Rewrite multiple hotunplug functions to to use the
virProcessRunInMountNamespace helper. This avoids
risk of a malicious guest replacing /dev with a absolute
symlink, tricking the driver into changing the host OS
filesystem.
Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
---
src/lxc/lxc_driver.c | 79 ++++++++++++++++++++++++++--------------------------
1 file changed, 39 insertions(+), 40 deletions(-)
diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
index 987196b..53db957 100644
--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
@@ -3774,6 +3774,39 @@ lxcDomainAttachDeviceMknod(virLXCDriverPtr driver,
static int
+lxcDomainAttachDeviceUnlinkHelper(pid_t pid ATTRIBUTE_UNUSED,
+ void *opaque)
+{
+ const char *path = opaque;
+
+ VIR_DEBUG("Unlinking %s", path);
+ if (unlink(path) < 0 && errno != ENOENT) {
+ virReportSystemError(errno,
+ _("Unable to remove device %s"), path);
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int
+lxcDomainAttachDeviceUnlink(virDomainObjPtr vm,
+ char *file)
+{
+ virLXCDomainObjPrivatePtr priv = vm->privateData;
+
+ if (virProcessRunInMountNamespace(priv->initpid,
+ lxcDomainAttachDeviceUnlinkHelper,
+ file) < 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int
lxcDomainAttachDeviceDiskLive(virLXCDriverPtr driver,
virDomainObjPtr vm,
virDomainDeviceDefPtr dev)
@@ -4364,8 +4397,7 @@ lxcDomainDetachDeviceDiskLive(virDomainObjPtr vm,
def = vm->def->disks[idx];
- if (virAsprintf(&dst, "/proc/%llu/root/dev/%s",
- (unsigned long long)priv->initpid, def->dst) < 0)
+ if (virAsprintf(&dst, "/dev/%s", def->dst) < 0)
goto cleanup;
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) {
@@ -4374,11 +4406,8 @@ lxcDomainDetachDeviceDiskLive(virDomainObjPtr vm,
goto cleanup;
}
- VIR_DEBUG("Unlinking %s (backed by %s)", dst, def->src);
- if (unlink(dst) < 0 && errno != ENOENT) {
+ if (lxcDomainAttachDeviceUnlink(vm, dst) < 0) {
virDomainAuditDisk(vm, def->src, NULL, "detach", false);
- virReportSystemError(errno,
- _("Unable to remove device %s"), dst);
goto cleanup;
}
virDomainAuditDisk(vm, def->src, NULL, "detach", true);
@@ -4473,7 +4502,6 @@ lxcDomainDetachDeviceHostdevUSBLive(virLXCDriverPtr driver,
virDomainHostdevDefPtr def = NULL;
int idx, ret = -1;
char *dst = NULL;
- char *vroot = NULL;
virUSBDevicePtr usb = NULL;
if ((idx = virDomainHostdevFind(vm->def,
@@ -4484,12 +4512,7 @@ lxcDomainDetachDeviceHostdevUSBLive(virLXCDriverPtr driver,
goto cleanup;
}
- if (virAsprintf(&vroot, "/proc/%llu/root",
- (unsigned long long)priv->initpid) < 0)
- goto cleanup;
-
- if (virAsprintf(&dst, "%s/dev/bus/usb/%03d/%03d",
- vroot,
+ if (virAsprintf(&dst, "/dev/bus/usb/%03d/%03d",
def->source.subsys.u.usb.bus,
def->source.subsys.u.usb.device) < 0)
goto cleanup;
@@ -4504,11 +4527,8 @@ lxcDomainDetachDeviceHostdevUSBLive(virLXCDriverPtr driver,
def->source.subsys.u.usb.device, NULL)))
goto cleanup;
- VIR_DEBUG("Unlinking %s", dst);
- if (unlink(dst) < 0 && errno != ENOENT) {
+ if (lxcDomainAttachDeviceUnlink(vm, dst) < 0) {
virDomainAuditHostdev(vm, def, "detach", false);
- virReportSystemError(errno,
- _("Unable to remove device %s"), dst);
goto cleanup;
}
virDomainAuditHostdev(vm, def, "detach", true);
@@ -4531,7 +4551,6 @@ lxcDomainDetachDeviceHostdevUSBLive(virLXCDriverPtr driver,
cleanup:
virUSBDeviceFree(usb);
VIR_FREE(dst);
- VIR_FREE(vroot);
return ret;
}
@@ -4543,7 +4562,6 @@ lxcDomainDetachDeviceHostdevStorageLive(virDomainObjPtr vm,
virLXCDomainObjPrivatePtr priv = vm->privateData;
virDomainHostdevDefPtr def = NULL;
int idx, ret = -1;
- char *dst = NULL;
if (!priv->initpid) {
virReportError(VIR_ERR_OPERATION_INVALID, "%s",
@@ -4560,22 +4578,14 @@ lxcDomainDetachDeviceHostdevStorageLive(virDomainObjPtr vm,
goto cleanup;
}
- if (virAsprintf(&dst, "/proc/%llu/root/%s",
- (unsigned long long)priv->initpid,
- def->source.caps.u.storage.block) < 0)
- goto cleanup;
-
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) {
virReportError(VIR_ERR_OPERATION_INVALID, "%s",
_("devices cgroup isn't mounted"));
goto cleanup;
}
- VIR_DEBUG("Unlinking %s", dst);
- if (unlink(dst) < 0 && errno != ENOENT) {
+ if (lxcDomainAttachDeviceUnlink(vm, def->source.caps.u.storage.block) < 0) {
virDomainAuditHostdev(vm, def, "detach", false);
- virReportSystemError(errno,
- _("Unable to remove device %s"), dst);
goto cleanup;
}
virDomainAuditHostdev(vm, def, "detach", true);
@@ -4590,7 +4600,6 @@ lxcDomainDetachDeviceHostdevStorageLive(virDomainObjPtr vm,
ret = 0;
cleanup:
- VIR_FREE(dst);
return ret;
}
@@ -4602,7 +4611,6 @@ lxcDomainDetachDeviceHostdevMiscLive(virDomainObjPtr vm,
virLXCDomainObjPrivatePtr priv = vm->privateData;
virDomainHostdevDefPtr def = NULL;
int idx, ret = -1;
- char *dst = NULL;
if (!priv->initpid) {
virReportError(VIR_ERR_OPERATION_INVALID, "%s",
@@ -4619,22 +4627,14 @@ lxcDomainDetachDeviceHostdevMiscLive(virDomainObjPtr vm,
goto cleanup;
}
- if (virAsprintf(&dst, "/proc/%llu/root/%s",
- (unsigned long long)priv->initpid,
- def->source.caps.u.misc.chardev) < 0)
- goto cleanup;
-
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) {
virReportError(VIR_ERR_OPERATION_INVALID, "%s",
_("devices cgroup isn't mounted"));
goto cleanup;
}
- VIR_DEBUG("Unlinking %s", dst);
- if (unlink(dst) < 0 && errno != ENOENT) {
+ if (lxcDomainAttachDeviceUnlink(vm, def->source.caps.u.misc.chardev) < 0) {
virDomainAuditHostdev(vm, def, "detach", false);
- virReportSystemError(errno,
- _("Unable to remove device %s"), dst);
goto cleanup;
}
virDomainAuditHostdev(vm, def, "detach", true);
@@ -4649,7 +4649,6 @@ lxcDomainDetachDeviceHostdevMiscLive(virDomainObjPtr vm,
ret = 0;
cleanup:
- VIR_FREE(dst);
return ret;
}
--
1.8.5.3
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list