On Wed, Jul 22, 2020 at 08:03:18PM +0100, Dr. David Alan Gilbert wrote: > * Stefan Hajnoczi (stefa...@redhat.com) wrote: > > + /* > > + * Make the shared directory the file system root so that FUSE_OPEN > > + * (lo_open()) cannot escape the shared directory by opening a symlink. > > + * > > + * It's still possible to escape the chroot via lo->proc_self_fd but > > that > > + * requires gaining control of the process first. > > + */ > > + if (chroot(lo->source) != 0) { > > + fuse_log(FUSE_LOG_ERR, "chroot(\"%s\"): %m\n", lo->source); > > + exit(1); > > + } > > I'm seeing suggestions that you should drop CAP_SYS_CHROOT after > chroot'ing to stop an old escape (where you create another jail inside > the jail and the kernel then lets you walk outside of the old one).
That's already the case: 1. setup_seccomp() blocks further chroot(2) calls. 2. setup_capabilities() drops CAP_SYS_CHROOT. Stefan
signature.asc
Description: PGP signature