On Thu, 23 Feb 2017 16:05:02 +0100 Jann Horn <ja...@google.com> wrote:
> On Thu, Feb 23, 2017 at 4:02 PM, Eric Blake <ebl...@redhat.com> wrote:
> > On 02/20/2017 08:40 AM, Greg Kurz wrote:
> >> All operations dealing with extended attributes are vulnerable to symlink
> >> attacks because they use path-based syscalls which can traverse symbolic
> >> links while walking through the dirname part of the path.
> >>
> >> The solution is to introduce helpers based on opendir_nofollow(). This
> >> calls for "at" versions of the extended attribute syscalls, which don't
> >> exist unfortunately. This patch implements them by simulating the "at"
> >> behavior with fchdir(). Since the current working directory is process
> >> wide, and we don't want to confuse another thread in QEMU, all the work
> >> is done in a separate process.
> >
> > Can you emulate *at using /proc/fd/nnn/xyz?
>
> I don't know much about QEMU internals, but QEMU supports running in a
> chroot using the -chroot option, right? Does that already require procfs to be
> mounted inside the chroot?

Calling chroot() requires CAP_SYS_CHROOT and QEMU shouldn't rely on that to
provide a secure and isolated environment to run VMs.
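An added example, not code from the patch under discussion or from QEMU, of the two ideas in the quoted description: open each directory component with O_NOFOLLOW so a symlink planted in the dirname part is refused, then emulate the missing "*at" xattr call by fchdir()'ing in a forked child so the parent's process-wide cwd is never changed. The child ships its return value, errno and a small payload back over a pipe. All names (open_dir_nofollow, run_at, struct at_result, demo_checks) are mine; it is Linux-specific (lgetxattr), and the directory tree it builds under /tmp is constructed for the demo and removed afterwards.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Result shipped from the child back to the parent over a pipe. */
struct at_result {
    ssize_t ret;      /* return value of the wrapped path-based call */
    int err;          /* errno observed in the child (valid when ret < 0) */
    char buf[256];    /* small payload, e.g. an xattr value */
};

typedef void (*at_fn)(const char *name, const void *arg, struct at_result *out);

/* Open one directory component without following a symlink. A path-based
 * syscall walking the whole dirname would traverse the symlink silently. */
static int open_dir_nofollow(int dirfd, const char *name)
{
    return openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
}

/* Emulate a missing "*at" syscall: the child fchdir()s to the validated
 * directory and runs fn() on the final path component only. The parent's
 * cwd is untouched, so other threads are not confused. */
static int run_at(int dirfd, const char *name, at_fn fn, const void *arg,
                  struct at_result *out)
{
    int pfd[2];
    if (pipe(pfd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(pfd[0]); close(pfd[1]); return -1; }
    if (pid == 0) {
        struct at_result res = { .ret = -1, .err = 0 };
        close(pfd[0]);
        if (fchdir(dirfd) == 0) fn(name, arg, &res);
        else res.err = errno;
        ssize_t w = write(pfd[1], &res, sizeof res);   /* < PIPE_BUF: atomic */
        _exit(w == (ssize_t)sizeof res ? 0 : 1);
    }
    close(pfd[1]);
    ssize_t r = read(pfd[0], out, sizeof *out);
    close(pfd[0]);
    int status;
    waitpid(pid, &status, 0);
    if (r != (ssize_t)sizeof *out) { errno = EIO; return -1; }
    errno = out->err;
    return out->ret < 0 ? -1 : 0;
}

/* Wrapped calls: the xattr read the thread is about, and lstat for the demo. */
static void do_lgetxattr(const char *name, const void *attr, struct at_result *out)
{
    out->ret = lgetxattr(name, (const char *)attr, out->buf, sizeof out->buf);
    out->err = errno;
}

static void do_lstat_type(const char *name, const void *unused, struct at_result *out)
{
    struct stat st;
    (void)unused;
    out->ret = lstat(name, &st) == 0 ? (ssize_t)(st.st_mode & S_IFMT) : -1;
    out->err = errno;
}

/* Constructed tree in a temp dir: sub/ (real dir), f (file), l -> f,
 * ldir -> sub. Returns a bitmask of passed checks; 0xF means all passed. */
static int demo_checks(void)
{
    char tmpl[] = "/tmp/xattr_at_demo.XXXXXX";
    char *root = mkdtemp(tmpl);
    if (!root) return 0;
    int dirfd = open(root, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) return 0;
    mkdirat(dirfd, "sub", 0700);
    close(openat(dirfd, "f", O_WRONLY | O_CREAT, 0600));
    symlinkat("f", dirfd, "l");
    symlinkat("sub", dirfd, "ldir");

    int passed = 0, fd;
    struct at_result res;
    /* the real directory opens; the symlinked component is refused */
    if ((fd = open_dir_nofollow(dirfd, "sub")) >= 0) { passed |= 1; close(fd); }
    if (open_dir_nofollow(dirfd, "ldir") < 0) passed |= 2;
    /* the child only ever names the final component, relative to dirfd */
    if (run_at(dirfd, "f", do_lstat_type, NULL, &res) == 0 && res.ret == S_IFREG) passed |= 4;
    if (run_at(dirfd, "l", do_lstat_type, NULL, &res) == 0 && res.ret == S_IFLNK) passed |= 8;

    unlinkat(dirfd, "l", 0); unlinkat(dirfd, "ldir", 0); unlinkat(dirfd, "f", 0);
    unlinkat(dirfd, "sub", AT_REMOVEDIR);
    close(dirfd);
    rmdir(root);
    return passed;
}

int main(void)
{
    printf("checks passed: 0x%x (expected 0xf)\n", demo_checks());
    /* xattr read through the child; the filesystem may not support user.* */
    int cwd = open(".", O_RDONLY | O_DIRECTORY);
    struct at_result res;
    if (run_at(cwd, ".", do_lgetxattr, "user.demo", &res) == 0)
        printf("user.demo on cwd: %.*s\n", (int)res.ret, res.buf);
    else
        printf("lgetxattr(user.demo) on cwd: %s\n", strerror(errno));
    close(cwd);
    return 0;
}
```

The fork per call is the price of not having a real `*getxattrat`: the alternative raised in the thread, a `/proc/self/fd/N/name` path, needs procfs visible to the process, which is exactly the question asked above.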