We are still awaiting a CVE number to be assigned, but Reco reported in Debian bug #732394 that a malicious guest could cause virDomainShutdown and virDomainReboot to cause the host to misbehave, if the host blindly follows symlinks in its own mount namespace instead of the guest's namespace. I have not yet tried to patch the bugs in virDomainDeviceAttach dereferencing /dev from the wrong namespace, which also suffers from the same vulnerability, but virProcessRunInMountNamespace should also be usable in that situation.

While working on this series, I found several issues with virFork and virt-login-shell; since those are also related to correct namespace usage, I've bundled everything into one series; but the CVE is not fixed until patch 7/7 plus the future patch to /dev. I've done some pretty decent testing on the new virt-login-shell, but did not get as much testing on virDomainReboot. Since this series does address a CVE, and also regressions caused by our previous CVE fix in the same area of code (CVE-2013-4400 is unfortunately a poor example of shipping "fixes" without testing that the code still worked), I'd definitely appreciate a close review.

Patch 6/7 is interesting: it uses virFork to use the mount namespace without impacting the parent process. However, since setns() is thread-safe, I wonder if it would be simpler to instead use pthread_create to do the callback within the same process instead of having to create a separate process, as that would make for easier coordination for passing the results back to the remaining threads that have not changed namespace. Thankfully, I think we came up with a good abstraction - I'm fairly confident that 6/7 could be rewritten to use pthread_create without changing the function signatures, in which case patch 7/7 would not need any changes to pick up the changed backend.
Eric Blake (7):
  virt-login-shell: fix regressions in behavior
  virFork: simplify semantics
  virt-login-shell: use single instead of double fork
  virt-login-shell: saner exit value
  virsh: report exit status of failed lxc-enter-namespace
  lxc: add virProcessRunInMountNamespace
  lxc: security fix for virInitctlSetRunLevel

 src/internal.h             |   7 +++
 src/libvirt.c              |   2 +-
 src/libvirt_private.syms   |   1 +
 src/lxc/lxc_driver.c       |  38 ++++++------
 src/util/vircommand.c      | 128 +++++++++++++++----------------------
 src/util/vircommand.h      |   2 +-
 src/util/virfile.c         |  25 ++------
 src/util/virinitctl.c      |  28 ++++-----
 src/util/virinitctl.h      |   5 +-
 src/util/virprocess.c      |  81 ++++++++++++++++++++++--
 src/util/virprocess.h      |  11 ++++
 tools/virsh-domain.c       |  34 ++++++----
 tools/virsh.pod            |   3 +-
 tools/virt-login-shell.c   | 151 ++++++++++++++++++++------------------
 tools/virt-login-shell.pod |  23 ++++++-
 15 files changed, 299 insertions(+), 240 deletions(-)

-- 
1.8.4.2

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
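The fork-plus-setns() pattern that the cover letter describes for patch 6/7 (virProcessRunInMountNamespace), as an added stand-alone example that is not libvirt's code and not from this thread: a child process enters the mount namespace of a target pid, resolves a path there, and hands the result back over a pipe, so the parent never changes namespace and a symlink planted by the guest is followed relative to the guest's filesystem rather than the host's. The function and helper names (run_in_mount_namespace, resolve_cb, resolve_in_namespace, resolve_matches) and the pipe-based result passing are this example's own choices, not libvirt's API.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Callback type (hypothetical name): runs in a forked child that has entered the
 * target's mount namespace.  It may write a result to out_fd; returns 0 on success. */
typedef int (*ns_callback)(void *opaque, int out_fd);

/* Fork a child, setns() it into the mount namespace of `target`, run `cb` there,
 * and copy whatever the child writes into `buf` (NUL-terminated).  Returns 0 if
 * the callback ran and returned 0, -1 otherwise.  The parent never switches
 * namespace, so its other threads keep seeing the host's mounts.  When `target`
 * already shares our mount namespace (same nsfs inode) the setns() is skipped,
 * which also lets an unprivileged caller exercise the plumbing on itself. */
static int run_in_mount_namespace(pid_t target, ns_callback cb, void *opaque,
                                  char *buf, size_t buflen)
{
    char nspath[64];
    struct stat mine, theirs;
    int nsfd, pfd[2], status, need_setns = 1;
    pid_t child;
    size_t n = 0;

    snprintf(nspath, sizeof nspath, "/proc/%ld/ns/mnt", (long)target);
    nsfd = open(nspath, O_RDONLY | O_CLOEXEC);
    if (nsfd < 0)
        return -1;
    if (fstat(nsfd, &theirs) == 0 && stat("/proc/self/ns/mnt", &mine) == 0 &&
        theirs.st_ino == mine.st_ino && theirs.st_dev == mine.st_dev)
        need_setns = 0;
    if (pipe(pfd) < 0) {
        close(nsfd);
        return -1;
    }
    child = fork();
    if (child < 0) {
        close(nsfd); close(pfd[0]); close(pfd[1]);
        return -1;
    }
    if (child == 0) {
        /* Child: enter the namespace, run the callback, report via exit status. */
        close(pfd[0]);
        if (need_setns && setns(nsfd, CLONE_NEWNS) < 0)
            _exit(2);
        close(nsfd);
        _exit(cb(opaque, pfd[1]) == 0 ? 0 : 1);
    }
    /* Parent: collect the child's output, then its exit status. */
    close(pfd[1]);
    close(nsfd);
    while (n + 1 < buflen) {
        ssize_t r = read(pfd[0], buf + n, buflen - 1 - n);
        if (r < 0 && errno == EINTR)
            continue;
        if (r <= 0)
            break;
        n += (size_t)r;
    }
    buf[n] = '\0';
    close(pfd[0]);
    if (waitpid(child, &status, 0) != child)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Callback: canonicalise `opaque` (a path), following symlinks as the target
 * namespace sees them, and send the result to the parent over the pipe. */
static int resolve_cb(void *opaque, int out_fd)
{
    char real[PATH_MAX];
    size_t len, off = 0;
    if (!realpath((const char *)opaque, real))
        return -1;
    len = strlen(real);
    while (off < len) {
        ssize_t w = write(out_fd, real + off, len - off);
        if (w < 0 && errno == EINTR)
            continue;
        if (w <= 0)
            return -1;
        off += (size_t)w;
    }
    return 0;
}

/* Resolve `path` inside the mount namespace of `target`; this is the safe
 * counterpart of the host calling realpath() on a guest-supplied path itself. */
static int resolve_in_namespace(pid_t target, const char *path, char *buf, size_t buflen)
{
    return run_in_mount_namespace(target, resolve_cb, (void *)path, buf, buflen);
}

/* Returns 1 if `path` resolves to `expected` in the target's namespace, else 0. */
static int resolve_matches(pid_t target, const char *path, const char *expected)
{
    char buf[PATH_MAX];
    if (resolve_in_namespace(target, path, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(int argc, char **argv)
{
    /* usage: ./a.out <pid> <path>; with no arguments, resolves /proc/self/.. in our own namespace */
    char buf[PATH_MAX];
    pid_t target = argc > 2 ? (pid_t)atol(argv[1]) : getpid();
    const char *path = argc > 2 ? argv[2] : "/proc/self/..";
    if (resolve_in_namespace(target, path, buf, sizeof buf) < 0) {
        perror("resolve_in_namespace");
        return 1;
    }
    printf("%s as seen by pid %ld -> %s\n", path, (long)target, buf);
    return 0;
}
```

Entering another process's mount namespace needs CAP_SYS_ADMIN, so pointing this at a real container pid requires root; the self-targeting path only shows the fork and result-passing mechanics. One caveat for the pthread_create variant floated above: setns(fd, CLONE_NEWNS) fails with EINVAL when the calling task shares its root/cwd fs_struct with other tasks, which threads created with pthread_create (CLONE_FS) do, so a thread would have to call unshare(CLONE_FS) before setns(); the per-thread namespace switch then works, but the caller still has to marshal results back to the threads that stayed in the host namespace, as the cover letter notes.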