From: "Daniel P. Berrange" <berrange@redhat.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: qemu-devel@nongnu.org, thuth@redhat.com,
Andy Lutomirski <luto@amacapital.net>
Subject: Re: [Qemu-devel] [PATCH 3/5] seccomp: add elevateprivileges argument to command line
Date: Tue, 14 Mar 2017 13:19:24 +0000 [thread overview]
Message-ID: <20170314131924.GQ2652@redhat.com> (raw)
In-Reply-To: <ca220108-b75c-c3a1-8288-317095bb3dab@redhat.com>
On Tue, Mar 14, 2017 at 02:05:32PM +0100, Paolo Bonzini wrote:
>
>
> On 14/03/2017 14:02, Daniel P. Berrange wrote:
> >>> Can you give an example of such a list?
> >>
> >> Well, anything that makes "-sandbox on" more than security theater... I
> >> would consider it a necessary evil, not a good thing to have such a list.
> >>
> >> Due to NO_NEW_PRIVS, I think non-migration fork/exec should be on the
> >> list, but hopefully nothing else.
> >
> > The current semantics of '-sandbox on' are that it is documented to not
> > break any valid QEMU features. By blocking fork/exec, we make a semantic
> > change to the existing behaviour of '-sandbox on'.
>
> I don't propose to block fork/exec. I propose not to whitelist setuid,
> as is the case now too. It wouldn't be backwards-incompatible.
That we don't whitelist setuid is a bug in the current impl vs the intended
semantics of '-sandbox on', where we are denying valid features.
> > So any application
> > which has been using '-sandbox on' historically, is at risk of being
> > broken when upgrading to QEMU 2.10. It would force the application to
> > generate a different CLI for new QEMU - ie to avoid being broken they
> > would have to now add elevateprivs=allow, spawn=allow. I think we have
> > to maintain semantic compat with existing usage, which means that
> > '-sandbox on' has to remain security theatre.
> >
> > So if we want a default config to be more restrictive, then I think you
> > realistically have to turn the default parameter into a tri-state
> > instead of bool, ie allow '-sandbox default' as an alternative to
> > '-sandbox on' that was slightly stronger by blocking fork/exec.
>
> Or just print a warning that "-sandbox on" is useless. I guess that
> would be okay too if we want to be "stronger" than backwards-compatible.
It isn't totally useless - it is blocking access to a number of system
calls that QEMU should never use. eg things like reboot, load_module,
etc. In the absence of other security protections it is useless, but
if you combine with other mechanisms like DAC or LSM, then the default
seccomp rules offer some extra protection. Admittedly not alot, but
it is non-zero. The extra opt-in protecton flags then increase the
value at cost of killing some features.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|
next prev parent reply other threads:[~2017-03-14 13:19 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-14 11:32 [Qemu-devel] [PATCH 0/5] seccomp: feature refactoring Eduardo Otubo
2017-03-14 11:32 ` [Qemu-devel] [PATCH 1/5] seccomp: changing from whitelist to blacklist Eduardo Otubo
2017-03-14 11:32 ` [Qemu-devel] [PATCH 2/5] seccomp: add obsolete argument to command line Eduardo Otubo
2017-03-14 11:47 ` Paolo Bonzini
2017-03-14 12:01 ` Thomas Huth
2017-03-14 12:22 ` Eduardo Otubo
2017-03-14 11:32 ` [Qemu-devel] [PATCH 3/5] seccomp: add elevateprivileges " Eduardo Otubo
2017-03-14 11:47 ` Paolo Bonzini
2017-03-14 11:52 ` Daniel P. Berrange
2017-03-14 12:13 ` Paolo Bonzini
2017-03-14 12:24 ` Daniel P. Berrange
2017-03-14 12:42 ` Eduardo Otubo
2017-03-14 12:32 ` Eduardo Otubo
2017-03-14 12:48 ` Paolo Bonzini
2017-03-14 13:02 ` Daniel P. Berrange
2017-03-14 13:05 ` Paolo Bonzini
2017-03-14 13:19 ` Daniel P. Berrange [this message]
2017-03-14 11:32 ` [Qemu-devel] [PATCH 4/5] seccomp: add spawn " Eduardo Otubo
2017-03-14 11:32 ` [Qemu-devel] [PATCH 5/5] seccomp: add resourcecontrol " Eduardo Otubo
2017-03-14 11:40 ` [Qemu-devel] [PATCH 0/5] seccomp: feature refactoring no-reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170314131924.GQ2652@redhat.com \
--to=berrange@redhat.com \
--cc=luto@amacapital.net \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).