All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Daniel P. Berrange" <berrange@redhat.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: Eduardo Otubo <eduardo.otubo@profitbricks.com>,
	qemu-devel@nongnu.org, thuth@redhat.com
Subject: Re: [Qemu-devel] [PATCH 3/5] seccomp: add elevateprivileges argument to command line
Date: Tue, 14 Mar 2017 11:52:53 +0000	[thread overview]
Message-ID: <20170314115253.GL2652@redhat.com> (raw)
In-Reply-To: <e9b2bd2a-8409-7470-76bb-32f15fe6ce0e@redhat.com>

On Tue, Mar 14, 2017 at 12:47:10PM +0100, Paolo Bonzini wrote:
> 
> 
> On 14/03/2017 12:32, Eduardo Otubo wrote:
> > This patch introduces the new argument [,elevateprivileges=deny] to the
> > `-sandbox on'. It avoids Qemu process to elevate its privileges by
> > blacklisting all set*uid|gid system calls
> > 
> > Signed-off-by: Eduardo Otubo <eduardo.otubo@profitbricks.com>
> > ---
> >  include/sysemu/seccomp.h |  1 +
> >  qemu-options.hx          |  8 ++++++--
> >  qemu-seccomp.c           | 28 ++++++++++++++++++++++++++++
> >  vl.c                     | 11 +++++++++++
> >  4 files changed, 46 insertions(+), 2 deletions(-)
> > 
> > diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h
> > index 7a7bde246b..e6e78d85ce 100644
> > --- a/include/sysemu/seccomp.h
> > +++ b/include/sysemu/seccomp.h
> > @@ -16,6 +16,7 @@
> >  #define QEMU_SECCOMP_H
> >  
> >  #define OBSOLETE    0x0001
> > +#define PRIVILEGED  0x0010
> >  
> >  #include <seccomp.h>
> >  
> > diff --git a/qemu-options.hx b/qemu-options.hx
> > index 1403d0c85f..47018db5aa 100644
> > --- a/qemu-options.hx
> > +++ b/qemu-options.hx
> > @@ -3732,8 +3732,10 @@ Old param mode (ARM only).
> >  ETEXI
> >  
> >  DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \
> > -    "-sandbox on[,obsolete=allow]  Enable seccomp mode 2 system call filter (default 'off').\n" \
> > -    "                              obsolete: Allow obsolete system calls",
> > +    "-sandbox on[,obsolete=allow][,elevateprivileges=deny]\n" \
> > +    "                               Enable seccomp mode 2 system call filter (default 'off').\n" \
> > +    "                               obsolete: Allow obsolete system calls\n" \
> > +    "                               elevateprivileges: avoids Qemu process to elevate its privileges by blacklisting all set*uid|gid system calls",
> 
> Why allow these by default?

The goal is that '-sandbox on' should not break *any* QEMU feature. It
needs to be a safe thing that people can unconditionally turn on without
thinking about it.  The QEMU bridge helper  requires setuid privs, hence
elevated privileges needs to be permitted by default. Similarly I could
see the qemu ifup  scripts, or migrate 'exec' command wanting to elevate
privs via setuid binaries if QEMU was running unprivileged.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|

  reply	other threads:[~2017-03-14 11:53 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-03-14 11:32 [Qemu-devel] [PATCH 0/5] seccomp: feature refactoring Eduardo Otubo
2017-03-14 11:32 ` [Qemu-devel] [PATCH 1/5] seccomp: changing from whitelist to blacklist Eduardo Otubo
2017-03-14 11:32 ` [Qemu-devel] [PATCH 2/5] seccomp: add obsolete argument to command line Eduardo Otubo
2017-03-14 11:47   ` Paolo Bonzini
2017-03-14 12:01   ` Thomas Huth
2017-03-14 12:22     ` Eduardo Otubo
2017-03-14 11:32 ` [Qemu-devel] [PATCH 3/5] seccomp: add elevateprivileges " Eduardo Otubo
2017-03-14 11:47   ` Paolo Bonzini
2017-03-14 11:52     ` Daniel P. Berrange [this message]
2017-03-14 12:13       ` Paolo Bonzini
2017-03-14 12:24         ` Daniel P. Berrange
2017-03-14 12:42           ` Eduardo Otubo
2017-03-14 12:32         ` Eduardo Otubo
2017-03-14 12:48           ` Paolo Bonzini
2017-03-14 13:02             ` Daniel P. Berrange
2017-03-14 13:05               ` Paolo Bonzini
2017-03-14 13:19                 ` Daniel P. Berrange
2017-03-14 11:32 ` [Qemu-devel] [PATCH 4/5] seccomp: add spawn " Eduardo Otubo
2017-03-14 11:32 ` [Qemu-devel] [PATCH 5/5] seccomp: add resourcecontrol " Eduardo Otubo
2017-03-14 11:40 ` [Qemu-devel] [PATCH 0/5] seccomp: feature refactoring no-reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170314115253.GL2652@redhat.com \
    --to=berrange@redhat.com \
    --cc=eduardo.otubo@profitbricks.com \
    --cc=pbonzini@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=thuth@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.