From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:60104)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <otubo@linux.vnet.ibm.com>) id 1TXzzr-0003WH-OA
	for qemu-devel@nongnu.org; Mon, 12 Nov 2012 14:48:42 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <otubo@linux.vnet.ibm.com>) id 1TXzzo-0002lU-LZ
	for qemu-devel@nongnu.org; Mon, 12 Nov 2012 14:48:39 -0500
Received: from e24smtp02.br.ibm.com ([32.104.18.86]:59682)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <otubo@linux.vnet.ibm.com>) id 1TXzzo-0002ko-5W
	for qemu-devel@nongnu.org; Mon, 12 Nov 2012 14:48:36 -0500
Received: from /spool/local
	by e24smtp02.br.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use
	Only! Violators will be prosecuted
	for <qemu-devel@nongnu.org> from <otubo@linux.vnet.ibm.com>;
	Mon, 12 Nov 2012 17:48:31 -0200
Received: from d24relay03.br.ibm.com (d24relay03.br.ibm.com [9.13.184.25])
	by d24dlp02.br.ibm.com (Postfix) with ESMTP id F1A811DC0051
	for <qemu-devel@nongnu.org>; Mon, 12 Nov 2012 14:48:27 -0500 (EST)
Received: from d24av01.br.ibm.com (d24av01.br.ibm.com [9.8.31.91])
	by d24relay03.br.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id
	qACJmKf318546722
	for <qemu-devel@nongnu.org>; Mon, 12 Nov 2012 17:48:20 -0200
Received: from d24av01.br.ibm.com (loopback [127.0.0.1])
	by d24av01.br.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id
	qACJmQ4u029401
	for <qemu-devel@nongnu.org>; Mon, 12 Nov 2012 17:48:27 -0200
From: Eduardo Otubo <otubo@linux.vnet.ibm.com>
Date: Mon, 12 Nov 2012 17:48:16 -0200
Message-Id: <1352749698-1219-3-git-send-email-otubo@linux.vnet.ibm.com>
In-Reply-To: <1352749698-1219-1-git-send-email-otubo@linux.vnet.ibm.com>
References: <1352749698-1219-1-git-send-email-otubo@linux.vnet.ibm.com>
Subject: [Qemu-devel] [PATCHv3 3/5] net: Disallow device hotplug that causes
	execve()
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: pmoore@redhat.com, coreyb@linux.vnet.ibm.com, Eduardo Otubo <otubo@linux.vnet.ibm.com>

We'll soon be introducing a second whitelist that prevents
execve() right before the main_loop() is entered.  In preparation,
we need to gracefully disable use of exec'd scripts/binaries when
hotplugging network devices.  For example, the following will not
be allowed:

netdev_add tap,id=tapdev0
netdev_add bridge
host_net_add tap
host_net_add bridge

v2: * Error messages moved to the backend function, net_init_tap(),
      recommended by Paolo Bonzini
    * Documentation added to QMP and HMP commands, and also to the Qemu
    * options.

v3: * Prevent hotplug of network devices only when execve() would be
      called by checking seccomp_get_state(). (pbonzini@redhat.com)
    * Update enum seccomp_states with new states for 2 whitelists.
    * Remove #ifdef preprocesser tests where possible
      (pbonzini@redhat.com)
    * Update network monitor and -sandbox command line documentation.

Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
---
 hmp-commands.hx |   12 ++++++------
 net/tap.c       |   13 +++++++++++++
 qemu-options.hx |   11 +++++++++--
 qemu-seccomp.h  |    4 +++-
 qmp-commands.hx |    3 ++-
 5 files changed, 33 insertions(+), 10 deletions(-)

diff --git a/hmp-commands.hx b/hmp-commands.hx
index f916385..6530a21 100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@ -1103,15 +1103,15 @@ ETEXI
     {
         .name       = "host_net_add",
         .args_type  = "device:s,opts:s?",
-        .params     = "tap|user|socket|vde|dump [options]",
-        .help       = "add host VLAN client",
+        .params     = "tap|bridge|user|socket|vde|dump [options]",
+        .help       = "add host VLAN client (options that exec programs are disabled when -sandbox is in use)",
         .mhandler.cmd = net_host_device_add,
     },
 
 STEXI
 @item host_net_add
 @findex host_net_add
-Add host VLAN client.
+Add host VLAN client (options that exec programs are disabled when -sandbox is in use).
 ETEXI
 
     {
@@ -1131,15 +1131,15 @@ ETEXI
     {
         .name       = "netdev_add",
         .args_type  = "netdev:O",
-        .params     = "[user|tap|socket],id=str[,prop=value][,...]",
-        .help       = "add host network device",
+        .params     = "[user|tap|bridge|socket],id=str[,prop=value][,...]",
+        .help       = "add host network device (options that exec programs are disabled when -sandbox is in use)",
         .mhandler.cmd = hmp_netdev_add,
     },
 
 STEXI
 @item netdev_add
 @findex netdev_add
-Add host network device.
+Add host network device (options that exec programs are disabled when -sandbox is in use).
 ETEXI
 
     {
diff --git a/net/tap.c b/net/tap.c
index df89caa..b72a012 100644
--- a/net/tap.c
+++ b/net/tap.c
@@ -40,6 +40,7 @@
 #include "qemu-char.h"
 #include "qemu-common.h"
 #include "qemu-error.h"
+#include "qemu-seccomp.h"
 
 #include "net/tap-linux.h"
 
@@ -352,6 +353,12 @@ static int launch_script(const char *setup_script, const char *ifname, int fd)
     char *args[3];
     char **parg;
 
+    if (seccomp_get_state() >= SECCOMP_MAIN_LOOP) {
+        error_report("Cannot execute network script from QEMU monitor "
+                     "when -sandbox is in effect");
+        return -1;
+    }
+
     /* try to launch network script */
     pid = fork();
     if (pid == 0) {
@@ -426,6 +433,12 @@ static int net_bridge_run_helper(const char *helper, const char *bridge)
     char **parg;
     int sv[2];
 
+    if (seccomp_get_state() >= SECCOMP_MAIN_LOOP) {
+        error_report("Cannot execute network helper from QEMU monitor "
+                     "when -sandbox is in effect");
+        return -1;
+    }
+
     sigemptyset(&mask);
     sigaddset(&mask, SIGCHLD);
     sigprocmask(SIG_BLOCK, &mask, &oldmask);
diff --git a/qemu-options.hx b/qemu-options.hx
index fe8f15c..f7277a0 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -1584,6 +1584,8 @@ attach it to the bridge. The default network helper executable is
 @file{/usr/local/libexec/qemu-bridge-helper} and the default bridge
 device is @file{br0}.
 
+Note that QEMU cannot execute a setuid program if -sandbox is in effect.
+
 Examples:
 
 @example
@@ -2798,8 +2800,13 @@ DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \
 STEXI
 @item -sandbox
 @findex -sandbox
-Enable Seccomp mode 2 system call filter. 'on' will enable syscall filtering and 'off' will
-disable it.  The default is 'off'.
+Enable Seccomp mode 2 system call filter.  'on' will enable system call filtering
+and 'off' will disable it.  The default is 'on'.
+
+Note that when '-sandbox on' is in effect, execution of programs where privilege
+granting operations occur during exec will be disabled.  For example, QEMU will
+not be able to execute a setuid binary to change its uid or gid.  Additionally,
+network monitor commands that cause programs to be executed will be disabled.
 ETEXI
 
 DEF("readconfig", HAS_ARG, QEMU_OPTION_readconfig,
diff --git a/qemu-seccomp.h b/qemu-seccomp.h
index fa26d70..686db09 100644
--- a/qemu-seccomp.h
+++ b/qemu-seccomp.h
@@ -21,7 +21,9 @@
 
 enum seccomp_states {
     SECCOMP_OFF,
-    SECCOMP_ON
+    SECCOMP_ON,
+    SECCOMP_INIT,
+    SECCOMP_MAIN_LOOP
 };
 
 void seccomp_set_state(int);
diff --git a/qmp-commands.hx b/qmp-commands.hx
index 5c692d0..26252a4 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -757,7 +757,8 @@ Example:
 
 Note: The supported device options are the same ones supported by the '-net'
       command-line argument, which are listed in the '-help' output or QEMU's
-      manual
+      manual.  Note that options that exec programs are disabled when -sandbox
+      is in use.
 
 EQMP
 
-- 
1.7.10.4