From: Eduardo Otubo <eduardo.otubo@profitbricks.com>
To: Markus Armbruster <armbru@redhat.com>
Cc: Namsun Ch'o <namnamc@Safe-mail.net>, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the seccomp sandbox
Date: Fri, 2 Oct 2015 16:08:20 +0200 [thread overview]
Message-ID: <20151002140820.GB25464@vader> (raw)
In-Reply-To: <87twq9bn5l.fsf@blackfin.pond.sub.org>
[-- Attachment #1: Type: text/plain, Size: 1206 bytes --]
On Fri, Oct 02, 2015 at 12=05=58PM +0200, Markus Armbruster wrote:
> "Daniel P. Berrange" <berrange@redhat.com> writes:
>
> > On Thu, Oct 01, 2015 at 02:06:32PM +0200, Markus Armbruster wrote:
> >> "Namsun Ch'o" <namnamc@Safe-mail.net> writes:
> >>
> >> > The seccomp sandbox doesn't whitelist setuid, setgid, or
> >> > setgroups, which are
> >> > needed for -runas to work. It also doesn't whitelist chroot, which is needed
> >> > for the -chroot option. Unfortunately, QEMU enables seccomp before it drops
> >> > privileges or chroots, so without these whitelisted, -runas and
> >> > -chroot cause
> >> > QEMU to be killed with -sandbox on. This patch adds those syscalls.
> >>
> >> Should it enable seccomp a bit later?
> >
> > Yeah, I think it would be better to move the seccomp enablement later.
>
> Let's do that then.
Where exactly you guys think we could call seccomp enablement? Right
it's called (almost) right before cpu_exec_init_all(), on vl.c:4013. I
guess it is as later as it could.
>
> > Adding setuid and chroot to the allow list is pretty strongly undesirable
> > from a security protection POV.
>
> Indeed.
--
Eduardo Otubo
ProfitBricks GmbH
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 473 bytes --]
next prev parent reply other threads:[~2015-10-02 14:08 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-01 4:36 [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the seccomp sandbox Namsun Ch'o
2015-10-01 12:06 ` Markus Armbruster
2015-10-02 8:30 ` Daniel P. Berrange
2015-10-02 10:05 ` Markus Armbruster
2015-10-02 14:08 ` Eduardo Otubo [this message]
2015-10-02 14:15 ` Daniel P. Berrange
2015-10-02 15:36 ` Eduardo Otubo
2015-10-08 13:34 ` Eduardo Otubo
-- strict thread matches above, loose matches on Subject: below --
2015-10-02 0:17 namnamc
2015-10-09 2:09 namnamc
2015-10-09 6:54 ` Markus Armbruster
2015-10-09 7:24 ` Eduardo Otubo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151002140820.GB25464@vader \
--to=eduardo.otubo@profitbricks.com \
--cc=armbru@redhat.com \
--cc=namnamc@Safe-mail.net \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.