Re: [Qemu-devel] [PATCHv4 6/6] seccomp: adding documentation to new seccomp model

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Daniel P. Berrange" <berrange@redhat.com>
To: Eduardo Otubo <otubo@redhat.com>
Cc: qemu-devel@nongnu.org, thuth@redhat.com
Subject: Re: [Qemu-devel] [PATCHv4 6/6] seccomp: adding documentation to new seccomp model
Date: Fri, 1 Sep 2017 12:03:35 +0100	[thread overview]
Message-ID: <20170901110335.GI31680@redhat.com> (raw)
In-Reply-To: <20170901105818.31956-7-otubo@redhat.com>

On Fri, Sep 01, 2017 at 12:58:18PM +0200, Eduardo Otubo wrote:
> Adding new documentation under docs/ to describe every one and each new
> option added by the refactoring patchset.
> 
> Signed-off-by: Eduardo Otubo <otubo@redhat.com>
> ---
>  docs/seccomp.txt | 31 +++++++++++++++++++++++++++++++
>  1 file changed, 31 insertions(+)
>  create mode 100644 docs/seccomp.txt
> 
> diff --git a/docs/seccomp.txt b/docs/seccomp.txt
> new file mode 100644
> index 0000000000..a5eca85a9b
> --- /dev/null
> +++ b/docs/seccomp.txt
> @@ -0,0 +1,31 @@
> +QEMU Seccomp system call filter
> +===============================
> +
> +Starting from QEMU version 2.11, the seccomp filter does not work as a
> +whitelist but as a blacklist instead. This method allows safer deploys since
> +only the strictly forbidden system calls will be black-listed and the
> +possibility of breaking any workload is close to zero.
> +
> +The default option (-sandbox on) has a slightly looser security though and the
> +reason is that it shouldn't break any backwards compatibility with previous
> +deploys and command lines already running. But if the intent is to have a
> +better security from this version on, one should make use of the following
> +additional options properly:
> +
> +* obsolete=allow|deny: It allows Qemu to run safely on old system that still
> +  relies on old system calls.
> +
> +* elevateprivileges=allow|deny|children: It allows or denies Qemu process
> +  to elevate its privileges by blacklisting all set*uid|gid system calls. The
> +  'children' option sets the PR_SET_NO_NEW_PRIVS to 1 which allows helpers
> +  (forks and execs) to run unprivileged.
> +
> +* spawn=allow|deny: It blacklists fork and execve system calls, avoiding QEMU to
> +  spawn new threads or processes.
> +
> +* resourcecontrol=allow|deny: It blacklists all process affinity and scheduler
> +  priority system calls to avoid that the process can increase its amount of
> +  allowed resource consumption.
> +

This ought to be part of qemu-options.hx so it makes it into the qemu
docs & man page.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

next prev parent reply	other threads:[~2017-09-01 11:03 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-09-01 10:58 [Qemu-devel] [PATCHv4 0/6] seccomp: feature refactoring Eduardo Otubo
2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 1/6] seccomp: changing from whitelist to blacklist Eduardo Otubo
2017-09-01 11:04   ` Daniel P. Berrange
2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 2/6] seccomp: add obsolete argument to command line Eduardo Otubo
2017-09-01 11:05   ` Daniel P. Berrange
2017-09-07  9:31     ` Eduardo Otubo
2017-09-07  9:59       ` Daniel P. Berrange
2017-09-07  9:57   ` Daniel P. Berrange
2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 3/6] seccomp: add elevateprivileges " Eduardo Otubo
2017-09-07  9:58   ` Daniel P. Berrange
2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 4/6] seccomp: add spawn " Eduardo Otubo
2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 5/6] seccomp: add resourcecontrol " Eduardo Otubo
2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 6/6] seccomp: adding documentation to new seccomp model Eduardo Otubo
2017-09-01 11:03   ` Daniel P. Berrange [this message]
2017-09-01 11:32 ` [Qemu-devel] [PATCHv4 0/6] seccomp: feature refactoring no-reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170901110335.GI31680@redhat.com \
    --to=berrange@redhat.com \
    --cc=otubo@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=thuth@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.