------- Comment From d.herrendoer...@de.ibm.com 2024-05-13 06:57 EDT-------
This bug is the result of the fix for:
CVE-2023-2861: Prohibit opening any special file directly on host

I also opened a bug in the qemu bugtracker:
https://gitlab.com/qemu-project/qemu/-/issues/2337

The containers fail because syslog cannot open its unix domain socket on the 
filesystem.
We tracked the change that provokes this error to a CVE change in qemu that 
forbids opening of special files to prevent exposing data from the host. 
Special files should be handled by the guest OS.
Unix domain socket files are also special files, and they are handled by the 
guest OS in their entirety, and the 9p server in qemu assigns them individual 
inodes so they are safe to open. But they must be opened so their fd can be 
passed to the appropriate connect() or bind() function so the OS can use them.
Socket files don't have a traditional read or write functionality, they are 
mere representatives for a local address.
There is no convention for where domain socket files should go, so there is no 
easy fix by just creating a tmpfs somewhere.
We also see other workloads and services failing for not being able to open 
their local socket files.

The analysis of CVE-2023-2861 in detail reveals
- opening of device files through the 9p server directly grants access to 
read/write functions of those device files. Also device files can be created 
in-place anywhere.
- opening of FIFOs is somewhat unsafe as long as there are possible collisions 
that could expose host data using read/write.
- opening of sockets is safe because the 9p server protects the revealed inode 
and provides no way to connect the file to a socket.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-2861

https://bugs.launchpad.net/bugs/2065579

Title:
  [UBUNTU 22.04] OS guest boot issues on 9p filesystem



-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
