Date: Fri, 22 Jun 2012 09:17:27 -0300
From: Eduardo Otubo
Message-ID: <20120622121727.GA21178@bluepex.com>
Subject: Re: [Qemu-devel] [PATCH 0/2] Sandboxing Qemu guests with Libseccomp
To: qemu-devel@nongnu.org

My apologies, I forgot to add the v3 into the PATCH tag.
On Thu, Jun 21, 2012 at 07:10:36PM -0300, Eduardo Otubo wrote:
> Hello all,
>
> This is the third effort to sandbox Qemu guests using Libseccomp[0]. The
> patches that follow are pretty simple and straightforward. I added the correct
> options and checks to the configure script and the basic calls to libseccomp in
> the main loop at vl.c. Details of each one are in the emails of the patch set.
>
> v2: The code is now separated into the files qemu-seccomp.c and qemu-seccomp.h
> for a cleaner implementation.
>
> This support limits the system call footprint of the entire QEMU process to a
> limited set of syscalls, those that we know QEMU uses. The idea is to limit
> the allowable syscalls, therefore limiting the impact that an attacked guest
> could have on the host system.
>
> It's important to note that libseccomp itself needs the seccomp mode 2
> feature in the kernel, which is pretty close to getting to the mainline since it
> has already been accepted into the linux-next branch[1].
>
> v2: I also tested with the 3.5-rc1 kernel, which is the one with seccomp mode 2
> support. Everything went fine.
>
> v3: As we discussed in previous emails on this very mailing list, this feature
> is not supposed to replace existing security features, but to add another layer
> to the whole. The whitelist should contain all the syscalls QEMU needs, so its
> execution won't be affected, just safer. And as stated in Will Drewry's commit
> message[1]: "Filter programs will be inherited across fork/clone and execve.",
> the same whitelist should be passed along from the father process to the
> child, then execve() shouldn't be a problem.
>
> As always, comments are more than welcome.
>
> Regards,
>
> [0] - Now you don't need to git clone anymore, you can download the first
> release - http://sourceforge.net/projects/libseccomp/
> [1] - http://git.kernel.org/?p=linux/kernel/git/next/linux-next.git;a=commit;h=e2cfabdfd075648216f99c2c03821cf3f47c1727
>
>
> Eduardo Otubo (2):
>   Adding support for libseccomp in configure and Makefile
>   Creating qemu-seccomp.[ch] and adding call to vl.c
>
>  Makefile.objs  |  4 +++
>  configure      | 23 +++++++++++++++
>  qemu-seccomp.c | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  qemu-seccomp.h | 23 +++++++++++++++
>  vl.c           | 11 +++++++
>  5 files changed, 149 insertions(+)
>  create mode 100644 qemu-seccomp.c
>  create mode 100644 qemu-seccomp.h
>
> --
> 1.7.9.5
>

-- 
Eduardo Otubo
Software Engineer
Linux Technology Center
IBM Systems & Technology Group
Mobile: +55 19 8135 0885
eotubo@linux.vnet.ibm.com
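The cover letter quoted above makes two claims about the mechanism: a whitelist of allowed syscalls is installed on the process and anything outside it is stopped, and the filter is inherited across fork/clone and execve, so the parent's whitelist also governs its children. The following is an added example written for this page; it is not the patch's qemu-seccomp.c (which is not shown here) and does not use libseccomp. Instead it talks to the same kernel seccomp mode 2 interface that libseccomp wraps (PR_SET_SECCOMP with a classic BPF program, the feature the cover letter needs a 3.5 kernel for), so it builds with only the Linux headers. The whitelist itself is a constructed toy, far smaller than anything QEMU would need, and every function name (install_whitelist, run_sandboxed and the three workloads) is an assumption for this example, not QEMU's or libseccomp's API. It shows a whitelisted call succeeding, a non-whitelisted call killing the process with SIGSYS, and the grandchild of a filtered process being killed the same way.

```c
/* Added illustration, not the patch's code: a seccomp mode 2 syscall
 * whitelist built directly from prctl + classic BPF (no libseccomp).
 * Linux only. Build: cc -Wall sandbox.c -o sandbox */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#  define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define SANDBOX_ERR 1000   /* fork/wait failed in the (unfiltered) parent */

/* Two BPF instructions: allow the loaded syscall number if it equals nr,
 * otherwise fall through to the next comparison. */
#define ALLOW(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Install the toy whitelist on the calling process. Returns 0 or -errno. */
int install_whitelist(void)
{
    struct sock_filter filter[] = {
        /* Kill if the call comes from another ABI (e.g. x32 on x86_64). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load the syscall number and walk the whitelist. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW(SYS_exit_group),
        ALLOW(SYS_exit),
        ALLOW(SYS_getpid),
        ALLOW(SYS_wait4),            /* waitpid() */
        ALLOW(SYS_clone),            /* fork() in glibc */
#ifdef SYS_clone3
        ALLOW(SYS_clone3),
#endif
#ifdef SYS_fork
        ALLOW(SYS_fork),             /* fork() in some other libcs */
#endif
        ALLOW(SYS_set_robust_list),  /* glibc issues this in the fork child */
        ALLOW(SYS_rt_sigreturn),
        /* Default action: anything not listed above kills the process. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* An unprivileged process must set no_new_privs before filtering. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}

/* Run fn() in a forked child under the whitelist. Returns the child's exit
 * status, or -signal if the kernel killed it (SIGSYS for a filtered call). */
int run_sandboxed(int (*fn)(void))
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return SANDBOX_ERR;
    if (pid == 0) {
        if (install_whitelist() != 0)
            _exit(98);               /* filter could not be installed */
        _exit(fn() & 0xff);
    }
    if (waitpid(pid, &status, 0) < 0)
        return SANDBOX_ERR;
    return WIFSIGNALED(status) ? -WTERMSIG(status) : WEXITSTATUS(status);
}

/* Only whitelisted calls: exits normally with 0. */
int allowed_work(void) { return getpid() > 0 ? 0 : 1; }

/* getuid() is not whitelisted: the kernel kills the caller with SIGSYS. */
int forbidden_work(void) { return (int)syscall(SYS_getuid); }

/* The filter is inherited across fork(): the grandchild dies the same way.
 * Returns 0 when the grandchild was killed by SIGSYS. */
int fork_inherits_filter(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return 2;
    if (pid == 0)
        _exit(forbidden_work());
    if (waitpid(pid, &status, 0) < 0)
        return 3;
    return (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) ? 0 : 4;
}

int main(void)
{
    printf("allowed only   : %d (expect 0)\n", run_sandboxed(allowed_work));
    printf("forbidden call : %d (expect %d)\n", run_sandboxed(forbidden_work), -SIGSYS);
    printf("fork inherits  : %d (expect 0)\n", run_sandboxed(fork_inherits_filter));
    return 0;
}
```

The filter runs only in a forked child so the demonstrating process itself stays unfiltered; in the real patch the filter is installed once in QEMU's own process and everything after that point, including any helper it spawns, runs under it. This is also why the cover letter's point about completeness matters: a whitelist that omits a call QEMU or a child actually makes does not degrade gracefully, it terminates the process, so the list has to be derived from what the process really does rather than guessed.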