| commit | 5baa3b8e95064c2434bd9e2f312edd5e9ae275dc | |
| author | Stefan Hajnoczi <stefanha@redhat.com> | |
| Tue, 12 Mar 2019 15:51:38 +0000 (12 15:51 +0000) | ||
| committer | Dr. David Alan Gilbert <dgilbert@redhat.com> | |
| Thu, 23 Jan 2020 16:41:36 +0000 (23 16:41 +0000) | ||
| tree | 4ee8509f3cbef95d26b0aea4c8d3131f8b28a09b | treesnapshot (tar.gz zip) |
| parent | 9f59d175e2ca96f0b87f534dba69ea547dd35945 | commitdiff |
virtiofsd: sandbox mount namespace
Use a mount namespace with the shared directory tree mounted at "/" and
no other mounts.
This prevents symlink escape attacks because symlink targets are
resolved only against the shared directory and cannot go outside it.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Peng Tao <tao.peng@linux.alibaba.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Use a mount namespace with the shared directory tree mounted at "/" and
no other mounts.
This prevents symlink escape attacks because symlink targets are
resolved only against the shared directory and cannot go outside it.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Peng Tao <tao.peng@linux.alibaba.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
| tools/virtiofsd/passthrough_ll.c | diffblobblamehistory |