aboutsummaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorDr. David Alan Gilbert <dgilbert@redhat.com>2021-02-24 19:56:25 +0000
committerDr. David Alan Gilbert <dgilbert@redhat.com>2021-03-04 10:26:16 +0000
commite586edcb410543768ef009eaa22a2d9dd4a53846 (patch)
tree634df5a450305c9646de14a0fe22fc6b2760806a /docs
parentc40ae5a3ee387b13116948cbfe7824f03311db7e (diff)
downloadqemu-e586edcb410543768ef009eaa22a2d9dd4a53846.zip
qemu-e586edcb410543768ef009eaa22a2d9dd4a53846.tar.gz
qemu-e586edcb410543768ef009eaa22a2d9dd4a53846.tar.bz2
virtiofs: drop remapped security.capability xattr as needed
On Linux, the 'security.capability' xattr holds a set of capabilities that can change when an executable is run, giving a limited form of privilege escalation to those programs that the writer of the file deemed worthy. Any write causes the 'security.capability' xattr to be dropped, stopping anyone from gaining privilege by modifying a blessed file. Fuse relies on the daemon to do this dropping, and in turn the daemon relies on the host kernel to drop the xattr for it. However, with the addition of -o xattrmap, the xattr that the guest stores its capabilities in is now not the same as the one that the host kernel automatically clears. Where the mapping changes 'security.capability', explicitly clear the remapped name to preserve the same behaviour. This bug is assigned CVE-2021-20263. Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
Diffstat (limited to 'docs')
-rw-r--r--docs/tools/virtiofsd.rst4
1 files changed, 4 insertions, 0 deletions
diff --git a/docs/tools/virtiofsd.rst b/docs/tools/virtiofsd.rst
index 866b7db..00554c7 100644
--- a/docs/tools/virtiofsd.rst
+++ b/docs/tools/virtiofsd.rst
@@ -228,6 +228,10 @@ The 'map' type adds a number of separate rules to add **prepend** as a prefix
to the matched **key** (or all attributes if **key** is empty).
There may be at most one 'map' rule and it must be the last rule in the set.
+Note: When the 'security.capability' xattr is remapped, the daemon has to do
+extra work to remove it during many operations, which the host kernel normally
+does itself.
+
xattr-mapping Examples
----------------------