From: Eduardo Otubo <eduardo.otubo@profitbricks.com>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: Namsun Ch'o <namnamc@Safe-mail.net>,
Markus Armbruster <armbru@redhat.com>,
qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the seccomp sandbox
Date: Fri, 2 Oct 2015 17:36:12 +0200 [thread overview]
Message-ID: <20151002153612.GD25464@vader> (raw)
In-Reply-To: <20151002141505.GF28469@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 2313 bytes --]
On Fri, Oct 02, 2015 at 03=15=05PM +0100, Daniel P. Berrange wrote:
> On Fri, Oct 02, 2015 at 04:08:20PM +0200, Eduardo Otubo wrote:
> > On Fri, Oct 02, 2015 at 12=05=58PM +0200, Markus Armbruster wrote:
> > > "Daniel P. Berrange" <berrange@redhat.com> writes:
> > >
> > > > On Thu, Oct 01, 2015 at 02:06:32PM +0200, Markus Armbruster wrote:
> > > >> "Namsun Ch'o" <namnamc@Safe-mail.net> writes:
> > > >>
> > > >> > The seccomp sandbox doesn't whitelist setuid, setgid, or
> > > >> > setgroups, which are
> > > >> > needed for -runas to work. It also doesn't whitelist chroot, which is needed
> > > >> > for the -chroot option. Unfortunately, QEMU enables seccomp before it drops
> > > >> > privileges or chroots, so without these whitelisted, -runas and
> > > >> > -chroot cause
> > > >> > QEMU to be killed with -sandbox on. This patch adds those syscalls.
> > > >>
> > > >> Should it enable seccomp a bit later?
> > > >
> > > > Yeah, I think it would be better to move the seccomp enablement later.
> > >
> > > Let's do that then.
> >
> > Where exactly you guys think we could call seccomp enablement? Right
> > it's called (almost) right before cpu_exec_init_all(), on vl.c:4013. I
> > guess it is as later as it could.
>
> It depends on what you consider seccomp to be protecting against. I think
> its primary goal is to protect against exploit after a guest OS breakout,
> in which case it does not need to be enabled until the guest CPUs start
> executing, which IIUC, means immediately before main_loop().
>
> If we intend seccomp to protect against flaws during QEMU setup, then having
> it earlier is neccessary. eg QEMU opening a corrupt qcow2 image which might
> exploit QEMU before the guest CPUs start.
>
> If the latter is the case, then we could start with a relaxed seccomp
> sandbox which included the setuid/chroot features, and then switch to a
> more restricted one which blocked them before main_loop() runs.
Our intention since the beginning was to protect the host from the
illegal guest operations. But you do have an interesting point about
flaws on qemu itself. Perhaps this might be something I could work on to
improve (start a bigger whitelist and get it tighter before guest
launches).
--
Eduardo Otubo
ProfitBricks GmbH
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 473 bytes --]
next prev parent reply other threads:[~2015-10-02 15:36 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-01 4:36 [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the seccomp sandbox Namsun Ch'o
2015-10-01 12:06 ` Markus Armbruster
2015-10-02 8:30 ` Daniel P. Berrange
2015-10-02 10:05 ` Markus Armbruster
2015-10-02 14:08 ` Eduardo Otubo
2015-10-02 14:15 ` Daniel P. Berrange
2015-10-02 15:36 ` Eduardo Otubo [this message]
2015-10-08 13:34 ` Eduardo Otubo
-- strict thread matches above, loose matches on Subject: below --
2015-10-02 0:17 namnamc
2015-10-09 2:09 namnamc
2015-10-09 6:54 ` Markus Armbruster
2015-10-09 7:24 ` Eduardo Otubo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151002153612.GD25464@vader \
--to=eduardo.otubo@profitbricks.com \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=namnamc@Safe-mail.net \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).