All of lore.kernel.org
 help / color / mirror / Atom feed
From: Eduardo Otubo <otubo@redhat.com>
To: qemu-devel@nongnu.org
Cc: berrange@redhat.com, thuth@redhat.com
Subject: [Qemu-devel] [PATCHv4 6/6] seccomp: adding documentation to new seccomp model
Date: Fri,  1 Sep 2017 12:58:18 +0200	[thread overview]
Message-ID: <20170901105818.31956-7-otubo@redhat.com> (raw)
In-Reply-To: <20170901105818.31956-1-otubo@redhat.com>

Adding new documentation under docs/ to describe every one and each new
option added by the refactoring patchset.

Signed-off-by: Eduardo Otubo <otubo@redhat.com>
---
 docs/seccomp.txt | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 docs/seccomp.txt

diff --git a/docs/seccomp.txt b/docs/seccomp.txt
new file mode 100644
index 0000000000..a5eca85a9b
--- /dev/null
+++ b/docs/seccomp.txt
@@ -0,0 +1,31 @@
+QEMU Seccomp system call filter
+===============================
+
+Starting from QEMU version 2.11, the seccomp filter does not work as a
+whitelist but as a blacklist instead. This method allows safer deploys since
+only the strictly forbidden system calls will be black-listed and the
+possibility of breaking any workload is close to zero.
+
+The default option (-sandbox on) has a slightly looser security though and the
+reason is that it shouldn't break any backwards compatibility with previous
+deploys and command lines already running. But if the intent is to have a
+better security from this version on, one should make use of the following
+additional options properly:
+
+* obsolete=allow|deny: It allows Qemu to run safely on old system that still
+  relies on old system calls.
+
+* elevateprivileges=allow|deny|children: It allows or denies Qemu process
+  to elevate its privileges by blacklisting all set*uid|gid system calls. The
+  'children' option sets the PR_SET_NO_NEW_PRIVS to 1 which allows helpers
+  (forks and execs) to run unprivileged.
+
+* spawn=allow|deny: It blacklists fork and execve system calls, avoiding QEMU to
+  spawn new threads or processes.
+
+* resourcecontrol=allow|deny: It blacklists all process affinity and scheduler
+  priority system calls to avoid that the process can increase its amount of
+  allowed resource consumption.
+
+--
+Eduardo Otubo <otubo@redhat.com>
-- 
2.13.5

  parent reply	other threads:[~2017-09-01 10:59 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-09-01 10:58 [Qemu-devel] [PATCHv4 0/6] seccomp: feature refactoring Eduardo Otubo
2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 1/6] seccomp: changing from whitelist to blacklist Eduardo Otubo
2017-09-01 11:04   ` Daniel P. Berrange
2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 2/6] seccomp: add obsolete argument to command line Eduardo Otubo
2017-09-01 11:05   ` Daniel P. Berrange
2017-09-07  9:31     ` Eduardo Otubo
2017-09-07  9:59       ` Daniel P. Berrange
2017-09-07  9:57   ` Daniel P. Berrange
2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 3/6] seccomp: add elevateprivileges " Eduardo Otubo
2017-09-07  9:58   ` Daniel P. Berrange
2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 4/6] seccomp: add spawn " Eduardo Otubo
2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 5/6] seccomp: add resourcecontrol " Eduardo Otubo
2017-09-01 10:58 ` Eduardo Otubo [this message]
2017-09-01 11:03   ` [Qemu-devel] [PATCHv4 6/6] seccomp: adding documentation to new seccomp model Daniel P. Berrange
2017-09-01 11:32 ` [Qemu-devel] [PATCHv4 0/6] seccomp: feature refactoring no-reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170901105818.31956-7-otubo@redhat.com \
    --to=otubo@redhat.com \
    --cc=berrange@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=thuth@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.