Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot tothe seccomp sandbox

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Markus Armbruster <armbru@redhat.com>
To: Namsun Ch'o <namnamc@Safe-mail.net>
Cc: qemu-devel@nongnu.org, eduardo.otubo@profitbricks.com
Subject: Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot tothe seccomp sandbox
Date: Tue, 06 Oct 2015 07:36:02 +0200	[thread overview]
Message-ID: <87a8rw36f1.fsf@blackfin.pond.sub.org> (raw)
In-Reply-To: <N1-kI2elh--YL@Safe-mail.net> (Namsun Ch'o's message of "Mon, 5 Oct 2015 18:58:12 -0400")

"Namsun Ch'o" <namnamc@Safe-mail.net> writes:

>> Drawback: complexity.  If we decide to limit ourselves to the original
>> threat model (rogue guest), and enter the sandbox only after setup, we
>> can keep things simpler.
>
> We could do both without much complexity. This looks simple enough to me:
>
>   rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chroot), 1,
>         SCMP_A0(SCMP_CMP_EQ, chroot_dir));
>   if (rc < 0)
>         goto seccomp_return;
>
>   rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chdir), 1,
>         SCMP_A0(SCMP_CMP_EQ, "/"));
>   if (rc < 0)
>         goto seccomp_return;
>
> The only time chroot_dir is ever used is in os-posix.c:139:
>
>   if (chroot(chroot_dir) < 0) {

I'm afraid this materially weakens the sandbox.  chroot_dir is writable.

We don't need to permit chroot(chroot_dir) if we enter the sandbox only
after setup.

next prev parent reply	other threads:[~2015-10-06  5:36 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-10-05 22:58 [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot tothe seccomp sandbox Namsun Ch'o
2015-10-06  5:36 ` Markus Armbruster [this message]
  -- strict thread matches above, loose matches on Subject: below --
2015-10-04  5:05 Namsun Ch'o
2015-10-05  5:23 ` Markus Armbruster
2015-10-04  4:00 Namsun Ch'o
2015-10-05  5:20 ` Markus Armbruster
2015-10-05  8:22   ` Daniel P. Berrange

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87a8rw36f1.fsf@blackfin.pond.sub.org \
    --to=armbru@redhat.com \
    --cc=eduardo.otubo@profitbricks.com \
    --cc=namnamc@Safe-mail.net \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.