On Tue, Dec 01, 2015 at 06:29:01PM +0100, Mateusz Guzik wrote:
> CHROOT_OUT is mere chroot ("."), which suggests that the cwd for
> virt-builder is "/". This means anything using aforementioned construct
> has to use absolute paths, otherwise it looks names up against the real
> "/". For current code it would make sense to somehow check if all
> passed paths are absolute (if not by code inspection, one can try to
> cook up a systemtap script to verify such behaviour in-between chroots).
>
> As for a solution, forking off a process which chroots is definitely on
> the right track. However, I would argue what's really needed here is the
> following: at the start, a container is created, the child gets in. Execs,
> file system operations, just about everything has to be a request sent
> to the child over e.g. a unix socket, but pipes could work too.
I think you're hinting at a security issue, but I don't think there is
one in virt-builder, since firstly we trust the templates and the
command line (hence there is no "attacker" in the virt-builder
scenario), and secondly everything runs inside a virtual machine, so
this putative virt-builder attacker can only take over the appliance,
and would be stopped by the protections we place around the appliance
(sVirt and so on).
However it certainly is worth hardening the way we run commands. A
container approach has another advantage too: that any processes
started up by (eg) dnf/yum are "captured" in the container and can be
conveniently killed off when the command exits. This is in fact an
existing source of bugs (https://bugzilla.redhat.com/1195881).
> Filesystems in the container would not be fully populated (see: /dev/mem
> & friends), but only have 'container-friendly' files.
>
> That's definitely a lot of work and I'm not up to the task.
Right - patches welcome!
> Regardless, commandvf vs chroot usage can be improved without said
> significant work.
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
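As an added illustration (not libguestfs code, and not from either author) of the "capture and kill stragglers" behaviour discussed above, here is a small Linux C routine that runs a command in its own process group, makes the caller a child subreaper, and sweeps and reaps whatever the command left behind once it exits. It assumes Linux (PR_SET_CHILD_SUBREAPER) and deliberately leaves out the chroot step, which needs CAP_SYS_CHROOT.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run argv as a child in its own process group, wait for it, then kill
 * and reap everything the command spawned and left running (the dnf/yum
 * helper-process problem).  Returns the number of stray processes reaped,
 * or -1 on error; *status receives the direct child's wait status. */
int run_captured(char *const argv[], int *status)
{
    /* Orphans of the command get reparented to us instead of init, so we
     * can wait for them.  Linux-specific, needs no privilege. */
    if (prctl(PR_SET_CHILD_SUBREAPER, 1, 0, 0, 0) == -1)
        return -1;

    pid_t child = fork();
    if (child == -1)
        return -1;
    if (child == 0) {
        setpgid(0, 0);              /* new process group, pgid == our pid */
        execvp(argv[0], argv);
        _exit(127);
    }
    setpgid(child, child);          /* also from the parent, closes a race */

    /* Wait for the direct child only; its helpers may still be running. */
    if (waitpid(child, status, 0) == -1)
        return -1;

    /* Everything still in the group is a straggler: kill the whole group. */
    kill(-child, SIGKILL);

    /* Reap the stragglers, which the subreaper flag routed to us. */
    int strays = 0;
    for (;;) {
        int st;
        pid_t p = waitpid(-1, &st, 0);
        if (p == -1) {
            if (errno == ECHILD) break;     /* nothing left to reap */
            if (errno == EINTR) continue;
            return -1;
        }
        strays++;
    }
    prctl(PR_SET_CHILD_SUBREAPER, 0, 0, 0, 0);
    return strays;
}
```

The background `sleep` in a command such as `sh -c 'sleep 100 & exit 0'` would normally outlive the shell; with this wrapper it is killed and accounted for as soon as the shell returns.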