CVE-2013-6456: Avoid unsafe use of /proc/$PID/root in LXC disk hotplug
author Daniel P. Berrange <berrange@redhat.com>
Thu, 30 Jan 2014 15:59:20 +0000 (15:59 +0000)
committer Daniel P. Berrange <berrange@redhat.com>
Tue, 18 Feb 2014 18:29:32 +0000 (18:29 +0000)
commit e57058cfe827b1971ca0dee224ff273c9cad7756
tree ef583fc3e417ec45b9d43c2d9ada7143bb7a4547
parent e1e7e05376faf1ed471cb5c1d1e0415458f2af7d
CVE-2013-6456: Avoid unsafe use of /proc/$PID/root in LXC disk hotplug

Rewrite lxcDomainAttachDeviceDiskLive function to use the
virProcessRunInMountNamespace helper. This avoids risk of
a malicious guest replacing /dev with an absolute symlink,
tricking the driver into changing the host OS filesystem.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 4dd3a7d5bc44980135a1b11810ba9aeab42a4a59)

Conflicts:
src/lxc/lxc_driver.c: OOM + cgroups error reporting and
        remove usernamespace integration
src/lxc/lxc_driver.c
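
The risk this commit message describes, shown as an added example that is not libvirt code and not the method the commit uses (the commit runs the work inside the guest's mount namespace via virProcessRunInMountNamespace). It contrasts a host-side joined path, which follows an absolute symlink at dev out of the guest root, with a component-by-component openat() walk using O_NOFOLLOW that refuses it. All function names and the /tmp directories are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Where does a host-side "<root>/<rel>" really land? 1 = inside root, 0 = escaped. */
int joined_path_stays_inside(const char *root, const char *rel) {
    char joined[PATH_MAX], rroot[PATH_MAX], real[PATH_MAX];
    snprintf(joined, sizeof(joined), "%s/%s", root, rel);
    if (!realpath(root, rroot) || !realpath(joined, real)) return -1;
    size_t n = strlen(rroot);
    return !strncmp(real, rroot, n) && (real[n] == '/' || real[n] == '\0');
}

/* Walk rel beneath rootfd one component at a time. O_NOFOLLOW makes openat()
 * fail on a symlink, so a guest-planted link is refused instead of followed. */
int open_dir_beneath(int rootfd, const char *rel) {
    char buf[PATH_MAX], *save = NULL;
    int fd = strlen(rel) < sizeof(buf) ? dup(rootfd) : -1;
    if (fd < 0) return -1;
    strcpy(buf, rel);
    for (char *c = strtok_r(buf, "/", &save); c; c = strtok_r(NULL, "/", &save)) {
        int next = strcmp(c, "..") == 0 ? -1 :
            openat(fd, c, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        close(fd);
        if ((fd = next) < 0) return -1;
    }
    return fd;
}

/* Constructed guest root: dev is a directory or, if malicious, an absolute symlink. */
int make_guest(char *guest, size_t len, int malicious) {
    char host[] = "/tmp/demo-host-XXXXXX", dev[PATH_MAX]; /* host: stand-in host fs */
    snprintf(guest, len, "/tmp/demo-guest-XXXXXX");
    if (!mkdtemp(guest) || !mkdtemp(host)) return -1;
    snprintf(dev, sizeof(dev), "%s/dev", guest);
    return malicious ? symlink(host, dev) : mkdir(dev, 0755);
}

int main(void) {
    char g[64];
    if (make_guest(g, sizeof(g), 1)) return 1;
    printf("inside=%d walk_fd=%d\n", joined_path_stays_inside(g, "dev"),
           open_dir_beneath(open(g, O_RDONLY | O_DIRECTORY), "dev"));
    return 0;
}
```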