Libvirt will put the pid file of virtiofsd to per-domain directory. However, the ownership of the per-domain directory is the user to run the QEMU process and the user has the write permission of the directory. If VM escape occurs, the attacker can 1. write arbitrary content to the pid file (if running QEMU using root), then the attacker can kill any process by writing appropriate pid to the pid file; 2. spoof the pid file (if running QEMU using a regular user), then the virtiofsd process will never be cleared even if the VM is destroyed. So, move the pid file of virtiofsd from per-domain directory to stateDir just like the pid file of the domain. Signed-off-by: Peng Liang <liangpeng10@xxxxxxxxxx> --- src/qemu/qemu_virtiofs.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/qemu/qemu_virtiofs.c b/src/qemu/qemu_virtiofs.c index 08a8b4ed42a9..e617bb65fae0 100644 --- a/src/qemu/qemu_virtiofs.c +++ b/src/qemu/qemu_virtiofs.c @@ -44,11 +44,11 @@ qemuVirtioFSCreatePidFilename(virDomainObj *vm, const char *alias) { qemuDomainObjPrivate *priv = vm->privateData; - g_autofree char *name = NULL; + g_autofree char *domname = virDomainDefGetShortName(vm->def); + g_autofree char *name = g_strdup_printf("%s-%s-fs", domname, alias); + g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(priv->driver); - name = g_strdup_printf("%s-fs", alias); - - return virPidFileBuildPath(priv->libDir, name); + return virPidFileBuildPath(cfg->stateDir, name); } -- 2.31.1