[PVE-User] virtio-9p-pci is not a valid device model name, since yesterday

Fabian Gr├╝nbichler f.gruenbichler at proxmox.com
Wed Mar 1 08:28:11 CET 2017


On Tue, Feb 28, 2017 at 08:50:55PM +0100, Uwe Sauter wrote:
> Hi,
> 
> I'd like to make you aware of a security flaw in virtfs [1] that was published about 2 weeks ago.
> 
> Might be worth while to get this into the coming update if this applies to PVE.
> 
> Regards,
> 
> 	Uwe
> 
> 
> [1] https://bugs.chromium.org/p/project-zero/issues/detail?id=1035&can=6&q=

thanks. We follow upstream's development pretty closely, and the
multiple patch series attempting to fix this and related issues have
been on our radar for a while ;)

since it's not a feature that you can enable as non-root user, and even
then, you need to manually add the required qemu commandline arguments
yourself - I'd argue it is pretty much out of scope as far as regular
security concerns from our side are concerned. similarly, you are able
to disable disable app armor and capability dropping for containers (by
manually adding the right LXC options to the container configuration),
but if you do, you should be aware of the consequences.

still, it is probably a good idea to re-enable support for virtfs after
the last round of symlink fixes is ready for cherry-picking /
backporting, which should be soonish.



More information about the pve-user mailing list