git.proxmox.com Git - mirror

author	Daniel P. Berrangé <berrange@redhat.com>
	Fri, 11 Jun 2021 12:04:27 +0000 (13:04 +0100)
committer	Dr. David Alan Gilbert <dgilbert@redhat.com>
	Mon, 5 Jul 2021 09:51:26 +0000 (10:51 +0100)
commit	3399bca4514b5c8d513a88fa3e472756468cb4c6
tree	4e62114eddcb80c531df054fbb208165aac11951	tree
parent	d9a801f7e9fd18ce96a0bfff73b785f0a1f8e6a8	commit \| diff

docs: describe the security considerations with virtiofsd xattr mapping

Different guest xattr prefixes have distinct access control rules applied
by the guest. When remapping a guest xattr care must be taken that the
remapping does not allow the a guest user to bypass guest kernel access
control rules.

For example if 'trusted.*' which requires CAP_SYS_ADMIN is remapped
to 'user.virtiofs.trusted.*', an unprivileged guest user which can
write to 'user.*' can bypass the CAP_SYS_ADMIN control. Thus the
target of any remapping must be explicitly blocked from read/writes
by the guest, to prevent access control bypass.

The examples shown in the virtiofsd man page already do the right
thing and ensure safety, but the security implications of getting
this wrong were not made explicit. This could lead to host admins
and apps unwittingly creating insecure configurations.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20210611120427.49736-1-berrange@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>