Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot tothe seccomp sandbox

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Daniel P. Berrange" <berrange@redhat.com>
To: Markus Armbruster <armbru@redhat.com>
Cc: Namsun Ch'o <namnamc@Safe-mail.net>, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot tothe seccomp sandbox
Date: Mon, 5 Oct 2015 09:22:34 +0100	[thread overview]
Message-ID: <20151005082234.GA19336@redhat.com> (raw)
In-Reply-To: <878u7hao1x.fsf@blackfin.pond.sub.org>

On Mon, Oct 05, 2015 at 07:20:58AM +0200, Markus Armbruster wrote:
> "Namsun Ch'o" <namnamc@Safe-mail.net> writes:
> 
> >> If we intend seccomp to protect against flaws during QEMU setup, then having
> >> it earlier is neccessary. eg QEMU opening a corrupt qcow2 image which might
> >> exploit QEMU before the guest CPUs start.
> >
> >> If the latter is the case, then we could start with a relaxed seccomp
> >> sandbox which included the setuid/chroot features, and then switch to a
> >> more restricted one which blocked them before main_loop() runs.
> >
> > That's not possible. Seccomp will not be enforced until seccomp_load(ctx) is
> > called, after which no new changes to the filter can be made.
> 
> That's a pity.
> 
> As long as it's the case, we need to pick: either we protect against
> rogue guests, or against rogue images.  The original idea was the
> former, and it still makes the most sense to me.

Yep, protecting against rogue guests seems much more important.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

next prev parent reply	other threads:[~2015-10-05  8:22 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-10-04  4:00 [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot tothe seccomp sandbox Namsun Ch'o
2015-10-05  5:20 ` Markus Armbruster
2015-10-05  8:22   ` Daniel P. Berrange [this message]
  -- strict thread matches above, loose matches on Subject: below --
2015-10-04  5:05 Namsun Ch'o
2015-10-05  5:23 ` Markus Armbruster
2015-10-05 22:58 Namsun Ch'o
2015-10-06  5:36 ` Markus Armbruster

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20151005082234.GA19336@redhat.com \
    --to=berrange@redhat.com \
    --cc=armbru@redhat.com \
    --cc=namnamc@Safe-mail.net \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.