From: Paul Moore <pmoore@redhat.com>
To: Eduardo Otubo <otubo@linux.vnet.ibm.com>
Cc: lmr@redhat.com, qemu-devel@nongnu.org, anthony@codemonkey.ws
Subject: Re: [Qemu-devel] [PATCH] seccomp: "-sandbox on" won't kill Qemu when option not built in
Date: Mon, 09 Dec 2013 13:16:28 -0500 [thread overview]
Message-ID: <3282317.3ykRPnnAV1@sifl> (raw)
In-Reply-To: <52A60328.6020102@linux.vnet.ibm.com>
On Monday, December 09, 2013 03:51:36 PM Eduardo Otubo wrote:
> On 12/09/2013 03:33 PM, Daniel P. Berrange wrote:
> > On Mon, Dec 09, 2013 at 03:20:52PM -0200, Eduardo Otubo wrote:
> >> This option was requested by virt-test team so they can run tests with
> >> Qemu and "-sandbox on" set without breaking whole test if host doesn't
> >>
> >> have support for seccomp in kernel. It covers two possibilities:
> >> 1) Host kernel support does not support seccomp, but user installed
> >> Qemu
> >>
> >> package with sandbox support: Libseccomp will fail -> qemu will fail
> >> nicely and won't stop execution.
> >>
> >> 2) Host kernel has support but Qemu package wasn't built with sandbox
> >>
> >> feature. Qemu will fail nicely and won't stop execution.
> >>
> >> Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
> >> ---
> >>
> >> vl.c | 10 +++-------
> >> 1 file changed, 3 insertions(+), 7 deletions(-)
{snip}
> > This change is really dubious from a security POV. If the admin requested
> > sandboxing and the host or QEMU build cannot support it, then QEMU really
> > *must* exit.
>
> I think an admin must know what he's doing. If he requested sandbox but
> without kernel support he need to step back a little and understand what
> he's doing. This patch won't decrease the security level, IMHO.
NACK
For the reasons Daniel already mentioned. Mistakes happen, a lot, and if the
user explicitly requests security functionality and we can't provide it we
need to fail in a manner that doesn't increase the user's risk.
> > IMHO the test suite should probe to see if sandbox is working or not, and
> > just not use the "-sandbox on" arg if the host doesn't support it.
>
> But I think this could be done on virt-test as well :)
This would be ideal, but if you must have a fallback mechanism in QEMU proper,
make it separate from '-sandbox on' so that it doesn't break with the current
behavior and also makes it is obvious that the functionality is not
guaranteed, e.g. '-sandbox try' or similar.
--
paul moore
security and virtualization @ redhat
next prev parent reply other threads:[~2013-12-09 18:16 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-12-09 17:20 [Qemu-devel] [PATCH] seccomp: "-sandbox on" won't kill Qemu when option not built in Eduardo Otubo
2013-12-09 17:33 ` Daniel P. Berrange
2013-12-09 17:51 ` Eduardo Otubo
2013-12-09 18:16 ` Paul Moore [this message]
2013-12-10 3:20 ` Corey Bryant
2013-12-10 18:48 ` Lucas Meneghel Rodrigues
2013-12-10 19:31 ` Paul Moore
2013-12-10 20:13 ` Lucas Meneghel Rodrigues
2013-12-10 19:35 ` Eduardo Otubo
2013-12-09 19:11 ` Lucas Meneghel Rodrigues
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3282317.3ykRPnnAV1@sifl \
--to=pmoore@redhat.com \
--cc=anthony@codemonkey.ws \
--cc=lmr@redhat.com \
--cc=otubo@linux.vnet.ibm.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.