From: Paolo Bonzini <pbonzini@redhat.com>
To: Eduardo Otubo <eduardo.otubo@profitbricks.com>, qemu-devel@nongnu.org
Cc: Namsun Ch'o <namnamc@Safe-mail.net>,
peter.maydell@linaro.org, drjones@redhat.com,
dann.frazier@canonical.com
Subject: Re: [Qemu-devel] [PULL 04/05] seccomp: add setuid, setgid, chroot and setgroups to whitelist
Date: Mon, 2 Nov 2015 08:51:26 +0100 [thread overview]
Message-ID: <563715FE.1050206@redhat.com> (raw)
In-Reply-To: <1446212690-7656-5-git-send-email-eduardo.otubo@profitbricks.com>
On 30/10/2015 14:44, Eduardo Otubo wrote:
> From: Namsun Ch'o <namnamc@Safe-mail.net>
>
> The seccomp sandbox doesn't whitelist setuid, setgid, or setgroups, which are
> needed for -runas to work. It also doesn't whitelist chroot, which is needed
> for the -chroot option. Unfortunately, QEMU enables seccomp before it drops
> privileges or chroots, so without these whitelisted, -runas and -chroot cause
> QEMU to be killed with -sandbox on. This patch adds those syscalls.
I think this patch should not be applied, because it completely defeats
the purpose of the sandbox. With these syscalls whitelisted, -runas and
-chroot have absolutely no effect against an attacker, even with
-sandbox on.
Paolo
next prev parent reply other threads:[~2015-11-02 7:51 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-30 13:44 [Qemu-devel] [PULL 00/05] seccomp branch queue Eduardo Otubo
2015-10-30 13:44 ` [Qemu-devel] [PULL 01/05] seccomp: add cacheflush to whitelist Eduardo Otubo
2015-11-02 17:56 ` [Qemu-devel] [PATCH v2] " Andrew Jones
2015-11-02 18:09 ` Peter Maydell
2015-11-02 19:04 ` Andrew Jones
2015-11-02 20:37 ` Peter Maydell
2015-11-02 22:18 ` Andrew Jones
2015-11-02 22:53 ` [Qemu-devel] [PATCH v3] " Andrew Jones
2015-11-09 21:47 ` Andrew Jones
2015-11-11 8:23 ` Eduardo Otubo
2015-10-30 13:44 ` [Qemu-devel] [PULL 02/05] configure: arm/aarch64: allow enable-seccomp Eduardo Otubo
2015-10-30 13:44 ` [Qemu-devel] [PULL 03/05] seccomp: add madvise, shmget, and shmctl to whitelist Eduardo Otubo
2015-10-30 13:44 ` [Qemu-devel] [PULL 04/05] seccomp: add setuid, setgid, chroot and setgroups " Eduardo Otubo
2015-11-02 7:51 ` Paolo Bonzini [this message]
2015-11-11 8:25 ` Eduardo Otubo
2015-10-30 13:44 ` [Qemu-devel] [PULL 05/05] seccomp: loosen library version dependency Eduardo Otubo
2015-10-30 16:30 ` [Qemu-devel] [PULL 00/05] seccomp branch queue Peter Maydell
2015-10-30 18:35 ` Andrew Jones
-- strict thread matches above, loose matches on Subject: below --
2015-11-18 7:10 [Qemu-devel] [PULL 04/05] seccomp: add setuid, setgid, chroot and setgroups to whitelist Namsun Ch'o
2015-11-19 2:35 Namsun Ch'o
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=563715FE.1050206@redhat.com \
--to=pbonzini@redhat.com \
--cc=dann.frazier@canonical.com \
--cc=drjones@redhat.com \
--cc=eduardo.otubo@profitbricks.com \
--cc=namnamc@Safe-mail.net \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.