fix(security): enforce read-only virtiofs at hypervisor level#454
Merged
Conversation
…6ww-w5j2-r7x3) Addresses a critical vulnerability where read-only volume mounts could be bypassed by malicious guest code via `mount -o remount,rw` due to three compounding flaws: 1. **Hypervisor enforcement** — Upgrade vendored libkrun to v1.18.0 which provides `krun_add_virtiofs3()` with a `read_only` parameter. The `VolumeSpec.read_only` flag is now enforced at the device level by the hypervisor, not just as a guest-side mount option. 2. **Capability restriction** — Replace the all-41-capabilities grant with Docker's default capability set (14 capabilities). This drops `CAP_SYS_ADMIN`, `CAP_NET_ADMIN`, `CAP_SYS_MODULE`, `CAP_BPF`, and other dangerous capabilities, preventing `remount` attacks entirely. 3. **TSI network isolation** — When `disable_network` is set, replace the implicit vsock device (which enables TSI socket hijacking) with an explicit vsock using `TsiFeatures::None`, preventing guest processes from routing outbound sockets through the host. Additional changes: - Upgrade vendored libkrunfw to v5.3.0 (kernel 6.12.76) - Update prebuilt download URLs and SHA256 checksums - Version cache paths to prevent stale artifact reuse across upgrades - Remove deprecated `krun_disable_tsi` FFI binding - Refactor build.rs init binary compilation (now handled by libkrun's devices/build.rs via CC_LINUX env var)
…fixes Cover all three security layers: TsiFeatures bitmask correctness, Docker-default capability set enforcement, and hypervisor-level read-only virtiofs with TSI isolation when network is disabled.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes GHSA-g6ww-w5j2-r7x3 (CVSS 10.0) — read-only virtiofs volume mounts could be bypassed by malicious guest code.
Three-layer fix:
krun_add_virtiofs3(libkrun v1.18.0) which enforces read-only at the virtio-fs device level, before requests reach the guest kernelCAP_SYS_ADMIN) with Docker-default set (14 caps), preventing guests from remounting filesystems read-writeNetworkSpec::Disabled, explicitly disable implicit vsock and add vsock with zero TSI features, preventing guest network escape via AF_INET/AF_UNIX socket forwardingDependency upgrades:
Test plan
cargo test -p boxlite --features krun,gvproxy