From: Eduardo Otubo
Date: Fri, 2 Oct 2015 16:08:20 +0200
To: Markus Armbruster
Cc: Namsun Ch'o, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the seccomp sandbox
Message-ID: <20151002140820.GB25464@vader>
In-Reply-To: <87twq9bn5l.fsf@blackfin.pond.sub.org>

On Fri, Oct 02, 2015 at 12:05:58PM +0200, Markus Armbruster wrote:
> "Daniel P. Berrange" writes:
> 
> > On Thu, Oct 01, 2015 at 02:06:32PM +0200, Markus Armbruster wrote:
> >> "Namsun Ch'o" writes:
> >> 
> >> > The seccomp sandbox doesn't whitelist setuid, setgid, or setgroups, which are
> >> > needed for -runas to work. It also doesn't whitelist chroot, which is needed
> >> > for the -chroot option. Unfortunately, QEMU enables seccomp before it drops
> >> > privileges or chroots, so without these whitelisted, -runas and -chroot cause
> >> > QEMU to be killed with -sandbox on. This patch adds those syscalls.
> >> 
> >> Should it enable seccomp a bit later?
> >
> > Yeah, I think it would be better to move the seccomp enablement later.
> 
> Let's do that then.

Where exactly do you guys think we could call seccomp enablement? Right now it's called (almost) right before cpu_exec_init_all(), on vl.c:4013. I guess that is as late as it could be.

> 
> > Adding setuid and chroot to the allow list is pretty strongly undesirable
> > from a security protection POV.
> 
> Indeed.

-- 
Eduardo Otubo
ProfitBricks GmbH