From: Anthony Liguori
To: Paul Moore, Eduardo Otubo, coreyb@linux.vnet.ibm.com
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCHv2 3/4] Support for "double whitelist" filters
Date: Fri, 02 Nov 2012 17:01:50 -0500
Message-ID: <87pq3v8y0h.fsf@codemonkey.ws>
In-Reply-To: <1451403.LXhkiqE48F@sifl>
References: <1350971732-16621-1-git-send-email-otubo@linux.vnet.ibm.com> <1350971732-16621-3-git-send-email-otubo@linux.vnet.ibm.com> <1451403.LXhkiqE48F@sifl>

Paul Moore writes:

> On Tuesday, October 23, 2012 03:55:31 AM Eduardo Otubo wrote:
>> This patch includes a second whitelist right before the main loop. It's
>> a smaller and more restricted whitelist, excluding execve() among many
>> others.
>>
>> v2: * ctx changed to main_loop_ctx
>>     * seccomp_on now inside ifdef
>>     * open syscall added to the main_loop whitelist
>>
>> Signed-off-by: Eduardo Otubo
>
> Unfortunately qemu.org seems to be down for me today so I can't grab
> the

qemu.org is up, just having DNS problems. Use git.qemu-project.org instead
and you should be fine.

Regards,

Anthony Liguori

> latest repo to review/verify this patch (some of my comments/assumptions below
> may be off) but I'm a little confused, hopefully you guys can help me out,
> read below ...
>
> The first call to seccomp_install_filter() will set up a whitelist for the
> syscalls that have been explicitly specified, all others will hit the default
> action TRAP/KILL. The second call to seccomp_install_filter() will add a
> second whitelist for another set of explicitly specified syscalls, all others
> will hit the default action TRAP/KILL.
>
> The problem occurs when the filters are executed in the kernel when a syscall
> is executed. On each syscall the first filter will be executed and the action
> will either be ALLOW or TRAP/KILL, next the second filter will be executed and
> the action will either be ALLOW or TRAP/KILL; since the kernel always takes
> the most restrictive (lowest integer action value) action when multiple
> filters are specified, I think your double whitelist value is going to have
> some inherent problems. I might suggest an initial, fairly permissive
> whitelist followed by a follow-on blacklist if you want to disable certain
> syscalls.
>
> --
> paul moore
> security and virtualization @ redhat
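The stacking rule Paul describes, modelled in C as an added example (my own, not QEMU's code or anything from the patch; the action values are those of <linux/seccomp.h>, the syscall numbers and rule sets are constructed): every installed filter runs on each syscall and the lowest action value wins, so a "double whitelist" collapses to the intersection of the two lists and the second whitelist can never add a syscall, whereas a permissive whitelist followed by a blacklist that defaults to ALLOW denies exactly the listed syscalls.

```c
#include <stdint.h>
#include <stddef.h>
/* Action values as defined in <linux/seccomp.h>; only the action bits matter here. */
#define SECCOMP_RET_KILL  0x00000000U
#define SECCOMP_RET_TRAP  0x00030000U
#define SECCOMP_RET_ALLOW 0x7fff0000U

/* Constructed syscall numbers for the model, not real architecture values. */
enum { NR_READ = 1, NR_WRITE = 2, NR_OPEN = 3, NR_EXECVE = 4, NR_EXIT = 5, NR_SOCKET = 6 };
/* An installed filter: explicit (syscall, action) rules plus a default action. */
struct rule { int nr; uint32_t action; };
struct filter { const struct rule *rules; size_t n; uint32_t dflt; };

static uint32_t run_filter(const struct filter *f, int nr) {
    for (size_t i = 0; i < f->n; i++)
        if (f->rules[i].nr == nr) return f->rules[i].action;
    return f->dflt;
}

/* Kernel rule for stacked filters: every filter runs and the lowest action value
 * (compared as signed 32-bit) wins, so a later filter can only tighten the result. */
static uint32_t run_stack(const struct filter *fs, size_t count, int nr) {
    uint32_t ret = SECCOMP_RET_ALLOW;
    for (size_t i = 0; i < count; i++) {
        uint32_t cur = run_filter(&fs[i], nr);
        if ((int32_t)cur < (int32_t)ret) ret = cur;
    }
    return ret;
}
/* The broad whitelist installed first (default KILL), shared by both scenarios. */
static const struct rule broad[] = {
    {NR_READ, SECCOMP_RET_ALLOW}, {NR_WRITE, SECCOMP_RET_ALLOW}, {NR_OPEN, SECCOMP_RET_ALLOW},
    {NR_EXECVE, SECCOMP_RET_ALLOW}, {NR_EXIT, SECCOMP_RET_ALLOW} };

/* Patch's approach: a second, narrower whitelist (default TRAP) before the main loop. */
static uint32_t double_whitelist(int nr) {
    static const struct rule narrow[] = {
        {NR_READ, SECCOMP_RET_ALLOW}, {NR_WRITE, SECCOMP_RET_ALLOW}, {NR_OPEN, SECCOMP_RET_ALLOW},
        {NR_EXIT, SECCOMP_RET_ALLOW}, {NR_SOCKET, SECCOMP_RET_ALLOW} };
    const struct filter stack[] = { {broad, 5, SECCOMP_RET_KILL}, {narrow, 5, SECCOMP_RET_TRAP} };
    return run_stack(stack, 2, nr);
}
/* Paul's suggestion: permissive whitelist, then a blacklist that defaults to ALLOW. */
static uint32_t whitelist_then_blacklist(int nr) {
    static const struct rule deny[] = { {NR_EXECVE, SECCOMP_RET_TRAP} };
    const struct filter stack[] = { {broad, 5, SECCOMP_RET_KILL}, {deny, 1, SECCOMP_RET_ALLOW} };
    return run_stack(stack, 2, nr);
}
```

Note that NR_SOCKET, allowed only by the second whitelist, still resolves to KILL from the first filter's default: the second list cannot widen what the first already denied.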