qemu-e2k/docs
Stefan Hajnoczi 06844584b6 virtiofsd: add container-friendly -o sandbox=chroot option
virtiofsd cannot run in a container because CAP_SYS_ADMIN is required to
create namespaces.

Introduce a weaker sandbox mode that is sufficient in container
environments because the container runtime already sets up namespaces.
Use chroot to restrict path traversal to the shared directory.

virtiofsd loses the following:

1. Mount namespace. The process chroots to the shared directory but
   leaves the mounts in place. Seccomp rejects mount(2)/umount(2)
   syscalls.

2. Pid namespace. This should be fine because virtiofsd is the only
   process running in the container.

3. Network namespace. This should be fine because seccomp already
   rejects the connect(2) syscall, but an additional layer of security
   is lost. Container runtime-specific network security policies can be
   used to drop network traffic (except for the vhost-user UNIX domain
   socket).

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20201008085534.16070-1-stefanha@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
2020-10-26 18:35:32 +00:00
config
devel fuzz: Add instructions for using generic-fuzz 2020-10-26 09:53:53 +01:00
interop qcow2: introduce icount field for snapshots 2020-10-06 08:34:49 +02:00
specs specs/ppc-spapr-numa: update with new NUMA support 2020-10-09 15:06:14 +11:00
sphinx docs: Fix Sphinx configuration for msys2/mingw 2020-10-17 10:45:52 -04:00
spin
system machine: remove deprecated -machine enforce-config-section option 2020-10-26 07:08:39 -04:00
tools virtiofsd: add container-friendly -o sandbox=chroot option 2020-10-26 18:35:32 +00:00
user
amd-memory-encryption.txt
barrier.txt
block-replication.txt
bootindex.txt
can.txt hw/net/can: Documentation for CTU CAN FD IP open hardware core emulation. 2020-09-30 19:11:37 +02:00
ccid.txt
COLO-FT.txt docs/: fix some comment spelling errors 2020-09-17 20:37:13 +02:00
colo-proxy.txt
conf.py docs: Fix Sphinx configuration for msys2/mingw 2020-10-17 10:45:52 -04:00
cpu-hotplug.rst
defs.rst.inc
generic-loader.txt
hyperv.txt i386/kvm: correct the meaning of '0xffffffff' value for hv-spinlocks 2020-09-18 13:49:54 -04:00
igd-assign.txt
image-fuzzer.txt
index.html.in docs/interop: Convert qemu-qmp-ref to rST 2020-09-29 17:55:39 +02:00
index.rst
memory-hotplug.txt
meson.build meson: Move the detection logic for sphinx to meson 2020-10-17 10:45:53 -04:00
microvm.rst
multi-thread-compression.txt
multiseat.txt
nvdimm.txt
pci_expander_bridge.txt
pcie_pci_bridge.txt
pcie.txt
pr-manager.rst
pvrdma.txt
qcow2-cache.txt
qdev-device-use.txt docs/qdev-device-use: Don't suggest -drive and -net can do USB 2020-09-03 09:58:39 +02:00
qemu_logo.pdf
qemu-option-trace.rst.inc
qemupciserial.inf
rdma.txt docs/: fix some comment spelling errors 2020-09-17 20:37:13 +02:00
replay.txt replay: describe reverse debugging in docs/replay.txt 2020-10-06 08:34:49 +02:00
spice-port-fqdn.txt
throttle.txt docs: Document the throttle block filter 2020-10-02 15:46:40 +02:00
u2f.txt
usb2.txt
usb-storage.txt
virtio-balloon-stats.txt
virtio-net-failover.rst
virtio-pmem.rst
xbzrle.txt
xen-save-devices-state.txt