From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:60324) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1VGvE8-0006S7-1T for qemu-devel@nongnu.org; Tue, 03 Sep 2013 14:21:27 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1VGvDz-0000Vq-Qb for qemu-devel@nongnu.org; Tue, 03 Sep 2013 14:21:19 -0400 Received: from mx1.redhat.com ([209.132.183.28]:15470) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1VGvDz-0000VY-Ig for qemu-devel@nongnu.org; Tue, 03 Sep 2013 14:21:11 -0400 From: Paul Moore Date: Tue, 03 Sep 2013 14:21:02 -0400 Message-ID: <3584106.zoRa73cOQX@sifl> In-Reply-To: <5226259C.30400@linux.vnet.ibm.com> References: <1377738272-3470-1-git-send-email-otubo@linux.vnet.ibm.com> <5226243B.6040001@linux.vnet.ibm.com> <5226259C.30400@linux.vnet.ibm.com> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Subject: Re: [Qemu-devel] [PATCH] seccomp: adding a second whitelist List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Corey Bryant , Eduardo Otubo Cc: Stefan Hajnoczi , wad@chromium.org, qemu-devel@nongnu.org On Tuesday, September 03, 2013 02:08:28 PM Corey Bryant wrote: > On 09/03/2013 02:02 PM, Corey Bryant wrote: > > On 08/30/2013 10:21 AM, Eduardo Otubo wrote: > >> On 08/29/2013 05:34 AM, Stefan Hajnoczi wrote: > >>> On Wed, Aug 28, 2013 at 10:04:32PM -0300, Eduardo Otubo wrote: > >>>> Now there's a second whitelist, right before the vcpu starts. The > >>>> second > >>>> whitelist is the same as the first one, except for exec() and select(). > >>> > >>> -netdev tap,downscript=/path/to/script requires exec() in the QEMU > >>> shutdown code path. Will this work with seccomp? > >> > >> I actually don't know, but I'll test that as well. Can you run a test > >> with this patch and -netdev? I mean, if you're pointing that out you > >> might have a scenario already setup, right? > >> > >> Thanks! > > > > This uses exec() in net/tap.c. > > > > I think if we're going to introduce a sandbox environment that restricts > > existing QEMU behavior, then we have to introduce a new argument to the > > -sandbox option. So for example, "-sandbox on" would continue to use > > the whitelist that allows everything in QEMU to work (or at least it > > should :). And something like "-sandbox on,strict=on" would use the > > whitelist + blacklist. > > > > If this is acceptable though, then I wonder how we could go about adding > > new syscalls to the blacklist in future QEMU releases without regressing > > "-sandbox on,strict=on". > > Maybe a better approach is to provide support that allows libvirt to > define the blacklist and pass it to QEMU? FYI: I didn't want to mention this until I had some patches ready to post, but I'm currently working on adding syscall filtering, via libseccomp, to libvirt. I hope to get an initial RFC-quality patch out "soon". -- paul moore security and virtualization @ redhat