Date: Thu, 8 Oct 2015 15:34:12 +0200
From: Eduardo Otubo
Message-ID: <20151008133412.GD31558@vader>
Subject: Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the seccomp sandbox
To: Namsun Ch'o
Cc: qemu-devel@nongnu.org

On Thu, Oct 01, 2015 at 12:36:05AM -0400, Namsun Ch'o wrote:
> The seccomp sandbox doesn't whitelist setuid, setgid, or setgroups, which are
> needed for -runas to work. It also doesn't whitelist chroot, which is needed
> for the -chroot option. Unfortunately, QEMU enables seccomp before it drops
> privileges or chroots, so without these whitelisted, -runas and -chroot cause
> QEMU to be killed with -sandbox on. This patch adds those syscalls.
>
> Signed-off-by: Namsun Ch'o
> ---
> diff --git a/qemu-seccomp.c b/qemu-seccomp.c
> index f9de0d3..5cb1809 100644
> --- a/qemu-seccomp.c
> +++ b/qemu-seccomp.c
> @@ -237,7 +237,11 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
>      { SCMP_SYS(fadvise64), 240 },
>      { SCMP_SYS(inotify_init1), 240 },
>      { SCMP_SYS(inotify_add_watch), 240 },
> -    { SCMP_SYS(mbind), 240 }
> +    { SCMP_SYS(mbind), 240 },
> +    { SCMP_SYS(setuid), 240 },
> +    { SCMP_SYS(setgid), 240 },
> +    { SCMP_SYS(chroot), 240 },
> +    { SCMP_SYS(setgroups), 240 }
> };
>
> int seccomp_start(void)

Breaking a qemu use case is justification enough to whitelist more syscalls, but we can come up with a better solution for this (continue the thread) and tighten this up in the future.

Thanks for your contribution.

Acked-by: Eduardo Otubo

PS: the threads are still being broken by your emails and it's a pain to track down all of them in order to read. Please fix it.

-- 
Eduardo Otubo
ProfitBricks GmbH
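Review bot: the four new entries make setuid, setgid, setgroups and chroot callable for the whole life of the process, not just during the -runas/-chroot step, so a QEMU compromised from the guest keeps the ability to call them after privileges were dropped; since the commit message itself says the problem is that seccomp is enabled before privileges are dropped, the tighter change is to move the seccomp_start() call (visible in the hunk's trailing context) after the -runas and -chroot handling, so none of these syscalls needs to be allowed at all. Two smaller points on the same hunk: on 32-bit x86 and ARM glibc's setuid(), setgid() and setgroups() issue the setuid32, setgid32 and setgroups32 syscalls, which SCMP_SYS(setuid), SCMP_SYS(setgid) and SCMP_SYS(setgroups) do not cover, so -runas with -sandbox on would still be killed there unless those are listed too; and since the table only carries a syscall and a priority, nothing here limits setuid to the target uid, which the commit message should state so the trade-off is on record.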
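Added example, not code from the patch or from QEMU (which uses libseccomp): a small C program that shows why the ordering the commit message describes matters. It installs a raw seccomp BPF filter through prctl(2) that denies exactly the syscalls the hunk whitelists, then performs a privilege-drop step in a forked child, once with the filter installed first and once with the filter installed afterwards. Assumptions, all mine: a Linux kernel with seccomp filter support, a single-threaded child, setgid(getgid()) standing in for what -runas does because it is the one setgid call an unprivileged process may make, and SECCOMP_RET_ERRNO in place of the kill verdict so the child can report an errno rather than die; the helper names (install_filter, run_order, sandbox_then_drop, drop_then_sandbox) are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Architecture tag checked first by the filter, so syscall numbers are read for
 * the ABI we compiled for (without it a filter can be bypassed by entering the
 * kernel through another ABI, e.g. int 0x80 on x86_64). */
#if defined(__x86_64__)
#  define SC_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define SC_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define SC_ARCH AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Child exit code when the kernel (or an outer sandbox) refuses the filter;
 * chosen to be distinct from any errno value the child may report. */
enum { SECCOMP_UNAVAILABLE = 200 };

/* Deny exactly the syscalls the patch whitelists (assumed filter, not QEMU's).
 * SECCOMP_RET_ERRNO(EPERM) is used instead of SECCOMP_RET_KILL so the child can
 * report the outcome; QEMU's real policy kills the process instead. */
static int install_filter(void)
{
    const uint32_t denied[] = {
        __NR_setuid, __NR_setgid, __NR_setgroups, __NR_chroot,
#ifdef __NR_setuid32 /* 32-bit x86/ARM: glibc issues the *32 variants */
        __NR_setuid32, __NR_setgid32, __NR_setgroups32,
#endif
    };
    const size_t n = sizeof denied / sizeof denied[0];
    struct sock_filter prog[4 + 8 + 2]; /* arch check + up to 8 denials + verdicts */
    size_t k = 0;

    prog[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SC_ARCH, 1, 0);
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    /* Each match jumps forward to the final (deny) verdict; falling through allows. */
    for (size_t i = 0; i < n; i++)
        prog[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, denied[i], (uint8_t)(n - i), 0);
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));

    struct sock_fprog fprog = { .len = (unsigned short)k, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Stand-in for the -runas switch: the one setgid call an unprivileged process may make. */
static int drop_group(void)
{
    return setgid(getgid()) == 0 ? 0 : errno;
}

/* Run the two steps in a forked child in the given order. Returns 0 on success,
 * an errno value if the drop failed, 128+signal if the child was killed, and
 * SECCOMP_UNAVAILABLE if the filter could not be installed at all. */
static int run_order(int filter_first)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (filter_first && install_filter() != 0)
            _exit(SECCOMP_UNAVAILABLE);
        int rc = drop_group();
        if (!filter_first && install_filter() != 0)
            _exit(SECCOMP_UNAVAILABLE);
        _exit(rc);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? 128 + WTERMSIG(status) : WEXITSTATUS(status);
}

/* The order the commit message describes: sandbox enabled, then privileges dropped. */
int sandbox_then_drop(void) { return run_order(1); }

/* The order that needs no whitelist entry: privileges dropped, then sandbox enabled. */
int drop_then_sandbox(void) { return run_order(0); }

/* Result check that also tolerates hosts where no filter could be installed. */
int matches_or_unavailable(int rc, int expected)
{
    return rc == expected || rc == SECCOMP_UNAVAILABLE;
}

int main(void)
{
    int a = sandbox_then_drop(), b = drop_then_sandbox();
    printf("sandbox, then setgid: %d (%s)\n", a, a == EPERM ? "EPERM, the failure -runas hits" : "not denied");
    printf("setgid, then sandbox: %d (%s)\n", b, b == 0 ? "ok, setgid never had to be allowed" : "failed");
    return 0;
}
```

Build with `cc -std=gnu11 -o seccomp-order seccomp-order.c` and run as an ordinary user. The first order reports EPERM (with QEMU's kill verdict the process would simply be gone, which is the -sandbox on failure the commit message describes); the second succeeds without setgid ever appearing in the allow list, which is the tightening Eduardo's reply points towards. The `*32` entries carry the 32-bit caveat: on i386 and ARM glibc's wrappers use setuid32/setgid32/setgroups32, so SCMP_SYS(setuid) alone does not cover them.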