Comment 2 for bug 1552042

Matthew Booth (mbooth-9) wrote :

I haven't replicated, but this looks like a real bug to me. As Garth says, though, it only affects systems without libguestfs. Note that if libguestfs is installed but not working this will give an error rather than falling back to being vulnerable. This would mean, for example, that no version of OpenStack shipped by Red Hat is affected, as libguestfs is a dependency of Nova compute in our packaging.

The impact is that you can use the inject files capability to write to arbitrary block/character devices on the compute host.

I believe mounting with nodev would fix the problem. It also might be a good idea if append_file, replace_file, and read_file checked that their targets were regular files before returning data.

More generally, I don't think that the design of VFSLocalFS is a good idea. With VFSLocalFS we're essentially implementing our own in-house containerisation. This domain is fraught with security holes even in projects which are entirely devoted to it. We're unlikely to do a good job over time in a backwater bit of Nova on a fallback path. Let's leverage another project. We could even engage the libguestfs project to support other backends more directly if that was considered important. It's also worth noting that libguestfs is usable today on systems without KVM, and given that our usage is essentially exclusively I/O, the lack of hardware-accelerated virt shouldn't be a big deal.
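The regular-file check suggested in the comment above, written out as an added example that is not part of the original comment or Nova's code. `open_regular` and `NotRegularFile` are hypothetical names, the `read_file` and `append_file` bodies are illustrative, and the path is assumed to be already confined to the mounted image root.

```python
import errno
import os
import stat


class NotRegularFile(Exception):
    """Raised when the target is a device, FIFO, symlink, directory, etc."""


def open_regular(path, flags=os.O_RDONLY):
    """Open path and return a descriptor only if it is a regular file.

    O_NOFOLLOW rejects a symlink as the final path component (earlier
    components are not covered). O_NONBLOCK stops the open from blocking
    on a FIFO. The type is checked with fstat() on the open descriptor,
    so the object checked is the object later read or written, which a
    separate stat()-then-open() sequence cannot guarantee.
    Opening some device nodes has side effects of its own, so this check
    complements a nodev mount rather than replacing it.
    """
    try:
        fd = os.open(path, flags | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):  # final component is a symlink
            raise NotRegularFile(path) from exc
        raise
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        raise NotRegularFile(path)
    return fd


def read_file(path):
    """Return the file's bytes, refusing anything that is not a regular file."""
    with os.fdopen(open_regular(path), "rb") as f:
        return f.read()


def append_file(path, content):
    """Append bytes to an existing regular file only."""
    fd = open_regular(path, os.O_WRONLY | os.O_APPEND)
    with os.fdopen(fd, "ab") as f:
        f.write(content)
```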