qemu-kvm/SOURCES/kvm-virtiofsd-Whitelist-fchmod.patch

From 181ed1777c3dd50b1ff9907b0a4199e845af1270 Mon Sep 17 00:00:00 2001
From: Max Reitz <mreitz@redhat.com>
Date: Fri, 18 Jun 2021 16:21:17 -0400
Subject: [PATCH 1/4] virtiofsd: Whitelist fchmod
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RH-Author: Max Reitz <mreitz@redhat.com>
Message-id: <20210618162117.97775-2-mreitz@redhat.com>
Patchwork-id: 101719
O-Subject: [RHEL-8.5.0 qemu-kvm PATCH 1/1] virtiofsd: Whitelist fchmod
Bugzilla: 1967914
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Vivek Goyal <vgoyal@redhat.com>
RH-Acked-by: Connor Kuehl <ckuehl@redhat.com>

lo_setattr() invokes fchmod() in a rarely used code path, so it should
be whitelisted or virtiofsd will crash with EBADSYS.

Said code path can be triggered for example as follows:

On the host, in the shared directory, create a file with the sticky bit
set and a security.capability xattr:
(1) # touch foo
(2) # chmod u+s foo
(3) # setcap '' foo

Then in the guest let some process truncate that file after it has
dropped all of its capabilities (at least CAP_FSETID):

int main(int argc, char *argv[])
{
    capng_setpid(getpid());
    capng_clear(CAPNG_SELECT_BOTH);
    capng_updatev(CAPNG_ADD, CAPNG_PERMITTED | CAPNG_EFFECTIVE, 0);
    capng_apply(CAPNG_SELECT_BOTH);

    ftruncate(open(argv[1], O_RDWR), 0);
}

This will cause the guest kernel to drop the sticky bit (i.e. perform a
mode change) as part of the truncate (where FATTR_FH is set), and that
will cause virtiofsd to invoke fchmod() instead of fchmodat().

(A similar configuration exists further below with futimens() vs.
utimensat(), but the former is not a syscall but just a wrapper for the
latter, so no further whitelisting is required.)

Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1842667
Reported-by: Qian Cai <caiqian@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-Id: <20200608093111.14942-1-mreitz@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
(cherry picked from commit 63659fe74e76f5c5285466f0c5cfbdca65b3688e)
Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
 tools/virtiofsd/seccomp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/virtiofsd/seccomp.c b/tools/virtiofsd/seccomp.c
index bd9e7b083c..3b1522acdd 100644
--- a/tools/virtiofsd/seccomp.c
+++ b/tools/virtiofsd/seccomp.c
@@ -42,6 +42,7 @@ static const int syscall_whitelist[] = {
     SCMP_SYS(exit_group),
     SCMP_SYS(fallocate),
     SCMP_SYS(fchdir),
+    SCMP_SYS(fchmod),
     SCMP_SYS(fchmodat),
     SCMP_SYS(fchownat),
     SCMP_SYS(fcntl),
-- 
2.27.0
import qemu-kvm-4.2.0-59.module+el8.5.0+12817+cb650d43 2021-11-09 09:52:18 +00:00			`From 181ed1777c3dd50b1ff9907b0a4199e845af1270 Mon Sep 17 00:00:00 2001`
			`From: Max Reitz <mreitz@redhat.com>`
			`Date: Fri, 18 Jun 2021 16:21:17 -0400`
			`Subject: [PATCH 1/4] virtiofsd: Whitelist fchmod`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`RH-Author: Max Reitz <mreitz@redhat.com>`
			`Message-id: <20210618162117.97775-2-mreitz@redhat.com>`
			`Patchwork-id: 101719`
			`O-Subject: [RHEL-8.5.0 qemu-kvm PATCH 1/1] virtiofsd: Whitelist fchmod`
			`Bugzilla: 1967914`
			`RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>`
			`RH-Acked-by: Vivek Goyal <vgoyal@redhat.com>`
			`RH-Acked-by: Connor Kuehl <ckuehl@redhat.com>`

			`lo_setattr() invokes fchmod() in a rarely used code path, so it should`
			`be whitelisted or virtiofsd will crash with EBADSYS.`

			`Said code path can be triggered for example as follows:`

			`On the host, in the shared directory, create a file with the sticky bit`
			`set and a security.capability xattr:`
			`(1) # touch foo`
			`(2) # chmod u+s foo`
			`(3) # setcap '' foo`

			`Then in the guest let some process truncate that file after it has`
			`dropped all of its capabilities (at least CAP_FSETID):`

			`int main(int argc, char *argv[])`
			`{`
			`capng_setpid(getpid());`
			`capng_clear(CAPNG_SELECT_BOTH);`
			`capng_updatev(CAPNG_ADD, CAPNG_PERMITTED \| CAPNG_EFFECTIVE, 0);`
			`capng_apply(CAPNG_SELECT_BOTH);`

			`ftruncate(open(argv[1], O_RDWR), 0);`
			`}`

			`This will cause the guest kernel to drop the sticky bit (i.e. perform a`
			`mode change) as part of the truncate (where FATTR_FH is set), and that`
			`will cause virtiofsd to invoke fchmod() instead of fchmodat().`

			`(A similar configuration exists further below with futimens() vs.`
			`utimensat(), but the former is not a syscall but just a wrapper for the`
			`latter, so no further whitelisting is required.)`

			`Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1842667`
			`Reported-by: Qian Cai <caiqian@redhat.com>`
			`Cc: qemu-stable@nongnu.org`
			`Signed-off-by: Max Reitz <mreitz@redhat.com>`
			`Message-Id: <20200608093111.14942-1-mreitz@redhat.com>`
			`Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>`
			`Reviewed-by: Vivek Goyal <vgoyal@redhat.com>`
			`Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>`
			`(cherry picked from commit 63659fe74e76f5c5285466f0c5cfbdca65b3688e)`
			`Signed-off-by: Max Reitz <mreitz@redhat.com>`
			`Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>`
			`---`
			`tools/virtiofsd/seccomp.c \| 1 +`
			`1 file changed, 1 insertion(+)`

			`diff --git a/tools/virtiofsd/seccomp.c b/tools/virtiofsd/seccomp.c`
			`index bd9e7b083c..3b1522acdd 100644`
			`--- a/tools/virtiofsd/seccomp.c`
			`+++ b/tools/virtiofsd/seccomp.c`
			`@@ -42,6 +42,7 @@ static const int syscall_whitelist[] = {`
			`SCMP_SYS(exit_group),`
			`SCMP_SYS(fallocate),`
			`SCMP_SYS(fchdir),`
			`+ SCMP_SYS(fchmod),`
			`SCMP_SYS(fchmodat),`
			`SCMP_SYS(fchownat),`
			`SCMP_SYS(fcntl),`
			`--`
			`2.27.0`