Host File System Access #239
bors bot added a commit that referenced this issue Nov 29, 2021
240: README: Add warning about host file system access r=mkroening a=Harry-R
For details, see #239
Co-authored-by: Leonard Rapp <[email protected]>
You are right, we should describe a solution to avoid full filesystem access. In the future, runh will be used to limit file system access. But a description is also missing here.
Resolved with #783
uhyve grants full host file system access from within the unikernel with the permissions of the user running uhyve. Thus, a malicious or compromised unikernel (application) could compromise the host system.
As one of the advertised security aspects of unikernels is their strong isolation against the host system and other unikernels, this is nothing one would expect from a hypervisor designed for a unikernel.
One possible solution would be to allow access only to a certain shared folder of which the path can be passed to uhyve on startup.
However, until this is fixed (or if the full host file system access is considered a feature and not a bug) it should be properly documented in the README file.
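One way to enforce the shared-folder restriction proposed above, as an added example that is not part of the issue or of uhyve's code: the hypothetical `confine` helper assumes the hypervisor receives file paths from the guest as strings and maps each one into a shared directory, rejecting `..` components and symlinks that lead outside it.

```rust
use std::fs;
use std::io::{self, ErrorKind};
use std::path::{Component, Path, PathBuf};

fn denied(msg: &str) -> io::Error {
    io::Error::new(ErrorKind::PermissionDenied, msg)
}

/// Hypothetical helper (not uhyve's API): map a guest-supplied path into the
/// shared directory `root` and refuse anything that resolves outside of it.
pub fn confine(root: &Path, guest_path: &str) -> io::Result<PathBuf> {
    let root = fs::canonicalize(root)?;
    let mut candidate = root.clone();
    for comp in Path::new(guest_path).components() {
        match comp {
            // A guest-absolute path is interpreted relative to the shared root.
            Component::RootDir | Component::Prefix(_) | Component::CurDir => {}
            Component::ParentDir => return Err(denied("'..' is not allowed")),
            Component::Normal(name) => candidate.push(name),
        }
    }
    // Resolve symlinks so a link inside the share cannot point outside it.
    let resolved = match fs::canonicalize(&candidate) {
        Ok(path) => path,
        // Target does not exist yet (file creation): resolve its parent instead.
        Err(e) if e.kind() == ErrorKind::NotFound => {
            if fs::symlink_metadata(&candidate).is_ok() {
                return Err(denied("dangling symlink"));
            }
            let parent = candidate.parent().ok_or_else(|| denied("no parent"))?;
            let name = candidate.file_name().ok_or_else(|| denied("no file name"))?;
            fs::canonicalize(parent)?.join(name)
        }
        Err(e) => return Err(e),
    };
    if resolved.starts_with(&root) {
        Ok(resolved)
    } else {
        Err(denied("path escapes the shared directory"))
    }
}

fn main() {
    // Constructed demo: the system temp directory stands in for the shared folder.
    let shared = std::env::temp_dir();
    for p in ["notes.txt", "/notes.txt", "../etc/passwd"] {
        println!("{:?} -> {:?}", p, confine(&shared, p));
    }
}
```

A check followed by a separate open is still racy if the guest or another process can swap a path component for a symlink in between; on Linux, opening relative to a directory file descriptor with `openat2` and `RESOLVE_BENEATH` closes that gap.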