Host File System Access #239

Closed
Harry-R opened this issue Nov 29, 2021 · 2 comments

@Harry-R
Contributor

Harry-R commented Nov 29, 2021

uhyve grants full host file system access from within the unikernel with the permissions of the user running uhyve. Thus, a malicious or compromised unikernel (application) could compromise the host system.
As one of the advertised security aspects of unikernels is their strong isolation against the host system and other unikernels, this is nothing one would expect from a hypervisor designed for a unikernel.
One possible solution would be to allow access only to a certain shared folder of which the path can be passed to uhyve on startup.
However, until this is fixed (or if the full host file system access is considered a feature and not a bug) it should be properly documented in the README file.
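
The shared-folder restriction proposed in the comment above, sketched as an added example (not part of the original thread, not uhyve's code and not the change made in #783). The function name `resolve_in_shared_dir` and the paths in `main` are hypothetical; the sketch assumes the hypervisor receives guest paths as strings and maps them onto a single host directory given at startup.

```rust
use std::fs;
use std::io;
use std::path::{Component, Path, PathBuf};

// Hypothetical helper (not uhyve's API): map a guest-supplied path onto the
// host, allowing only targets that end up inside `shared_root`.
pub fn resolve_in_shared_dir(shared_root: &Path, guest_path: &str) -> io::Result<PathBuf> {
    let denied = |why: &str| io::Error::new(io::ErrorKind::PermissionDenied, why.to_string());
    // Canonicalize the root once so the prefix check compares real paths.
    let root = fs::canonicalize(shared_root)?;

    // Build the candidate lexically: ignore the guest's leading "/", refuse "..".
    let mut candidate = root.clone();
    for comp in Path::new(guest_path).components() {
        match comp {
            Component::Normal(part) => candidate.push(part),
            Component::RootDir | Component::CurDir => {}
            Component::ParentDir | Component::Prefix(_) => return Err(denied("'..' not allowed")),
        }
    }

    // Resolve symlinks. A file that does not exist yet (create) is checked
    // through its parent directory; a dangling symlink is refused outright.
    let resolved = match fs::canonicalize(&candidate) {
        Ok(p) => p,
        Err(e) if e.kind() == io::ErrorKind::NotFound => {
            if fs::symlink_metadata(&candidate).is_ok() {
                return Err(denied("dangling symlink"));
            }
            let parent = candidate.parent().ok_or_else(|| denied("no parent"))?;
            let name = candidate.file_name().ok_or_else(|| denied("no file name"))?;
            fs::canonicalize(parent)?.join(name)
        }
        Err(e) => return Err(e),
    };

    // Component-wise prefix check, so "/srv/share-old" is not inside "/srv/share".
    if !resolved.starts_with(&root) {
        return Err(denied("symlink leaves shared dir"));
    }
    Ok(resolved)
}

fn main() {
    // Constructed demo: the current directory stands in for the shared folder.
    for p in ["notes.txt", "../notes.txt"] {
        println!("{:?} -> {:?}", p, resolve_in_shared_dir(Path::new("."), p));
    }
}
```

The check and the later open are separate steps, so a production implementation also has to handle the path changing in between, for example by opening relative to a directory file descriptor (on Linux, `openat2` with `RESOLVE_BENEATH`).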

bors bot added a commit that referenced this issue Nov 29, 2021
240: README: Add warning about host file system access r=mkroening a=Harry-R

For details, see #239 

Co-authored-by: Leonard Rapp <leonard.rapp@rwth-aachen.de>
@stlankes
Collaborator

stlankes commented May 2, 2022

You are right, we should describe a solution to avoid full filesystem access. In the future, runh will be used to limit file system access. But a description is also missing here.

@jounathaen
Member

jounathaen commented Feb 13, 2025

Resolved with #783
