qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed
From: Eric Paris <eparis@redhat.com>
To: Anthony Liguori <anthony@codemonkey.ws>
Cc: "Stefan Hajnoczi" <stefanha@gmail.com>,
	"Corey Bryant" <coreyb@linux.vnet.ibm.com>,
	"Michael Halcrow" <mhalcrow@google.com>,
	qemu-devel@nongnu.org, "George Wilson" <gcwilson@us.ibm.com>,
	"Paul Moore" <pmoore@redhat.com>,
	"Ashley D Lai" <adlai@us.ibm.com>, "Avi Kivity" <avi@redhat.com>,
	"Richa Marwaha" <rmarwah@us.ibm.com>,
	"Amit Shah" <amit.shah@redhat.com>,
	"Radim Krčmář" <radimkrcmar@hpx.cz>,
	"Eduardo Terrell Ferrari Otubo" <eotubo@br.ibm.com>,
	"Lee Terrell" <lterrell@us.ibm.com>
Subject: Re: [Qemu-devel] [RFC] Device sandboxing
Date: Wed, 07 Dec 2011 15:54:50 -0500	[thread overview]
Message-ID: <1323291290.2486.13.camel@localhost> (raw)
In-Reply-To: <4EDFC1F3.1080900@codemonkey.ws>

On Wed, 2011-12-07 at 13:43 -0600, Anthony Liguori wrote:
> On 12/07/2011 01:32 PM, Corey Bryant wrote:

> > That would seem like the logical approach. I think there may be new mode 2
> > patches coming soon so we can see how they go over.
> 
> I'd like to see what the whitelist would need to be for something like QEMU in 
> mode 2.  My biggest concern is that the whitelist would need to be so large that 
> the practical security what's all that much improved.

When I prototyped my version of seccomp v2 for qemu a while back I did
it by only looking at syscalls after inital setup was completed (aka the
very last thing before main_loop() was to lock it down).  My list was
much sorter than even these:

+        __NR_brk,
+        __NR_close,
+        __NR_exit_group,
+        __NR_futex,
+        __NR_ioctl,
+        __NR_madvise,
+        __NR_mmap,
+        __NR_munmap,
+        __NR_read,
+        __NR_recvfrom,
+        __NR_recvmsg,
+        __NR_rt_sigaction,
+        __NR_select,
+        __NR_sendto,
+        __NR_tgkill,
+        __NR_timer_delete,
+        __NR_timer_gettime,
+        __NR_timer_settime,
+        __NR_write,
+        __NR_writev,

There is simple obvious negligible overhead value here, but every
proposal I know of, including mine, has been shot down by Ingo.  Ingo's
proposal is much more work, more overhead, but clearly more flexible.
His suggestions (and code based on those suggestions from others) has
been shot down by PeterZ.

So I feel like seccomp v2 is between a rock and a hard place.  We have
something that works really well, and could be a huge win for all sorts
of programs, but we don't seem to be able to get anything past the
damned if you do, damned if you don't nak's.....

(There's also a cgroup version of seccomp proposed, but I'm guessing it
will go just about as far as all the other versions)

-Eric

  parent reply	other threads:[~2011-12-07 20:55 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-12-07 18:25 [Qemu-devel] [RFC] Device sandboxing Corey Bryant
2011-12-07 18:48 ` Anthony Liguori
2011-12-07 19:32   ` Corey Bryant
2011-12-07 19:43     ` Anthony Liguori
2011-12-07 19:52       ` Michael Halcrow
2011-12-07 20:02       ` Corey Bryant
2011-12-07 20:54       ` Eric Paris [this message]
2011-12-08  9:40         ` Stefan Hajnoczi
2011-12-11 10:50           ` Dor Laor
2011-12-12 18:54             ` Will Drewry
2011-12-08  9:47     ` Stefan Hajnoczi
2011-12-08 14:39       ` Corey Bryant
2011-12-07 21:20   ` Paul Moore
2011-12-14 17:15     ` Serge E. Hallyn
2011-12-14 23:56       ` Paul Moore
2011-12-15 14:28         ` Corey Bryant
2011-12-15 15:14           ` Serge Hallyn
2011-12-15 15:35             ` Paul Moore
2011-12-15 16:05               ` Serge Hallyn
2011-12-08 21:51 ` Blue Swirl
2011-12-12 18:30   ` Corey Bryant
2011-12-09 16:17 ` Paul Brook
2011-12-09 16:34   ` Paul Moore
2011-12-09 17:32     ` Paul Brook
2011-12-09 17:49       ` Paul Moore
2011-12-09 18:46         ` Paul Brook
2011-12-09 18:50           ` Paul Moore
2011-12-09 18:59           ` Paul Brook
2011-12-09 19:17             ` Paul Moore
2011-12-10 19:39   ` Blue Swirl
2011-12-11  9:08   ` Avi Kivity

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1323291290.2486.13.camel@localhost \
    --to=eparis@redhat.com \
    --cc=adlai@us.ibm.com \
    --cc=amit.shah@redhat.com \
    --cc=anthony@codemonkey.ws \
    --cc=avi@redhat.com \
    --cc=coreyb@linux.vnet.ibm.com \
    --cc=eotubo@br.ibm.com \
    --cc=gcwilson@us.ibm.com \
    --cc=lterrell@us.ibm.com \
    --cc=mhalcrow@google.com \
    --cc=pmoore@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=radimkrcmar@hpx.cz \
    --cc=rmarwah@us.ibm.com \
    --cc=stefanha@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).