Date: Sun, 4 Oct 2015 00:00:38 -0400
From: "Namsun Ch'o"
To: berrange@redhat.com
Cc: armbru@redhat.com, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the seccomp sandbox

> If we intend seccomp to protect against flaws during QEMU setup, then having
> it earlier is necessary, e.g. QEMU opening a corrupt qcow2 image which might
> exploit QEMU before the guest CPUs start.
>
> If the latter is the case, then we could start with a relaxed seccomp
> sandbox which included the setuid/chroot features, and then switch to a
> more restricted one which blocked them before main_loop() runs.

That's not possible. Seccomp will not be enforced until seccomp_load(ctx) is
called, after which no new changes to the filter can be made.