From: Eduardo Otubo <eduardo.otubo@profitbricks.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Daniel P. Berrange" <berrange@redhat.com>,
qemu-devel@nongnu.org, thuth@redhat.com,
Andy Lutomirski <luto@amacapital.net>
Subject: Re: [Qemu-devel] [PATCH 3/5] seccomp: add elevateprivileges argument to command line
Date: Tue, 14 Mar 2017 13:32:54 +0100 [thread overview]
Message-ID: <20170314123254.GB21475@vader> (raw)
In-Reply-To: <d8825eda-6613-71c9-9dd7-9239325e296b@redhat.com>
On Tue, Mar 14, 2017 at 01=13=15PM +0100, Paolo Bonzini wrote:
>
>
> On 14/03/2017 12:52, Daniel P. Berrange wrote:
> >>> DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \
> >>> - "-sandbox on[,obsolete=allow] Enable seccomp mode 2 system call filter (default 'off').\n" \
> >>> - " obsolete: Allow obsolete system calls",
> >>> + "-sandbox on[,obsolete=allow][,elevateprivileges=deny]\n" \
> >>> + " Enable seccomp mode 2 system call filter (default 'off').\n" \
> >>> + " obsolete: Allow obsolete system calls\n" \
> >>> + " elevateprivileges: avoids Qemu process to elevate its privileges by blacklisting all set*uid|gid system calls",
> >> Why allow these by default?
> > The goal is that '-sandbox on' should not break *any* QEMU feature. It
> > needs to be a safe thing that people can unconditionally turn on without
> > thinking about it.
>
> Sure, but what advantages would it provide if the default blacklist does
> not block anything meaningful? At the very least, spawn=deny should
> default elevateprivileges to deny too.
>
> I think there should be a list (as small as possible) of features that
> are sacrificed by "-sandbox on".
Can you give an example of such a list?
>
> > The QEMU bridge helper requires setuid privs, hence
> > elevated privileges needs to be permitted by default.
>
> QEMU itself should not be getting additional privileges, only the helper
> and in turn the helper or ifup scripts can be limited through MAC. The
> issue is that seccomp persists across execve.
>
> Currently, unprivileged users are only allowed to install seccomp
> filters if no_new_privs is set. Would it make sense if seccomp filters
> without no_new_privs succeeded, except that the filter would not persist
> across execve of binaries with setuid, setgid or file capabilities?
Yes, it does make sense. Using seccomp_attr_set() and the flag
SCMP_FLTATR_CTL_NNP we can disable NO_NEW_PRIVS.
>
> Then the spawn option could be a tri-state with the choice of allow,
> deny and no_new_privs:
>
> - elevateprivileges=allow,spawn=allow: legacy for old kernels
> - elevateprivileges=deny,spawn=allow: can run privileged helpers
> - elevateprivileges=deny,spawn=deny: cannot run helpers at all
> - elevateprivileges=deny,spawn=no_new_privs: can run unprivileged
> helpers only
I think it does look interesting to me this model.
--
Eduardo Otubo
ProfitBricks GmbH
next prev parent reply other threads:[~2017-03-14 12:33 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-14 11:32 [Qemu-devel] [PATCH 0/5] seccomp: feature refactoring Eduardo Otubo
2017-03-14 11:32 ` [Qemu-devel] [PATCH 1/5] seccomp: changing from whitelist to blacklist Eduardo Otubo
2017-03-14 11:32 ` [Qemu-devel] [PATCH 2/5] seccomp: add obsolete argument to command line Eduardo Otubo
2017-03-14 11:47 ` Paolo Bonzini
2017-03-14 12:01 ` Thomas Huth
2017-03-14 12:22 ` Eduardo Otubo
2017-03-14 11:32 ` [Qemu-devel] [PATCH 3/5] seccomp: add elevateprivileges " Eduardo Otubo
2017-03-14 11:47 ` Paolo Bonzini
2017-03-14 11:52 ` Daniel P. Berrange
2017-03-14 12:13 ` Paolo Bonzini
2017-03-14 12:24 ` Daniel P. Berrange
2017-03-14 12:42 ` Eduardo Otubo
2017-03-14 12:32 ` Eduardo Otubo [this message]
2017-03-14 12:48 ` Paolo Bonzini
2017-03-14 13:02 ` Daniel P. Berrange
2017-03-14 13:05 ` Paolo Bonzini
2017-03-14 13:19 ` Daniel P. Berrange
2017-03-14 11:32 ` [Qemu-devel] [PATCH 4/5] seccomp: add spawn " Eduardo Otubo
2017-03-14 11:32 ` [Qemu-devel] [PATCH 5/5] seccomp: add resourcecontrol " Eduardo Otubo
2017-03-14 11:40 ` [Qemu-devel] [PATCH 0/5] seccomp: feature refactoring no-reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170314123254.GB21475@vader \
--to=eduardo.otubo@profitbricks.com \
--cc=berrange@redhat.com \
--cc=luto@amacapital.net \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).