passthrough: Replace openat(2) with openat2(2)

Although it is not a sandboxing solution, using openat2(2) with RESOLVE_IN_ROOT and RESOLVE_NO_MAGICLINKS adds a bit more security, especially if running as non-root and no sandboxing option is available.

This was requested to be able to run inside an OpenShift unprivileged pod where "virtiofsd is already in a container". The OSP seccomp policy denies CLONE_NEWUSER and NO_NEW_PRIVILEGES is turned on by default.

This could be useful in combination with !136 (merged), related: #63 (closed)

Tested with pjdfstest with/without file handles and all sandboxing options. Also, tested with different mount points in the shared directory (bind, etc.).

Summary by Sourcery

Enable use of openat2 syscall for secure path resolution in the passthrough filesystem, falling back to openat when openat2 is unavailable

Enhancements:

  • Add OsFacts struct to detect availability of openat2 at runtime
  • Implement do_open_relative_to wrapper to invoke openat2 with RESOLVE_IN_ROOT and RESOLVE_NO_MAGICLINKS flags
  • Introduce open_relative_to method in PassthroughFs to conditionally use openat2 or openat for all file opens
  • Permit openat2 syscall in the seccomp policy
Edited by sourcery-ai
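As an added illustration (not code from the virtiofsd merge request), here is a self-contained Rust sketch of the two pieces the summary describes: a runtime probe for openat2 and an open wrapper that passes RESOLVE_IN_ROOT | RESOLVE_NO_MAGICLINKS when the syscall is available and falls back to plain openat(2) otherwise. The function names, the hand-written raw syscall bindings and the rule of treating any probe failure as "unavailable" are my assumptions, not the project's.

```rust
use std::ffi::CString;
use std::fs::File;
use std::io;
use std::mem::size_of;
use std::os::raw::{c_char, c_int, c_long};
use std::os::unix::io::{FromRawFd, RawFd};

// Raw bindings so the file builds without the libc crate (assumed: Linux, glibc or musl).
extern "C" {
    fn syscall(num: c_long, ...) -> c_long;
    fn openat(dirfd: c_int, path: *const c_char, flags: c_int, ...) -> c_int;
    fn close(fd: c_int) -> c_int;
}
const SYS_OPENAT2: c_long = 437; // same number on every Linux architecture
const AT_FDCWD: c_int = -100;
pub const O_RDONLY: c_int = 0;
pub const O_CLOEXEC: c_int = 0o2000000; // x86_64 / aarch64 value
const RESOLVE_NO_MAGICLINKS: u64 = 0x02; // refuse /proc/<pid>/fd-style magic links
const RESOLVE_IN_ROOT: u64 = 0x10; // dirfd acts as "/" for "..", absolute paths and symlinks

/// Must match struct open_how in <linux/openat2.h>.
#[repr(C)]
struct OpenHow { flags: u64, mode: u64, resolve: u64 }

/// Runtime probe (done once at startup in a real service): openat2 exists on Linux >= 5.6.
/// ENOSYS (old kernel) and any other refusal, e.g. EPERM from a seccomp filter, both mean "fall back".
pub fn openat2_available() -> bool {
    let dot = CString::new(".").unwrap();
    let how = OpenHow { flags: (O_RDONLY | O_CLOEXEC) as u64, mode: 0, resolve: RESOLVE_IN_ROOT };
    let r = unsafe { syscall(SYS_OPENAT2, AT_FDCWD as c_long, dot.as_ptr(), &how as *const OpenHow, size_of::<OpenHow>()) };
    if r >= 0 { unsafe { close(r as c_int); } }
    r >= 0
}

/// Open `path` below `dirfd`. With openat2, RESOLVE_IN_ROOT keeps "..", absolute paths and symlink
/// targets inside `dirfd` and RESOLVE_NO_MAGICLINKS rejects magic links; the openat fallback has neither.
/// `mode` is 0 because this wrapper is meant for opens without O_CREAT.
pub fn open_relative_to(dirfd: RawFd, path: &str, flags: c_int, use_openat2: bool) -> io::Result<File> {
    let cpath = CString::new(path)?;
    let fd = if use_openat2 {
        let how = OpenHow { flags: flags as u64, mode: 0, resolve: RESOLVE_IN_ROOT | RESOLVE_NO_MAGICLINKS };
        unsafe { syscall(SYS_OPENAT2, dirfd as c_long, cpath.as_ptr(), &how as *const OpenHow, size_of::<OpenHow>()) as c_int }
    } else {
        unsafe { openat(dirfd, cpath.as_ptr(), flags) }
    };
    if fd < 0 { return Err(io::Error::last_os_error()); }
    Ok(unsafe { File::from_raw_fd(fd) })
}
```

When openat2 is in use, a lookup such as `../../etc/passwd` or a symlink pointing at `/` is re-rooted at the shared directory and simply fails with ENOENT; with the openat fallback the same lookup would reach the host path, which is why the page calls this "a bit more security" rather than a sandbox.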
