Re: Restricting automounting of uncommon filesystems?

On Jul 24, 2023, at 7:47 AM, Richard W.M. Jones <rjones@xxxxxxxxxx> wrote:
> On Mon, Jul 24, 2023 at 10:08:50AM -0400, Demi Marie Obenour wrote:
>> I saw that libguestfs has a guestmount(1) tool, and I think this could be
>> a potential solution.  An exploit against the kernel FS driver would only
>> grant access to a KVM guest, and the QEMU process can be tightly sandboxed
>> by means such as seccomp and SELinux.
>
> Right.  guestmount does however use an unholy combination of FUSE and
> proxying requests through the KVM guest so this wouldn't be very fast :-/

OTOH it may be fine for the overwhelming majority of use cases, and the tradeoff of better hardened systems could also be worth it.

I’ve seen more than one implementation of “Run a Linux container on macOS” that ends up using ssh for the console and sshfs as the way to get data back and forth… and people seem to be fine with it.
