Container runtimes handle namespace setup and remove privileges needed by virtiofsd to perform sandboxing. Luckily the container environment already provides most of the sandbox that virtiofsd needs for security.
Introduce a new "virtiofsd -o chroot" option that uses chroot(2) instead of namespaces. This option allows virtiofsd to work inside a container. Please see the individual patches for details on the changes and security implications.

Given that people are starting to attempt running virtiofsd in containers I think this should go into QEMU 5.1.

Stefan Hajnoczi (3):
  virtiofsd: drop CAP_DAC_READ_SEARCH
  virtiofsd: add container-friendly -o chroot sandboxing option
  virtiofsd: probe unshare(CLONE_FS) and print an error

 tools/virtiofsd/fuse_virtio.c    | 13 +++++++++
 tools/virtiofsd/helper.c         |  3 +++
 tools/virtiofsd/passthrough_ll.c | 45 +++++++++++++++++++++++++++++---
 3 files changed, 58 insertions(+), 3 deletions(-)

-- 
2.26.2

_______________________________________________
Virtio-fs mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/virtio-fs
