Hello,
* Recently I realised that the virtiofsd(1) process does not drop its 'root'
privileges while sharing a host directory tree with a guest VM.
Libvirtd(8) generally starts a guest VM with non-root system user (ex. qemu)
privileges. If virtiofsd(1) has 'root' privileges, that makes it an
accomplice in a potential guest-to-host privilege escalation scenario, which
is not good.
* IMHO, ideally virtiofsd(1) should not run with 'root' privileges at all.
* But if it has to, then at least all default configuration settings must be
as strict and restrictive as possible. Ex. by default, offer only read
access to the guest VM.
* Another option is for the root virtiofsd(1) process to fork a sub-process
which will run with non-root (ex. qemu) system user privileges.
- All file I/O operations for sharing a host directory with a guest are
performed by the sub-process with non-root system user privileges.
- The sub-process shall talk to the parent virtiofsd(1) process only when a
privileged operation/assistance is required.
Ex.
https://www.nginx.com/blog/inside-nginx-how-we-designed-for-performance-scale/
...wdyt?
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
_______________________________________________
Virtio-fs mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/virtio-fs
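An added, self-contained sketch of the fork-and-drop-privileges layout proposed in the mail above (illustrative code written for this page, not virtiofsd or libvirt code): the root parent acts as a broker that holds the shared directory fd and honours only read-only, non-escaping open requests; the forked child drops to an unprivileged uid/gid before touching any data and asks the parent for file descriptors over a SOCK_SEQPACKET socketpair, which carries them back as SCM_RIGHTS ancillary data. The request format, the policy, uid/gid 65534 as the unprivileged identity and the /tmp fixture file are all assumptions made for the demo; it is Linux-specific and also runs unprivileged (then there is simply nothing to drop).

```c
/* Added demo (not virtiofsd or libvirt code) of the mail's fork-and-drop-privileges model. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

struct privreq { int flags; char path[256]; };   /* hypothetical request: "open this path with flags" */
union fdcmsg { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; };

/* Broker policy (an assumption, not from the thread): only read-only opens of relative paths, and any
 * path containing ".." is refused outright (deliberately over-conservative): "read access by default". */
static int policy_allows(int flags, const char *path)
{
    if (!path[0] || path[0] == '/' || strstr(path, "..")) return 0;
    return (flags & O_ACCMODE) == O_RDONLY && !(flags & (O_CREAT | O_TRUNC));
}

/* Root broker (parent). Each reply is an int status (0 or -errno); on success the open fd travels with
 * it as SCM_RIGHTS ancillary data. Serves until the worker closes its end of the socket. */
static int serve_privileged(int sock, const char *shared_root)
{
    struct privreq req;
    int root = open(shared_root, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (root < 0) return -1;
    while (read(sock, &req, sizeof req) == (ssize_t)sizeof req) {   /* SEQPACKET keeps record boundaries */
        int fd = -1, status = -EACCES;
        struct iovec iov = { &status, sizeof status };
        union fdcmsg u = { .buf = { 0 } };
        struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
        req.path[sizeof req.path - 1] = '\0';
        if (policy_allows(req.flags, req.path)) {
            /* Mask, never pass through, the worker's flags. O_NOFOLLOW guards only the last
             * component; real code should use openat2(2) with RESOLVE_BENEATH instead. */
            fd = openat(root, req.path, (req.flags & O_ACCMODE) | O_NOFOLLOW | O_CLOEXEC);
            status = fd < 0 ? -errno : 0;
        }
        if (fd >= 0) {
            msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
            struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
            c->cmsg_len = CMSG_LEN(sizeof fd); c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
            memcpy(CMSG_DATA(c), &fd, sizeof fd);
        }
        ssize_t sent = sendmsg(sock, &msg, 0);
        if (fd >= 0) close(fd);                   /* the worker now holds its own reference */
        if (sent != (ssize_t)sizeof status) break;
    }
    close(root);
    return 0;
}

/* Unprivileged worker (child): never opens host files itself, it asks the broker for an fd. */
static int worker_open(int sock, const char *path, int flags)
{
    struct privreq req = { .flags = flags };
    int status = -EIO, fd = -1;
    struct iovec iov = { &status, sizeof status };
    union fdcmsg u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (strlen(path) >= sizeof req.path) { errno = ENAMETOOLONG; return -1; }
    strcpy(req.path, path);
    if (write(sock, &req, sizeof req) != (ssize_t)sizeof req) return -1;
    if (recvmsg(sock, &msg, MSG_CMSG_CLOEXEC) != (ssize_t)sizeof status) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c && c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS) memcpy(&fd, CMSG_DATA(c), sizeof fd);
    if (status < 0) { errno = -status; return -1; }
    return fd;
}
/* Drop root irreversibly (groups, then gid, then uid) and verify that it cannot be regained. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0) return 0;                 /* nothing to drop when started unprivileged */
    return (uid == 0 || setgroups(0, NULL) || setgid(gid) || setuid(uid) || setuid(0) == 0) ? -1 : 0;
}
/* Whole exchange; returns the worker's exit code: 0 = read matched `expected`, 2 = broker refused
 * (EACCES), 3 = content mismatch, 1 = any other failure. */
static int run_demo(const char *shared_root, const char *relpath, int flags, const char *expected)
{
    int sv[2], status, fd; char buf[256]; ssize_t n; pid_t pid;
    if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) != 0 || (pid = fork()) < 0) return 1;
    if (pid == 0) {                               /* worker child; 65534 = nobody/nogroup (assumption) */
        close(sv[0]);
        if (drop_privileges(65534, 65534) != 0) _exit(1);
        if ((fd = worker_open(sv[1], relpath, flags)) < 0) _exit(errno == EACCES ? 2 : 1);
        if ((n = read(fd, buf, sizeof buf - 1)) < 0) _exit(1);
        buf[n] = '\0'; _exit(strcmp(buf, expected) ? 3 : 0);
    }
    close(sv[1]); serve_privileged(sv[0], shared_root); close(sv[0]);   /* root broker (parent) */
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return 1;
    return WEXITSTATUS(status);
}
/* Constructed fixture (assumption): a temporary share holding one file, data.txt = "hello, guest\n". */
static const char *fixture_dir(void)
{
    static char dir[] = "/tmp/privsepXXXXXX", path[64];
    if (path[0]) return dir;
    if (!mkdtemp(dir)) return NULL;
    int fd = open(strcat(strcpy(path, dir), "/data.txt"), O_WRONLY | O_CREAT | O_TRUNC, 0644);
    return fd >= 0 && write(fd, "hello, guest\n", 13) == 13 && close(fd) == 0 ? dir : NULL;
}
```

Two design points worth noting: the parent masks the worker's flags down to the access mode instead of passing them through, so a compromised worker gains nothing even if the policy check were to regress; and openat(2) with O_NOFOLLOW only refuses a symlink as the final path component, so a real broker should resolve with openat2(2) and RESOLVE_BENEATH to keep symlinks inside the share from escaping it. With run_demo() the success path proves the whole chain at once: the request passed policy, the fd crossed the socket, and the unprivileged child read the file's contents without ever opening it itself.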