From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:47381)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from ) id 1VFPfs-0005sP-0S
	for qemu-devel@nongnu.org; Fri, 30 Aug 2013 10:27:52 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from ) id 1VFPfj-00012w-1c
	for qemu-devel@nongnu.org; Fri, 30 Aug 2013 10:27:43 -0400
Received: from e24smtp03.br.ibm.com ([32.104.18.24]:53779)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from ) id 1VFPfi-00012h-6i
	for qemu-devel@nongnu.org; Fri, 30 Aug 2013 10:27:34 -0400
Received: from /spool/local
	by e24smtp03.br.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted
	for from ; Fri, 30 Aug 2013 11:27:32 -0300
Received: from d24relay02.br.ibm.com (d24relay02.br.ibm.com [9.13.184.26])
	by d24dlp01.br.ibm.com (Postfix) with ESMTP id 1C2AE3520064
	for ; Fri, 30 Aug 2013 10:27:30 -0400 (EDT)
Received: from d24av03.br.ibm.com (d24av03.br.ibm.com [9.8.31.95])
	by d24relay02.br.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id r7UEPl8C44826858
	for ; Fri, 30 Aug 2013 11:25:47 -0300
Received: from d24av03.br.ibm.com (localhost [127.0.0.1])
	by d24av03.br.ibm.com (8.14.4/8.14.4/NCO v10.0 AVout) with ESMTP id r7UERTMs030718
	for ; Fri, 30 Aug 2013 11:27:29 -0300
Message-ID: <5220ABD0.7000802@linux.vnet.ibm.com>
Date: Fri, 30 Aug 2013 11:27:28 -0300
From: Eduardo Otubo
MIME-Version: 1.0
References: <1377738272-3470-1-git-send-email-otubo@linux.vnet.ibm.com> <2886554.JWDlXEmk61@sifl>
In-Reply-To: <2886554.JWDlXEmk61@sifl>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH] seccomp: adding a second whitelist
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
To: Paul Moore
Cc: coreyb@linux.vnet.ibm.com, wad@chromium.org, qemu-devel@nongnu.org

On 08/29/2013 09:56 AM, Paul Moore wrote:
> On Wednesday, August 28, 2013 10:04:32 PM Eduardo Otubo wrote:
>> Now there's a second whitelist, right before the vcpu starts. The second
>> whitelist is the same as the first one, except for exec() and select().
>>
>> Signed-off-by: Eduardo Otubo
>
> We talked about this in a previous thread, but as a reminder, the kernel's
> seccomp BPF filter works by executing all of the loaded filters for each
> syscall and taking the least permissive action for all of the results. In
> other words, if one filter returns ALLOW for a given syscall and another
> filter returns KILL, the kernel will select the KILL action for the syscall.
>
> With that in mind, I think the best option is to keep the existing whitelist
> and instead of creating a second whitelist, create a second *blacklist* that
> removes the syscalls you don't want to allow anymore, e.g. exec() and
> select(). This approach should be easier to maintain and would result in less
> overhead in the kernel's seccomp evaluator (the blacklist filter would be much
> smaller than a second whitelist filter).

You're correct. I was thinking of a whole other approach, but your point
makes a lot more sense. As I mentioned on the IRC, I should call
seccomp_init(SCMP_ACT_ALLOW) and
seccomp_rule_add(ctx, SCMP_ACT_KILL, list[i].num, 0); is that correct?

Thanks,

-- 
Eduardo Otubo
IBM Linux Technology Center
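The stacking rule Paul describes (every loaded filter runs on every syscall, and the least permissive result wins) can be watched directly. The program below is an added example, not QEMU's code and not the patch under discussion: it loads a toy four-entry whitelist (QEMU's real list is much longer), then stacks a one-entry blacklist on top of it, and forks children to see which syscalls survive. It uses raw seccomp-BPF through prctl(2) rather than libseccomp so it builds with nothing but the kernel headers; the blacklist filter it installs has the same effect as a libseccomp context created with seccomp_init(SCMP_ACT_ALLOW) plus one SCMP_ACT_KILL rule per denied syscall. The blacklist here denies only execve, standing in for the exec()/select() removal in the thread, because select(2) does not exist on every ABI. The function names, the whitelist contents and the "/nonexistent" path are all this example's own choices.

```c
/*
 * Added example: stack a seccomp whitelist and a small blacklist and observe
 * that the kernel takes the least permissive action across all loaded filters.
 * Not QEMU's code; the whitelist below is a toy, not QEMU's list.
 *
 * Build (Linux only, no libseccomp needed):
 *   gcc -std=gnu99 -Wall -o stack stack.c && ./stack
 */
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define ARCH_NR AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define MAX_RULES 16

/* Build and load one filter: every syscall in nrs[] gets match_action, every
 * other syscall gets default_action. A whitelist is (ALLOW, KILL); a
 * blacklist is (KILL, ALLOW). Returns 0 on success, -1 on failure. */
static int install_filter(const int *nrs, size_t n,
                          uint32_t match_action, uint32_t default_action)
{
    struct sock_filter insns[4 + 2 * MAX_RULES + 1];
    size_t i = 0;

    if (n > MAX_RULES)
        return -1;

    /* Syscall numbers are per-ABI, so kill on an unexpected architecture. */
    insns[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                              offsetof(struct seccomp_data, arch));
    insns[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    insns[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);

    /* Load the syscall number and compare it against each listed entry. */
    insns[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                              offsetof(struct seccomp_data, nr));
    for (size_t j = 0; j < n; j++) {
        /* On a match fall through to the return; otherwise skip it. */
        insns[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                  (uint32_t)nrs[j], 0, 1);
        insns[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, match_action);
    }
    insns[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, default_action);

    struct sock_fprog prog = { .len = (unsigned short)i, .filter = insns };

    /* Unprivileged processes must set no_new_privs before loading a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* Toy whitelist (example's own choice). prctl must be on it, otherwise the
 * second filter can never be loaded; exit_group is what _exit() issues. */
static const int whitelist[] = { SYS_prctl, SYS_exit_group, SYS_execve, SYS_getppid };
/* The "second blacklist" from the thread: only what is being taken away. */
static const int blacklist[] = { SYS_execve };

/* Fork a child, install the whitelist and optionally the blacklist on top,
 * then issue syscall nr. Returns 0 if the child exited normally, the signal
 * number if seccomp killed it (SIGSYS), or -1 on a harness error. */
int probe(int with_blacklist, long nr)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_filter(whitelist, sizeof whitelist / sizeof whitelist[0],
                           SECCOMP_RET_ALLOW, SECCOMP_RET_KILL) != 0)
            _exit(2);
        if (with_blacklist &&
            install_filter(blacklist, sizeof blacklist / sizeof blacklist[0],
                           SECCOMP_RET_KILL, SECCOMP_RET_ALLOW) != 0)
            _exit(3);
        /* Only raw syscalls from here on, so nothing else trips the filters. */
        if (nr == SYS_execve)
            syscall(SYS_execve, "/nonexistent", (char *[]){ NULL }, (char *[]){ NULL });
        else
            syscall(nr);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return 0;
    return -1;
}

int main(void)
{
    printf("whitelist only, getppid : %d\n", probe(0, SYS_getppid));
    printf("whitelist only, getpid  : %d (SIGSYS is %d)\n", probe(0, SYS_getpid), SIGSYS);
    printf("whitelist only, execve  : %d\n", probe(0, SYS_execve));
    printf("both filters,   execve  : %d (SIGSYS is %d)\n", probe(1, SYS_execve), SIGSYS);
    printf("both filters,   getppid : %d\n", probe(1, SYS_getppid));
    return 0;
}
```

Two things the run makes concrete. First, execve passes the whitelist alone but is killed once the one-entry blacklist is stacked, while getppid still passes both: the ALLOW from the whitelist never overrides the KILL from the blacklist, which is exactly why a second filter only needs to name what is being removed. Second, the first filter has to permit whatever syscall loads the second one (prctl here, or seccomp(2) on newer kernels), so a QEMU whitelist that is installed early must keep that entry if a later filter is to be added before the vcpu starts.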