virtiofsd: sandbox mount namespace - bwlp/qemu.git - Experimental fork of QEMU with video encoding patches

diff options

author	Stefan Hajnoczi	2019-03-12 16:51:38 +0100
committer	Dr. David Alan Gilbert	2020-01-23 17:41:36 +0100
commit	5baa3b8e95064c2434bd9e2f312edd5e9ae275dc (patch)
tree	4ee8509f3cbef95d26b0aea4c8d3131f8b28a09b /linux-user/linuxload.c
parent	virtiofsd: use /proc/self/fd/ O_PATH file descriptor (diff)
download	qemu-5baa3b8e95064c2434bd9e2f312edd5e9ae275dc.tar.gz qemu-5baa3b8e95064c2434bd9e2f312edd5e9ae275dc.tar.xz qemu-5baa3b8e95064c2434bd9e2f312edd5e9ae275dc.zip

virtiofsd: sandbox mount namespace

Use a mount namespace with the shared directory tree mounted at "/" and no other mounts. This prevents symlink escape attacks because symlink targets are resolved only against the shared directory and cannot go outside it. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Peng Tao <tao.peng@linux.alibaba.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

Diffstat (limited to 'linux-user/linuxload.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: