| author | Stefan Hajnoczi | 2019-10-16 18:01:57 +0200 |
|---|---|---|
| committer | Dr. David Alan Gilbert | 2020-01-23 17:41:37 +0100 |
| commit | 8e1d4ef231d8327be219f7aea7aa15d181375bbc (patch) | |
| tree | 3361c5f2094568140579a7941fccbd78468edaf0 /linux-user/socket.h | |
| parent | virtiofsd: move to an empty network namespace (diff) | |

virtiofsd: move to a new pid namespace

virtiofsd needs access to /proc/self/fd. Let's move to a new pid
namespace so that a compromised process cannot see other
processes running on the system.

One wrinkle in this approach: unshare(CLONE_NEWPID) affects *child*
processes and not the current process. Therefore we need to fork the
pid 1 process that will actually run virtiofsd and leave a parent in
waitpid(2). This is not the same thing as daemonization and parent
processes should not notice a difference.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

Diffstat (limited to 'linux-user/socket.h')
0 files changed, 0 insertions, 0 deletions
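
The fork-after-unshare pattern the commit message describes, as an added example that is not the virtiofsd code from this commit: it shows that the caller keeps its pid after unshare(CLONE_NEWPID) and only the forked child becomes pid 1. The function names, the outer fork that keeps the demo from changing the caller's namespace, and the CLONE_NEWUSER fallback for unprivileged runs are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Wait for pid (retrying on EINTR); return its exit code, or 201 on error. */
static int wait_exit_code(pid_t pid)
{
    int status;
    while (waitpid(pid, &status, 0) == -1)
        if (errno != EINTR) return 201;
    return WIFEXITED(status) ? WEXITSTATUS(status) : 201;
}

/* Helper body: unshare, fork the pid 1 process, then sit in waitpid(2).
 * Exit code: 0 = child was pid 1, 200/201 = check failed, else errno. */
static int helper(void)
{
    pid_t self = getpid();
    /* Demo-only fallback (assumption): without CAP_SYS_ADMIN, retry with a
     * user namespace as well, which grants the capability inside it. */
    if (unshare(CLONE_NEWPID) == -1 &&
        (errno != EPERM || unshare(CLONE_NEWUSER | CLONE_NEWPID) == -1))
        return errno;
    if (getpid() != self) return 200;      /* the caller itself does not move */
    pid_t child = fork();                  /* first child enters the new ns */
    if (child == -1) return errno;
    if (child == 0) _exit(getpid() == 1 ? 0 : 200);
    return wait_exit_code(child);
}

/* 1: forked child saw itself as pid 1; 0: it did not;
 * -errno: the kernel refused to create the namespace (e.g. -EPERM). */
int child_is_pid1_after_unshare(void)
{
    pid_t h = fork();   /* outer fork keeps the demo out of the caller's ns */
    if (h == -1) return -errno;
    if (h == 0) _exit(helper());
    int rc = wait_exit_code(h);
    return rc == 0 ? 1 : (rc >= 200 ? 0 : -rc);
}

int main(void)
{
    printf("child_is_pid1_after_unshare() = %d\n", child_is_pid1_after_unshare());
    return 0;
}
```

A negative result means the environment (for example a container seccomp profile) does not permit creating namespaces; it does not indicate a failed check.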
