qemu-devel.nongnu.org archive mirror
From: Eduardo Otubo <otubo@linux.vnet.ibm.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: qemu-devel <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] [RFC] [PATCH 2/2] Adding basic calls to libseccomp in vl.c
Date: Mon, 7 May 2012 09:28:50 -0300
Message-ID: <20120507122849.GC10516@bluepex.com>
In-Reply-To: <4FA7AB6D.5020502@redhat.com>

On Mon, May 07, 2012 at 01:01:01PM +0200, Paolo Bonzini wrote:
> On 04/05/2012 23:59, Andreas Färber wrote:
> >> > +static struct qemu_seccomp_syscall seccomp_whitelist[] = {
> >> > +    {SCMP_SYS(timer_settime), 255},
> > Spaces inside braces please.
> > 
> >> > +    {SCMP_SYS(timer_gettime), 254},
> >> > +    {SCMP_SYS(futex), 253},
> >> > +    {SCMP_SYS(select), 252},
> >> > +    {SCMP_SYS(recvfrom), 251},
> >> > +    {SCMP_SYS(sendto), 250},
> >> > +    {SCMP_SYS(read), 249},
> >> > +    {SCMP_SYS(brk), 248},
> >> > +    {SCMP_SYS(clone), 247},
> >> > +    {SCMP_SYS(mmap), 247},
> >> > +    {SCMP_SYS(mprotect), 246},
> >> > +    {SCMP_SYS(rt_sigprocmask), 245},
> >> > +    {SCMP_SYS(write), 244},
> >> > +    {SCMP_SYS(fcntl), 243},
> >> > +    {SCMP_SYS(tgkill), 242},
> >> > +    {SCMP_SYS(rt_sigaction), 242},
> >> > +    {SCMP_SYS(pipe2), 242},
> >> > +    {SCMP_SYS(munmap), 242},
> >> > +    {SCMP_SYS(mremap), 242},
> >> > +    {SCMP_SYS(getsockname), 242},
> >> > +    {SCMP_SYS(getpeername), 242},
> >> > +    {SCMP_SYS(fdatasync), 242},
> >> > +    {SCMP_SYS(close), 242}
> >> > +};
> >> > +
> 
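Review bot: the whitelist omits syscalls the thread itself identifies as in use (recvmsg, sendmsg, accept, connect, bind, listen, ioctl, fallocate, eventfd, plus poll for simplicity), and since this is a whitelist the first such call would hit the filter's default action rather than the intended allow; add them to the table. Two smaller points on the table itself: the priorities repeat (clone and mmap both 247; tgkill through close all 242), which defeats the per-syscall ranking the numbers suggest, and nothing records what the values mean or how they were measured, so a comment stating the scale (255 = most frequent) and the workload they came from would help the next person who edits the list. As Andreas notes, `{ SCMP_SYS(timer_settime), 255 },` with spaces inside the braces is the house style.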
> At least the following are also used: recvmsg, sendmsg, accept, connect,
> bind, listen, ioctl, fallocate, eventfd.  I don't know if all of them
> have to be included in the list.  Other syscalls are not used but
> probably should be allowed for simplicity, for example poll.

You straced those syscalls from what kind of guest? Can you provide the
frequency they appear in an strace of your example so we can set the
priority? No need for any fancy report, just some greps and wcs on the
strace output should be just fine.

> 
> For ioctl, we may want to refine the white-list depending on the
> argument, and perhaps even filter by file descriptor (the KVM ioctls are
> in relatively fast paths, so it would be nice if they were passed with
> fewer BPF ops).
> 
> BTW, please keep this out of vl.c, so that all hairiness can be added as
> appropriate.

I thought it would be overkill to create a new seccomp.[c|h] just for this
purpose. But yes, we can start thinking about that, since the features might
grow in the future.

Thanks for the comments,
Regards

-- 
Eduardo Otubo
Software Engineer
Linux Technology Center
IBM Systems & Technology Group
Mobile: +55 19 8135 0885 
eotubo@linux.vnet.ibm.com
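Eduardo asks for the syscall frequencies from an strace so the whitelist priorities can be set by measurement rather than by guess. The following POSIX shell script is an added example, not code from the thread or from QEMU: it counts syscalls in strace output and emits a table in the patch's { SCMP_SYS(name), priority } shape, giving the most frequent syscall 255 and each following one a distinct lower value. The strace lines are constructed for the example, and the prefix handling (strace -f, -o and -t output) and the descending-from-255 assignment are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the QEMU patch or from the thread: rank the
# syscalls in an strace capture by frequency and emit a libseccomp whitelist
# table in the patch's { SCMP_SYS(name), priority } shape, most frequent first.

# Constructed strace -f output standing in for a real capture of a running
# QEMU process. It deliberately includes the cases a naive "grep '^[a-z]'"
# would miscount: "[pid N]" prefixes, an unfinished/resumed pair (one call,
# two lines), a signal line and the exit line.
SAMPLE_STRACE='[pid 1234] ioctl(12, KVM_RUN, 0) = 0
[pid 1234] ioctl(12, KVM_RUN, 0) = 0
[pid 1234] ioctl(12, KVM_RUN, 0) = -1 EINTR (Interrupted system call)
[pid 1235] futex(0x7f0012345678, FUTEX_WAIT_PRIVATE, 0, NULL <unfinished ...>
[pid 1234] read(3, "\1\0\0\0\0\0\0\0", 512) = 8
[pid 1235] <... futex resumed> ) = 0
[pid 1234] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[pid 1234] read(3, "\1\0\0\0\0\0\0\0", 512) = 8
[pid 1234] --- SIGALRM {si_signo=SIGALRM, si_code=SI_TIMER} ---
[pid 1234] select(15, [3 5], [], [], {0, 0}) = 0 (Timeout)
[pid 1234] write(5, "\0", 1) = 1
[pid 1234] select(15, [3 5], [], [], {0, 0}) = 1 (in [5], left {0, 0})
[pid 1235] read(5, "\0", 1) = 1
+++ exited with 0 +++'

# syscall_freq: read strace output on stdin, print "count name" per syscall,
# most frequent first (ties broken by name so the output is stable).
syscall_freq() {
    awk '
    {
        line = $0
        sub(/^\[pid +[0-9]+\] +/, "", line)                 # strace -f prefix
        sub(/^[0-9]+ +/, "", line)                          # strace -f -o prefix
        sub(/^[0-9]+:[0-9]+:[0-9]+(\.[0-9]+)? +/, "", line) # strace -t/-tt stamp
        # A syscall entry starts with its name and an opening paren; resumed
        # lines ("<... futex resumed>"), signal and exit lines do not match,
        # so an interrupted call is counted exactly once.
        if (match(line, /^[a-z_][a-z0-9_]*\(/)) {
            name = substr(line, RSTART, RLENGTH - 1)
            count[name]++
        }
    }
    END { for (n in count) printf "%d %s\n", count[n], n }
    ' | sort -k1,1nr -k2,2
}

# gen_whitelist: turn "count name" lines into C initializers. libseccomp
# priorities are 8-bit hints, so the most frequent syscall gets 255 and each
# following one a distinct lower value (floored at 0 past 256 entries).
gen_whitelist() {
    awk 'BEGIN { prio = 255 }
    {
        printf "    { SCMP_SYS(%s), %d },\n", $2, prio
        if (prio > 0) prio--
    }'
}

# Stand-alone run over the constructed sample. With a live process the input
# would come from: strace -f -p <qemu-pid> 2>&1 | syscall_freq | gen_whitelist
printf '%s\n' "$SAMPLE_STRACE" | syscall_freq | gen_whitelist
```

Because the ranking assigns distinct values, the emitted table avoids the repeated priorities in the posted list (two entries at 247, nine at 242). The counts are only as representative as the workload that was traced, which is why the question above asks what kind of guest produced them; a capture from an idle guest will rank timer and select calls far above the I/O paths a busy guest exercises.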
