From 25c7e1181ab80644f3bfa9dd9592210008f2ae40 Mon Sep 17 00:00:00 2001 From: Christophe de Dinechin Date: Tue, 7 Sep 2021 17:09:50 +0200 Subject: [PATCH] virtiofs: Create shared directory with 0700 mode, not 0750 A discussion on the Linux kernel mailing list [1] exposed that virtiofsd makes a core assumption that the file systems being shared are not accessible by any non-privileged user. We currently create the `shared` directory in the sandbox with the default `0750` permissions, which gives read and directory traversal access to the group. There is no real good reason for a non-root user to access the shared directory, and this is potentially dangerous. Fixes: #2589 [1]: https://lore.kernel.org/linux-fsdevel/YTI+k29AoeGdX13Q@redhat.com/ Signed-off-by: Christophe de Dinechin --- src/runtime/virtcontainers/kata_agent.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/runtime/virtcontainers/kata_agent.go b/src/runtime/virtcontainers/kata_agent.go index 7209f54be..698353a9e 100644 --- a/src/runtime/virtcontainers/kata_agent.go +++ b/src/runtime/virtcontainers/kata_agent.go @@ -68,6 +68,9 @@ const ( kernelParamDebugConsole = "agent.debug_console" kernelParamDebugConsoleVPort = "agent.debug_console_vport" kernelParamDebugConsoleVPortValue = "1026" + + // Restricted permission for shared directory managed by virtiofs + sharedDirMode = os.FileMode(0700) | os.ModeDir ) var ( @@ -516,7 +519,7 @@ func (k *kataAgent) setupSharedPath(ctx context.Context, sandbox *Sandbox) (err // create shared path structure sharePath := getSharePath(sandbox.id) mountPath := getMountPath(sandbox.id) - if err := os.MkdirAll(sharePath, DirMode); err != nil { + if err := os.MkdirAll(sharePath, sharedDirMode); err != nil { return err } if err := os.MkdirAll(mountPath, DirMode); err != nil {