From: Vivek Goyal <vgoyal@redhat.com>
To: qemu-devel@nongnu.org
Cc: berrange@redhat.com, vromanso@redhat.com, dwalsh@redhat.com,
dgilbert@redhat.com, virtio-fs@redhat.com, stefanha@redhat.com,
vgoyal@redhat.com
Subject: [PATCH v2 3/5] virtiofsd: open /proc/self/fd/ in sandbox=NONE mode
Date: Thu, 30 Jul 2020 15:47:34 -0400 [thread overview]
Message-ID: <20200730194736.173994-4-vgoyal@redhat.com> (raw)
In-Reply-To: <20200730194736.173994-1-vgoyal@redhat.com>
We need /proc/self/fd descriptor even in sandbox=NONE mode.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
---
tools/virtiofsd/passthrough_ll.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index cd91c4a831..76ef891105 100644
--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
@@ -2969,6 +2969,15 @@ static void setup_capabilities(char *modcaps_in)
pthread_mutex_unlock(&cap.mutex);
}
+static void setup_none(struct lo_data *lo)
+{
+ lo->proc_self_fd = open("/proc/self/fd", O_PATH);
+ if (lo->proc_self_fd == -1) {
+ fuse_log(FUSE_LOG_ERR, "open(\"/proc/self/fd\", O_PATH): %m\n");
+ exit(1);
+ }
+}
+
/*
* Use chroot as a weaker sandbox for environments where the process is
* launched without CAP_SYS_ADMIN.
@@ -3014,8 +3023,10 @@ static void setup_sandbox(struct lo_data *lo, struct fuse_session *se,
if (lo->sandbox == SANDBOX_NAMESPACE) {
setup_namespaces(lo, se);
setup_mounts(lo->source);
- } else {
+ } else if (lo->sandbox == SANDBOX_CHROOT) {
setup_chroot(lo);
+ } else {
+ setup_none(lo);
}
setup_seccomp(enable_syslog);
--
2.25.4
next prev parent reply other threads:[~2020-07-30 19:48 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-30 19:47 [PATCH v2 0/5] virtiofsd: Add a unprivileged passthrough mode Vivek Goyal
2020-07-30 19:47 ` [PATCH v2 1/5] virtiofsd: Add notion of unprivileged mode Vivek Goyal
2020-08-07 16:33 ` Dr. David Alan Gilbert
2020-07-30 19:47 ` [PATCH v2 2/5] virtiofsd: create lock/pid file in per user cache dir Vivek Goyal
2020-08-07 17:34 ` Dr. David Alan Gilbert
2020-07-30 19:47 ` Vivek Goyal [this message]
2020-08-07 17:42 ` [PATCH v2 3/5] virtiofsd: open /proc/self/fd/ in sandbox=NONE mode Dr. David Alan Gilbert
2020-07-30 19:47 ` [PATCH v2 4/5] virtiofsd: Open lo->source while setting up root " Vivek Goyal
2020-08-03 9:54 ` Stefan Hajnoczi
2020-08-03 13:57 ` Vivek Goyal
2020-08-04 10:36 ` Stefan Hajnoczi
2020-07-30 19:47 ` [PATCH v2 5/5] virtiofsd: Skip setup_capabilities() " Vivek Goyal
2020-08-07 17:58 ` Dr. David Alan Gilbert
2020-08-03 9:45 ` [PATCH v2 0/5] virtiofsd: Add a unprivileged passthrough mode Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200730194736.173994-4-vgoyal@redhat.com \
--to=vgoyal@redhat.com \
--cc=berrange@redhat.com \
--cc=dgilbert@redhat.com \
--cc=dwalsh@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
--cc=virtio-fs@redhat.com \
--cc=vromanso@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).