> That is the case if the proxy helper code is perfectly written. I am trying
> to think about the scenario where there is a bug (eg heap corruption /
> stack overflow) which allows a malicious non-root QEMU process to exploit
> the proxy helper to run code that it was *not* intended to run.
>
> If the proxy helper is running root with all capabilities, then a bug in
> the proxy helper can easily turn into a full root exploit.
>
> If the proxy helper starts as root, chroots, and then immediately drops to
> a non-root user, keeping only the CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER
> and CAP_DAC_READ_SEARCH capabilities, then a bug in the proxy helper can
> only be used to access files within the designated 9pfs export. If the
> exported directory does not contain any important host system files, then
> it is unlikely it can be used to create a full root exploit.

Thanks Daniel, I will add 'capabilities' to the proxy helper. The CAP_FOWNER
capability is also needed.

I am working on the patches. I will post them in a few days.

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
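Since the quoted recommendation is a concrete privilege-drop sequence, here is an added worked example in C showing it on Linux. This is written for this page and is not code from QEMU's virtfs-proxy-helper or from libvirt. It chroots into the export, drops to an unprivileged uid/gid, and keeps only CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER and CAP_DAC_READ_SEARCH. The function names drop_to_export, proxy_keep_caps_mask and effective_caps_are_exact are my own; it uses the raw capset(2)/capget(2) syscalls instead of libcap so it builds with no extra libraries, and the export directory, uid and gid are command-line arguments you choose.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* The four capabilities named in the thread: chown files, bypass DAC
 * read/write/exec checks, bypass owner checks (chmod/utimes/xattrs),
 * and bypass directory search checks. Nothing else survives the drop. */
static const int keep_caps[] = {
    CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_DAC_READ_SEARCH,
};

/* Bitmask of the retained capabilities. All four are numbered below 32,
 * so the low 32-bit word of the capability data is enough. */
uint32_t proxy_keep_caps_mask(void)
{
    uint32_t mask = 0;
    for (size_t i = 0; i < sizeof keep_caps / sizeof keep_caps[0]; i++)
        mask |= 1u << keep_caps[i];
    return mask;
}

/* Go from root to uid/gid confined to export_root, keeping only the
 * capabilities above in the permitted and effective sets.
 * Returns 0 on success, -1 with errno set on failure. Must start as root. */
int drop_to_export(const char *export_root, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {      /* "dropping" to root is not a drop */
        errno = EINVAL;
        return -1;
    }
    /* 1. Confine the filesystem view while still root. chdir("/") after
     *    chroot() is what prevents the classic chroot escape via a cwd
     *    left outside the new root. */
    if (chroot(export_root) < 0 || chdir("/") < 0)
        return -1;

    /* 2. Ask the kernel to retain the permitted set across setuid(). */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0)
        return -1;

    /* 3. Shed supplementary groups, then gid, then uid; these need
     *    CAP_SETGID/CAP_SETUID, which we still hold at this point. */
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;

    /* 4. setuid() cleared the effective set but (thanks to KEEPCAPS) left
     *    permitted intact; capset() now shrinks both to exactly our four. */
    struct __user_cap_header_struct hdr = {
        .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0,
    };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    data[0].permitted = data[0].effective = proxy_keep_caps_mask();
    data[0].inheritable = 0;
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -1;

    /* 5. Clear KEEPCAPS so no later uid change can keep capabilities. */
    prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
    return 0;
}

/* Self-check after the drop: 1 if the effective set is exactly the four
 * retained capabilities and nothing else, 0 otherwise (or on error). */
int effective_caps_are_exact(void)
{
    struct __user_cap_header_struct hdr = {
        .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0,
    };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) < 0)
        return 0;
    return data[0].effective == proxy_keep_caps_mask() &&
           data[1].effective == 0;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <export-dir> <uid> <gid>\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    if (drop_to_export(argv[1], uid, gid) < 0) {
        perror("drop_to_export");
        return 1;
    }
    printf("now uid %u inside %s; effective caps exact: %s\n",
           (unsigned)getuid(), argv[1],
           effective_caps_are_exact() ? "yes" : "no");
    return 0;
}
```

Run it as root with a scratch directory and an unprivileged uid/gid (for example a dedicated 9pfs service account). Once drop_to_export returns, a memory-corruption bug in whatever code runs afterwards can reach only files under the export, and only with the four listed capabilities, which is the containment the quoted text describes. The remaining caveat is the one already made above: CAP_FOWNER and CAP_DAC_OVERRIDE still allow rewriting any file inside the export, so the export must not hold files the host itself depends on.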