Re: [Qemu-devel] [PATCH 3/5] seccomp: add elevateprivileges argument to command line

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: "Daniel P. Berrange" <berrange@redhat.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: Eduardo Otubo <eduardo.otubo@profitbricks.com>,
	qemu-devel@nongnu.org, thuth@redhat.com
Subject: Re: [Qemu-devel] [PATCH 3/5] seccomp: add elevateprivileges argument to command line
Date: Tue, 14 Mar 2017 11:52:53 +0000	[thread overview]
Message-ID: <20170314115253.GL2652@redhat.com> (raw)
In-Reply-To: <e9b2bd2a-8409-7470-76bb-32f15fe6ce0e@redhat.com>

On Tue, Mar 14, 2017 at 12:47:10PM +0100, Paolo Bonzini wrote:
> 
> 
> On 14/03/2017 12:32, Eduardo Otubo wrote:
> > This patch introduces the new argument [,elevateprivileges=deny] to the
> > `-sandbox on'. It avoids Qemu process to elevate its privileges by
> > blacklisting all set*uid|gid system calls
> > 
> > Signed-off-by: Eduardo Otubo <eduardo.otubo@profitbricks.com>
> > ---
> >  include/sysemu/seccomp.h |  1 +
> >  qemu-options.hx          |  8 ++++++--
> >  qemu-seccomp.c           | 28 ++++++++++++++++++++++++++++
> >  vl.c                     | 11 +++++++++++
> >  4 files changed, 46 insertions(+), 2 deletions(-)
> > 
> > diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h
> > index 7a7bde246b..e6e78d85ce 100644
> > --- a/include/sysemu/seccomp.h
> > +++ b/include/sysemu/seccomp.h
> > @@ -16,6 +16,7 @@
> >  #define QEMU_SECCOMP_H
> >  
> >  #define OBSOLETE    0x0001
> > +#define PRIVILEGED  0x0010
> >  
> >  #include <seccomp.h>
> >  
> > diff --git a/qemu-options.hx b/qemu-options.hx
> > index 1403d0c85f..47018db5aa 100644
> > --- a/qemu-options.hx
> > +++ b/qemu-options.hx
> > @@ -3732,8 +3732,10 @@ Old param mode (ARM only).
> >  ETEXI
> >  
> >  DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \
> > -    "-sandbox on[,obsolete=allow]  Enable seccomp mode 2 system call filter (default 'off').\n" \
> > -    "                              obsolete: Allow obsolete system calls",
> > +    "-sandbox on[,obsolete=allow][,elevateprivileges=deny]\n" \
> > +    "                               Enable seccomp mode 2 system call filter (default 'off').\n" \
> > +    "                               obsolete: Allow obsolete system calls\n" \
> > +    "                               elevateprivileges: avoids Qemu process to elevate its privileges by blacklisting all set*uid|gid system calls",
> 
> Why allow these by default?

The goal is that '-sandbox on' should not break *any* QEMU feature. It
needs to be a safe thing that people can unconditionally turn on without
thinking about it.  The QEMU bridge helper  requires setuid privs, hence
elevated privileges needs to be permitted by default. Similarly I could
see the qemu ifup  scripts, or migrate 'exec' command wanting to elevate
privs via setuid binaries if QEMU was running unprivileged.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|

next prev parent reply	other threads:[~2017-03-14 11:53 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-03-14 11:32 [Qemu-devel] [PATCH 0/5] seccomp: feature refactoring Eduardo Otubo
2017-03-14 11:32 ` [Qemu-devel] [PATCH 1/5] seccomp: changing from whitelist to blacklist Eduardo Otubo
2017-03-14 11:32 ` [Qemu-devel] [PATCH 2/5] seccomp: add obsolete argument to command line Eduardo Otubo
2017-03-14 11:47   ` Paolo Bonzini
2017-03-14 12:01   ` Thomas Huth
2017-03-14 12:22     ` Eduardo Otubo
2017-03-14 11:32 ` [Qemu-devel] [PATCH 3/5] seccomp: add elevateprivileges " Eduardo Otubo
2017-03-14 11:47   ` Paolo Bonzini
2017-03-14 11:52     ` Daniel P. Berrange [this message]
2017-03-14 12:13       ` Paolo Bonzini
2017-03-14 12:24         ` Daniel P. Berrange
2017-03-14 12:42           ` Eduardo Otubo
2017-03-14 12:32         ` Eduardo Otubo
2017-03-14 12:48           ` Paolo Bonzini
2017-03-14 13:02             ` Daniel P. Berrange
2017-03-14 13:05               ` Paolo Bonzini
2017-03-14 13:19                 ` Daniel P. Berrange
2017-03-14 11:32 ` [Qemu-devel] [PATCH 4/5] seccomp: add spawn " Eduardo Otubo
2017-03-14 11:32 ` [Qemu-devel] [PATCH 5/5] seccomp: add resourcecontrol " Eduardo Otubo
2017-03-14 11:40 ` [Qemu-devel] [PATCH 0/5] seccomp: feature refactoring no-reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170314115253.GL2652@redhat.com \
    --to=berrange@redhat.com \
    --cc=eduardo.otubo@profitbricks.com \
    --cc=pbonzini@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=thuth@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).