| commit | e586edcb410543768ef009eaa22a2d9dd4a53846 | |
| author | Dr. David Alan Gilbert <dgilbert@redhat.com> | |
| Wed, 24 Feb 2021 19:56:25 +0000 (24 19:56 +0000) | ||
| committer | Dr. David Alan Gilbert <dgilbert@redhat.com> | |
| Thu, 4 Mar 2021 10:26:16 +0000 (4 10:26 +0000) | ||
| tree | 634df5a450305c9646de14a0fe22fc6b2760806a | treesnapshot (tar.gz zip) |
| parent | c40ae5a3ee387b13116948cbfe7824f03311db7e | commitdiff |
virtiofs: drop remapped security.capability xattr as needed
On Linux, the 'security.capability' xattr holds a set of
capabilities that can change when an executable is run, giving
a limited form of privilege escalation to those programs that
the writer of the file deemed worthy.
Any write causes the 'security.capability' xattr to be dropped,
stopping anyone from gaining privilege by modifying a blessed
file.
Fuse relies on the daemon to do this dropping, and in turn the
daemon relies on the host kernel to drop the xattr for it. However,
with the addition of -o xattrmap, the xattr that the guest
stores its capabilities in is now not the same as the one that
the host kernel automatically clears.
Where the mapping changes 'security.capability', explicitly clear
the remapped name to preserve the same behaviour.
This bug is assigned CVE-2021-20263.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
On Linux, the 'security.capability' xattr holds a set of
capabilities that can change when an executable is run, giving
a limited form of privilege escalation to those programs that
the writer of the file deemed worthy.
Any write causes the 'security.capability' xattr to be dropped,
stopping anyone from gaining privilege by modifying a blessed
file.
Fuse relies on the daemon to do this dropping, and in turn the
daemon relies on the host kernel to drop the xattr for it. However,
with the addition of -o xattrmap, the xattr that the guest
stores its capabilities in is now not the same as the one that
the host kernel automatically clears.
Where the mapping changes 'security.capability', explicitly clear
the remapped name to preserve the same behaviour.
This bug is assigned CVE-2021-20263.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
| docs/tools/virtiofsd.rst | diffblobblamehistory | |
| tools/virtiofsd/passthrough_ll.c | diffblobblamehistory |