path: root/os-posix.c
author: Daniel P. Berrangé <berrange@redhat.com> 2021-06-11 13:04:27 +0100
committer: Dr. David Alan Gilbert <dgilbert@redhat.com> 2021-07-05 10:51:26 +0100
commit: 3399bca4514b5c8d513a88fa3e472756468cb4c6 (patch)
tree: 4e62114eddcb80c531df054fbb208165aac11951 /os-posix.c
parent: d9a801f7e9fd18ce96a0bfff73b785f0a1f8e6a8 (diff)
docs: describe the security considerations with virtiofsd xattr mapping
Different guest xattr prefixes have distinct access control rules applied by the guest. When remapping a guest xattr, care must be taken that the remapping does not allow a guest user to bypass guest kernel access control rules. For example, if 'trusted.*', which requires CAP_SYS_ADMIN, is remapped to 'user.virtiofs.trusted.*', an unprivileged guest user which can write to 'user.*' can bypass the CAP_SYS_ADMIN control. Thus the target of any remapping must be explicitly blocked from reads/writes by the guest, to prevent access control bypass.

The examples shown in the virtiofsd man page already do the right thing and ensure safety, but the security implications of getting this wrong were not made explicit. This could lead to host admins and apps unwittingly creating insecure configurations.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20210611120427.49736-1-berrange@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
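The bypass the commit message describes, as an added model written for this page (not QEMU's or virtiofsd's code): the two rule kinds, the pass-through default for unmatched names, and the guest-side prefix checks are assumptions standing in for virtiofsd's real xattrmap handling, chosen only to show why the remapped target prefix must be blocked.

```python
# Reduced model of the remapping described above, written for this page; it is
# not virtiofsd's code, and the two rule kinds below are an assumed, simplified
# stand-in for its xattrmap syntax.
from dataclasses import dataclass

GUEST_USER_WRITABLE = ("user.",)    # any guest user may write these
GUEST_PRIVILEGED = ("trusted.",)    # guest kernel requires CAP_SYS_ADMIN


@dataclass
class Rule:
    kind: str           # "prefix" rewrites a name, "bad" denies guest access
    key: str            # guest-visible prefix the rule matches
    prepend: str = ""   # host-side prefix added by a "prefix" rule


def guest_to_host(rules, name):
    """Host xattr name for a guest request, or None when the guest is denied."""
    for r in rules:
        if name.startswith(r.key):
            return None if r.kind == "bad" else r.prepend + name
    return name  # model assumption: unmatched names pass through unchanged


def host_to_guest(rules, name):
    """Guest-visible name for a host xattr (reverse of the prefix rules)."""
    for r in rules:
        if r.kind == "prefix" and name.startswith(r.prepend + r.key):
            return name[len(r.prepend):]
    return name


def guest_sees_after_write(rules, xattr, has_cap_sys_admin=False):
    """Name the guest reads back after setting `xattr`, or None if refused."""
    if not has_cap_sys_admin and not xattr.startswith(GUEST_USER_WRITABLE):
        return None  # guest kernel access control rejects the setxattr
    host_name = guest_to_host(rules, xattr)
    return None if host_name is None else host_to_guest(rules, host_name)


def unprivileged_bypass(rules, xattr):
    """True if a guest user without CAP_SYS_ADMIN ends up with a trusted.* xattr."""
    seen = guest_sees_after_write(rules, xattr)
    return seen is not None and seen.startswith(GUEST_PRIVILEGED)


# Remap trusted.* to user.virtiofs.trusted.* but leave the target reachable.
INSECURE = [Rule("prefix", "trusted.", "user.virtiofs.")]
# Same remap, with the remapped target explicitly blocked for the guest.
SECURE = [Rule("bad", "user.virtiofs."), Rule("prefix", "trusted.", "user.virtiofs.")]
```

With INSECURE, an unprivileged write to 'user.virtiofs.trusted.foo' passes through to the host and reads back in the guest as 'trusted.foo'; with SECURE the same write is refused, while a CAP_SYS_ADMIN write to 'trusted.foo' still round-trips.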
Diffstat (limited to 'os-posix.c')
0 files changed, 0 insertions, 0 deletions