Re: Restricting automounting of uncommon filesystems?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Jul 24, 2023 at 12:08:00PM -0400, Solomon Peachy wrote:
> On Mon, Jul 24, 2023 at 04:51:38PM +0100, Richard W.M. Jones wrote:
> > You don't actually need to do any of this if you're using libguestfs,
> > because the worst that can happen is the filesystem will pwn the
> > kernel inside the KVM appliance (which is just a userspace process, so
> > you can kill it).
> 
> But if that kernel is pwn3d, won't that still allow arbitrary data to be 
> passed out to the host?  (I confess to knowing very little about the 
> guts of libguestfs)

If the malicious filesystem managed to execute code in the appliance,
it would be able to feed custom data back to the host when the host
called APIs like 'guestfs_read_file' to read a file, but that's just
the same as a regular filesystem having files with data in them.

There are probably more complex multi-step exploits possible, but it's
still vastly safer than having your host kernel being rooted which is
instant game over.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
nbdkit - Flexible, fast NBD server with plugins
https://gitlab.com/nbdkit/nbdkit
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux