Re: [Qemu-devel] [PATCH 0/2] Sandboxing Qemu guests with Libseccomp

[Eduardo Otubo <otubo@linux.vnet.ibm.com>]

My apologies, I forgot to add the v3 into the PATCH tag.

On Thu, Jun 21, 2012 at 07:10:36PM -0300, Eduardo Otubo wrote:
> Hello all,
> 
> This is the third effort to sandbox Qemu guests using Libseccomp[0]. The
> patches that follows are pretty simple and straightforward. I added the correct
> options and checks to the configure script and the basic calls to libseccomp in
> the main loop at vl.c. Details of each one are in the emails of the patch set.
> 
> v2: The code now is separated in the files qemu-seccomp.c and qemu-seccomp.h
> for a cleaner implementation.
> 
> This support limits the system call footprint of the entire QEMU process to a
> limited set of syscalls, those that we know QEMU uses.  The idea is to limit
> the allowable syscalls, therefore limiting the impact that an attacked guest
> could have on the host system.
> 
> It's important to note that the libseccomp itself needs the seccomp mode 2
> feature in the kernel, which is pretty close to get to the mainline since it's
> already been accepted to the linux-next branch[1].
> 
> v2: I also tested with the 3.5-rc1 kernel, which is the one with seccomp mode 2
> support. Everything went fine.
> 
> v3: As we discussed in previous emails in this very mailing list, this feature
> is not supposed to replace existing security feature, but add another layer to
> the whole. The whitelist should contain all the syscalls QEMU needs, so its
> execution won't be affected, just safer. And as stated by Will Drewry's commit
> message[1]: "Filter programs will be inherited across fork/clone and execve.",
> the same white list should be passed along from the father process to the
> child, then execve() shouldn't be a problem.
> 
> As always, comments are more than welcome.
> 
> Regards,
> 
> [0] - Now you don't need to git clone anymore, you can download the first
> release - http://sourceforge.net/projects/libseccomp/
> [1] - http://git.kernel.org/?p=linux/kernel/git/next/linux-next.git;a=commit;h=e2cfabdfd075648216f99c2c03821cf3f47c1727
> 
> 
> Eduardo Otubo (2):
>   Adding support for libseccomp in configure and Makefile
>   Creating qemu-seccomp.[ch] and adding call to vl.c
> 
>  Makefile.objs  |    4 +++
>  configure      |   23 +++++++++++++++
>  qemu-seccomp.c |   88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  qemu-seccomp.h |   23 +++++++++++++++
>  vl.c           |   11 +++++++
>  5 files changed, 149 insertions(+)
>  create mode 100644 qemu-seccomp.c
>  create mode 100644 qemu-seccomp.h
> 
> -- 
> 1.7.9.5
> 

-- 
Eduardo Otubo
Software Engineer
Linux Technology Center
IBM Systems & Technology Group
Mobile: +55 19 8135 0885 
eotubo@linux.vnet.ibm.com