan Gilbert" <dgilb...@redhat.com> > > The following changes since commit 1c47613588ccff44422d4bdeea0dc36a0a308ec7: > > Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging > (2020-04-30 19:25:41 +0100) > > are available in the Git repository at: > > https://gitlab.com/dagrh/qemu.git tags/pull-virtiofs-20200501 > > for you to fetch changes up to 66502bbca37ca7a3bfa57e82cfc03b89a7a11eae: > > virtiofsd: drop all capabilities in the wait parent process (2020-05-01 > 20:05:37 +0100) > > ---------------------------------------------------------------- > virtiofsd: Pull 2020-05-01 (includes CVE fix) > > This set includes a security fix, other fixes and improvements. > > Security fix: > The security fix is for CVE-2020-10717 where, on low RAM hosts, > the guest can potentially exceed the maximum fd limit. > This fix adds some more configuration so that the user > can explicitly set the limit. > Thank you to Yuval Avrahami for reporting this. > > Fixes: > > Recursive mounting of the exported directory is now used in > the sandbox, such that if there was a mount underneath present at > the time the virtiofsd was started, that mount is also > visible to the guest; in the existing code, only mounts that > happened after startup were visible. > > Security improvements: > > The jailing for /proc/self/fd is improved - but it's something > that shouldn't be accessible anyway. > > Most capabilities are now dropped at startup; again this shouldn't > change any behaviour but is extra protection. > > ----------------------------------------------------------------
Applied, thanks. Please update the changelog at https://wiki.qemu.org/ChangeLog/5.1 for any user-visible changes. I notice you didn't include the usual Cc: qemu-sta...@nongnu.org lines in the commits to be backported, but I think the stable branch maintainers can deal with the occasional manual notification. thanks -- PMM
