* [Qemu-devel] [PATCHv4 0/6] seccomp: feature refactoring
@ 2017-09-01 10:58 Eduardo Otubo
2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 1/6] seccomp: changing from whitelist to blacklist Eduardo Otubo
` (6 more replies)
0 siblings, 7 replies; 15+ messages in thread
From: Eduardo Otubo @ 2017-09-01 10:58 UTC (permalink / raw)
To: qemu-devel; +Cc: berrange, thuth
v4:
* include another field on the struct for the modes
* remove priority
* fixed typos
* error handling for prctl
* add allow|deny values for all options
* error hanlding for wrong values for all options
* change how binary values are treated
* reformat help text
v3:
* Style problems fixed
v2:
* The semantics of the options "allow/deny" instead of booleans "on/off" remains.
* Added option 'children' to elevateprivileges
* Added documentation to docs/
v1:
* First version based on the discussion
https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg03348.html
Eduardo Otubo (6):
seccomp: changing from whitelist to blacklist
seccomp: add obsolete argument to command line
seccomp: add elevateprivileges argument to command line
seccomp: add spawn argument to command line
seccomp: add resourcecontrol argument to command line
seccomp: adding documentation to new seccomp model
docs/seccomp.txt | 31 +++++
include/sysemu/seccomp.h | 8 +-
qemu-options.hx | 26 +++-
qemu-seccomp.c | 325 ++++++++++++++---------------------------------
vl.c | 82 +++++++++++-
5 files changed, 235 insertions(+), 237 deletions(-)
create mode 100644 docs/seccomp.txt
--
2.13.5
^ permalink raw reply [flat|nested] 15+ messages in thread* [Qemu-devel] [PATCHv4 1/6] seccomp: changing from whitelist to blacklist 2017-09-01 10:58 [Qemu-devel] [PATCHv4 0/6] seccomp: feature refactoring Eduardo Otubo @ 2017-09-01 10:58 ` Eduardo Otubo 2017-09-01 11:04 ` Daniel P. Berrange 2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 2/6] seccomp: add obsolete argument to command line Eduardo Otubo ` (5 subsequent siblings) 6 siblings, 1 reply; 15+ messages in thread From: Eduardo Otubo @ 2017-09-01 10:58 UTC (permalink / raw) To: qemu-devel; +Cc: berrange, thuth This patch changes the default behavior of the seccomp filter from whitelist to blacklist. By default now all system calls are allowed and a small black list of definitely forbidden ones was created. Signed-off-by: Eduardo Otubo <otubo@redhat.com> --- include/sysemu/seccomp.h | 2 + qemu-seccomp.c | 264 ++++++----------------------------------------- vl.c | 1 - 3 files changed, 35 insertions(+), 232 deletions(-) diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h index cfc06008cb..23b9c3c789 100644 --- a/include/sysemu/seccomp.h +++ b/include/sysemu/seccomp.h @@ -15,6 +15,8 @@ #ifndef QEMU_SECCOMP_H #define QEMU_SECCOMP_H +#define QEMU_SECCOMP_SET_DEFAULT (1 << 0) + #include <seccomp.h> int seccomp_start(void); diff --git a/qemu-seccomp.c b/qemu-seccomp.c index df75d9c471..585de42a97 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -28,232 +28,34 @@ struct QemuSeccompSyscall { int32_t num; - uint8_t priority; + int type; + uint8_t set; }; -static const struct QemuSeccompSyscall seccomp_whitelist[] = { - { SCMP_SYS(timer_settime), 255 }, - { SCMP_SYS(timer_gettime), 254 }, - { SCMP_SYS(futex), 253 }, - { SCMP_SYS(select), 252 }, - { SCMP_SYS(recvfrom), 251 }, - { SCMP_SYS(sendto), 250 }, - { SCMP_SYS(socketcall), 250 }, - { SCMP_SYS(read), 249 }, - { SCMP_SYS(io_submit), 249 }, - { SCMP_SYS(brk), 248 }, - { SCMP_SYS(clone), 247 }, - { SCMP_SYS(mmap), 247 }, - { SCMP_SYS(mprotect), 246 }, - { SCMP_SYS(execve), 245 }, - { SCMP_SYS(open), 245 }, - { SCMP_SYS(ioctl), 245 }, - { SCMP_SYS(socket), 245 }, - { SCMP_SYS(setsockopt), 245 }, - { SCMP_SYS(recvmsg), 245 }, - { SCMP_SYS(sendmsg), 245 }, - { SCMP_SYS(accept), 245 }, - { SCMP_SYS(connect), 245 }, - { SCMP_SYS(socketpair), 245 }, - { SCMP_SYS(bind), 245 }, - { SCMP_SYS(listen), 245 }, - { SCMP_SYS(semget), 245 }, - { SCMP_SYS(ipc), 245 }, - { SCMP_SYS(gettimeofday), 245 }, - { SCMP_SYS(readlink), 245 }, - { SCMP_SYS(access), 245 }, - { SCMP_SYS(prctl), 245 }, - { SCMP_SYS(signalfd), 245 }, - { SCMP_SYS(getrlimit), 245 }, - { SCMP_SYS(getrusage), 245 }, - { SCMP_SYS(set_tid_address), 245 }, - { SCMP_SYS(statfs), 245 }, - { SCMP_SYS(unlink), 245 }, - { SCMP_SYS(wait4), 245 }, - { SCMP_SYS(fcntl64), 245 }, - { SCMP_SYS(fstat64), 245 }, - { SCMP_SYS(stat64), 245 }, - { SCMP_SYS(getgid32), 245 }, - { SCMP_SYS(getegid32), 245 }, - { SCMP_SYS(getuid32), 245 }, - { SCMP_SYS(geteuid32), 245 }, - { SCMP_SYS(sigreturn), 245 }, - { SCMP_SYS(_newselect), 245 }, - { SCMP_SYS(_llseek), 245 }, - { SCMP_SYS(mmap2), 245 }, - { SCMP_SYS(sigprocmask), 245 }, - { SCMP_SYS(sched_getparam), 245 }, - { SCMP_SYS(sched_getscheduler), 245 }, - { SCMP_SYS(fstat), 245 }, - { SCMP_SYS(clock_getres), 245 }, - { SCMP_SYS(sched_get_priority_min), 245 }, - { SCMP_SYS(sched_get_priority_max), 245 }, - { SCMP_SYS(stat), 245 }, - { SCMP_SYS(uname), 245 }, - { SCMP_SYS(eventfd2), 245 }, - { SCMP_SYS(io_getevents), 245 }, - { SCMP_SYS(dup), 245 }, - { SCMP_SYS(dup2), 245 }, - { SCMP_SYS(dup3), 245 }, - { SCMP_SYS(gettid), 245 }, - { SCMP_SYS(getgid), 245 }, - { SCMP_SYS(getegid), 245 }, - { SCMP_SYS(getuid), 245 }, - { SCMP_SYS(geteuid), 245 }, - { SCMP_SYS(timer_create), 245 }, - { SCMP_SYS(times), 245 }, - { SCMP_SYS(exit), 245 }, - { SCMP_SYS(clock_gettime), 245 }, - { SCMP_SYS(time), 245 }, - { SCMP_SYS(restart_syscall), 245 }, - { SCMP_SYS(pwrite64), 245 }, - { SCMP_SYS(nanosleep), 245 }, - { SCMP_SYS(chown), 245 }, - { SCMP_SYS(openat), 245 }, - { SCMP_SYS(getdents), 245 }, - { SCMP_SYS(timer_delete), 245 }, - { SCMP_SYS(exit_group), 245 }, - { SCMP_SYS(rt_sigreturn), 245 }, - { SCMP_SYS(sync), 245 }, - { SCMP_SYS(pread64), 245 }, - { SCMP_SYS(madvise), 245 }, - { SCMP_SYS(set_robust_list), 245 }, - { SCMP_SYS(lseek), 245 }, - { SCMP_SYS(pselect6), 245 }, - { SCMP_SYS(fork), 245 }, - { SCMP_SYS(rt_sigprocmask), 245 }, - { SCMP_SYS(write), 244 }, - { SCMP_SYS(fcntl), 243 }, - { SCMP_SYS(tgkill), 242 }, - { SCMP_SYS(kill), 242 }, - { SCMP_SYS(rt_sigaction), 242 }, - { SCMP_SYS(pipe2), 242 }, - { SCMP_SYS(munmap), 242 }, - { SCMP_SYS(mremap), 242 }, - { SCMP_SYS(fdatasync), 242 }, - { SCMP_SYS(close), 242 }, - { SCMP_SYS(rt_sigpending), 242 }, - { SCMP_SYS(rt_sigtimedwait), 242 }, - { SCMP_SYS(readv), 242 }, - { SCMP_SYS(writev), 242 }, - { SCMP_SYS(preadv), 242 }, - { SCMP_SYS(pwritev), 242 }, - { SCMP_SYS(setrlimit), 242 }, - { SCMP_SYS(ftruncate), 242 }, - { SCMP_SYS(lstat), 242 }, - { SCMP_SYS(pipe), 242 }, - { SCMP_SYS(umask), 242 }, - { SCMP_SYS(chdir), 242 }, - { SCMP_SYS(setitimer), 242 }, - { SCMP_SYS(setsid), 242 }, - { SCMP_SYS(poll), 242 }, - { SCMP_SYS(epoll_create), 242 }, - { SCMP_SYS(epoll_ctl), 242 }, - { SCMP_SYS(epoll_wait), 242 }, - { SCMP_SYS(waitpid), 242 }, - { SCMP_SYS(getsockname), 242 }, - { SCMP_SYS(getpeername), 242 }, - { SCMP_SYS(accept4), 242 }, - { SCMP_SYS(timerfd_settime), 242 }, - { SCMP_SYS(newfstatat), 241 }, - { SCMP_SYS(shutdown), 241 }, - { SCMP_SYS(getsockopt), 241 }, - { SCMP_SYS(semop), 241 }, - { SCMP_SYS(semtimedop), 241 }, - { SCMP_SYS(epoll_ctl_old), 241 }, - { SCMP_SYS(epoll_wait_old), 241 }, - { SCMP_SYS(epoll_pwait), 241 }, - { SCMP_SYS(epoll_create1), 241 }, - { SCMP_SYS(ppoll), 241 }, - { SCMP_SYS(creat), 241 }, - { SCMP_SYS(link), 241 }, - { SCMP_SYS(getpid), 241 }, - { SCMP_SYS(getppid), 241 }, - { SCMP_SYS(getpgrp), 241 }, - { SCMP_SYS(getpgid), 241 }, - { SCMP_SYS(getsid), 241 }, - { SCMP_SYS(getdents64), 241 }, - { SCMP_SYS(getresuid), 241 }, - { SCMP_SYS(getresgid), 241 }, - { SCMP_SYS(getgroups), 241 }, - { SCMP_SYS(getresuid32), 241 }, - { SCMP_SYS(getresgid32), 241 }, - { SCMP_SYS(getgroups32), 241 }, - { SCMP_SYS(signal), 241 }, - { SCMP_SYS(sigaction), 241 }, - { SCMP_SYS(sigsuspend), 241 }, - { SCMP_SYS(sigpending), 241 }, - { SCMP_SYS(truncate64), 241 }, - { SCMP_SYS(ftruncate64), 241 }, - { SCMP_SYS(fchown32), 241 }, - { SCMP_SYS(chown32), 241 }, - { SCMP_SYS(lchown32), 241 }, - { SCMP_SYS(statfs64), 241 }, - { SCMP_SYS(fstatfs64), 241 }, - { SCMP_SYS(fstatat64), 241 }, - { SCMP_SYS(lstat64), 241 }, - { SCMP_SYS(sendfile64), 241 }, - { SCMP_SYS(ugetrlimit), 241 }, - { SCMP_SYS(alarm), 241 }, - { SCMP_SYS(rt_sigsuspend), 241 }, - { SCMP_SYS(rt_sigqueueinfo), 241 }, - { SCMP_SYS(rt_tgsigqueueinfo), 241 }, - { SCMP_SYS(sigaltstack), 241 }, - { SCMP_SYS(signalfd4), 241 }, - { SCMP_SYS(truncate), 241 }, - { SCMP_SYS(fchown), 241 }, - { SCMP_SYS(lchown), 241 }, - { SCMP_SYS(fchownat), 241 }, - { SCMP_SYS(fstatfs), 241 }, - { SCMP_SYS(getitimer), 241 }, - { SCMP_SYS(syncfs), 241 }, - { SCMP_SYS(fsync), 241 }, - { SCMP_SYS(fchdir), 241 }, - { SCMP_SYS(msync), 241 }, - { SCMP_SYS(sched_setparam), 241 }, - { SCMP_SYS(sched_setscheduler), 241 }, - { SCMP_SYS(sched_yield), 241 }, - { SCMP_SYS(sched_rr_get_interval), 241 }, - { SCMP_SYS(sched_setaffinity), 241 }, - { SCMP_SYS(sched_getaffinity), 241 }, - { SCMP_SYS(readahead), 241 }, - { SCMP_SYS(timer_getoverrun), 241 }, - { SCMP_SYS(unlinkat), 241 }, - { SCMP_SYS(readlinkat), 241 }, - { SCMP_SYS(faccessat), 241 }, - { SCMP_SYS(get_robust_list), 241 }, - { SCMP_SYS(splice), 241 }, - { SCMP_SYS(vmsplice), 241 }, - { SCMP_SYS(getcpu), 241 }, - { SCMP_SYS(sendmmsg), 241 }, - { SCMP_SYS(recvmmsg), 241 }, - { SCMP_SYS(prlimit64), 241 }, - { SCMP_SYS(waitid), 241 }, - { SCMP_SYS(io_cancel), 241 }, - { SCMP_SYS(io_setup), 241 }, - { SCMP_SYS(io_destroy), 241 }, - { SCMP_SYS(arch_prctl), 240 }, - { SCMP_SYS(mkdir), 240 }, - { SCMP_SYS(fchmod), 240 }, - { SCMP_SYS(shmget), 240 }, - { SCMP_SYS(shmat), 240 }, - { SCMP_SYS(shmdt), 240 }, - { SCMP_SYS(timerfd_create), 240 }, - { SCMP_SYS(shmctl), 240 }, - { SCMP_SYS(mlockall), 240 }, - { SCMP_SYS(mlock), 240 }, - { SCMP_SYS(munlock), 240 }, - { SCMP_SYS(semctl), 240 }, - { SCMP_SYS(fallocate), 240 }, - { SCMP_SYS(fadvise64), 240 }, - { SCMP_SYS(inotify_init1), 240 }, - { SCMP_SYS(inotify_add_watch), 240 }, - { SCMP_SYS(mbind), 240 }, - { SCMP_SYS(memfd_create), 240 }, -#ifdef HAVE_CACHEFLUSH - { SCMP_SYS(cacheflush), 240 }, -#endif - { SCMP_SYS(sysinfo), 240 }, +static const struct QemuSeccompSyscall blacklist[] = { + /* default set of syscalls to blacklist */ + { SCMP_SYS(reboot), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(swapon), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(swapoff), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(syslog), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(mount), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(umount), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(kexec_load), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(afs_syscall), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(break), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(ftime), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(getpmsg), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(gtty), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(lock), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(mpx), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(prof), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(profil), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(putpmsg), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(security), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(stty), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(tuxcall), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(ulimit), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(vserver), 1, QEMU_SECCOMP_SET_DEFAULT }, }; int seccomp_start(void) @@ -262,19 +64,19 @@ int seccomp_start(void) unsigned int i = 0; scmp_filter_ctx ctx; - ctx = seccomp_init(SCMP_ACT_KILL); + ctx = seccomp_init(SCMP_ACT_ALLOW); if (ctx == NULL) { rc = -1; goto seccomp_return; } - for (i = 0; i < ARRAY_SIZE(seccomp_whitelist); i++) { - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_whitelist[i].num, 0); - if (rc < 0) { - goto seccomp_return; + for (i = 0; i < ARRAY_SIZE(blacklist); i++) { + switch (blacklist[i].set) { + default: + goto add_syscall; } - rc = seccomp_syscall_priority(ctx, seccomp_whitelist[i].num, - seccomp_whitelist[i].priority); +add_syscall: + rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, blacklist[i].num, 0); if (rc < 0) { goto seccomp_return; } diff --git a/vl.c b/vl.c index 8e247cc2a2..305531aba8 100644 --- a/vl.c +++ b/vl.c @@ -1030,7 +1030,6 @@ static int bt_parse(const char *opt) static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp) { - /* FIXME: change this to true for 1.3 */ if (qemu_opt_get_bool(opts, "enable", false)) { #ifdef CONFIG_SECCOMP if (seccomp_start() < 0) { -- 2.13.5 ^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [Qemu-devel] [PATCHv4 1/6] seccomp: changing from whitelist to blacklist 2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 1/6] seccomp: changing from whitelist to blacklist Eduardo Otubo @ 2017-09-01 11:04 ` Daniel P. Berrange 0 siblings, 0 replies; 15+ messages in thread From: Daniel P. Berrange @ 2017-09-01 11:04 UTC (permalink / raw) To: Eduardo Otubo; +Cc: qemu-devel, thuth On Fri, Sep 01, 2017 at 12:58:13PM +0200, Eduardo Otubo wrote: > This patch changes the default behavior of the seccomp filter from > whitelist to blacklist. By default now all system calls are allowed and > a small black list of definitely forbidden ones was created. > > Signed-off-by: Eduardo Otubo <otubo@redhat.com> > --- > include/sysemu/seccomp.h | 2 + > qemu-seccomp.c | 264 ++++++----------------------------------------- > vl.c | 1 - > 3 files changed, 35 insertions(+), 232 deletions(-) > > diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h > index cfc06008cb..23b9c3c789 100644 > --- a/include/sysemu/seccomp.h > +++ b/include/sysemu/seccomp.h > + for (i = 0; i < ARRAY_SIZE(blacklist); i++) { > + switch (blacklist[i].set) { > + default: > + goto add_syscall; This goto rule is pointless - just use 'break' > } > - rc = seccomp_syscall_priority(ctx, seccomp_whitelist[i].num, > - seccomp_whitelist[i].priority); > +add_syscall: > + rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, blacklist[i].num, 0); > if (rc < 0) { > goto seccomp_return; > } Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| ^ permalink raw reply [flat|nested] 15+ messages in thread
* [Qemu-devel] [PATCHv4 2/6] seccomp: add obsolete argument to command line 2017-09-01 10:58 [Qemu-devel] [PATCHv4 0/6] seccomp: feature refactoring Eduardo Otubo 2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 1/6] seccomp: changing from whitelist to blacklist Eduardo Otubo @ 2017-09-01 10:58 ` Eduardo Otubo 2017-09-01 11:05 ` Daniel P. Berrange 2017-09-07 9:57 ` Daniel P. Berrange 2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 3/6] seccomp: add elevateprivileges " Eduardo Otubo ` (4 subsequent siblings) 6 siblings, 2 replies; 15+ messages in thread From: Eduardo Otubo @ 2017-09-01 10:58 UTC (permalink / raw) To: qemu-devel; +Cc: berrange, thuth This patch introduces the argument [,obsolete=allow] to the `-sandbox on' option. It allows Qemu to run safely on old system that still relies on old system calls. Signed-off-by: Eduardo Otubo <otubo@redhat.com> --- include/sysemu/seccomp.h | 3 ++- qemu-options.hx | 12 ++++++++++-- qemu-seccomp.c | 23 ++++++++++++++++++++++- vl.c | 22 +++++++++++++++++++++- 4 files changed, 55 insertions(+), 5 deletions(-) diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h index 23b9c3c789..215138a372 100644 --- a/include/sysemu/seccomp.h +++ b/include/sysemu/seccomp.h @@ -16,8 +16,9 @@ #define QEMU_SECCOMP_H #define QEMU_SECCOMP_SET_DEFAULT (1 << 0) +#define QEMU_SECCOMP_SET_OBSOLETE (1 << 1) #include <seccomp.h> -int seccomp_start(void); +int seccomp_start(uint32_t seccomp_opts); #endif diff --git a/qemu-options.hx b/qemu-options.hx index 9f6e2adfff..72150c6b84 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -4017,13 +4017,21 @@ Old param mode (ARM only). ETEXI DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ - "-sandbox <arg> Enable seccomp mode 2 system call filter (default 'off').\n", + "-sandbox on[,obsolete=allow|deny]\n" \ + " Enable seccomp mode 2 system call filter (default 'off').\n" \ + " use 'obsolete' to allow obsolete system calls that are provided\n" \ + " by the kernel, but typically no longer used by modern\n" \ + " C library implementations.\n", QEMU_ARCH_ALL) STEXI -@item -sandbox @var{arg} +@item -sandbox @var{arg}[,obsolete=@var{string}] @findex -sandbox Enable Seccomp mode 2 system call filter. 'on' will enable syscall filtering and 'off' will disable it. The default is 'off'. +@table @option +@item obsolete=@var{string} +Enable Obsolete system calls +@end table ETEXI DEF("readconfig", HAS_ARG, QEMU_OPTION_readconfig, diff --git a/qemu-seccomp.c b/qemu-seccomp.c index 585de42a97..3e3f15cc08 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -56,9 +56,22 @@ static const struct QemuSeccompSyscall blacklist[] = { { SCMP_SYS(tuxcall), 1, QEMU_SECCOMP_SET_DEFAULT }, { SCMP_SYS(ulimit), 1, QEMU_SECCOMP_SET_DEFAULT }, { SCMP_SYS(vserver), 1, QEMU_SECCOMP_SET_DEFAULT }, + /* obsolete */ + { SCMP_SYS(readdir), 2, QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(_sysctl), 2, QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(bdflush), 2, QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(create_module), 2, QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(get_kernel_syms), 2, QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(query_module), 2, QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(sgetmask), 2, QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(ssetmask), 2, QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(sysfs), 2, QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(uselib), 2, QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(ustat), 2, QEMU_SECCOMP_SET_OBSOLETE }, }; -int seccomp_start(void) + +int seccomp_start(uint32_t seccomp_opts) { int rc = 0; unsigned int i = 0; @@ -72,6 +85,14 @@ int seccomp_start(void) for (i = 0; i < ARRAY_SIZE(blacklist); i++) { switch (blacklist[i].set) { + case QEMU_SECCOMP_SET_OBSOLETE: + if (!(seccomp_opts & QEMU_SECCOMP_SET_OBSOLETE)) { + goto add_syscall; + } else { + continue; + } + + break; default: goto add_syscall; } diff --git a/vl.c b/vl.c index 305531aba8..ca267f9918 100644 --- a/vl.c +++ b/vl.c @@ -271,6 +271,10 @@ static QemuOptsList qemu_sandbox_opts = { .name = "enable", .type = QEMU_OPT_BOOL, }, + { + .name = "obsolete", + .type = QEMU_OPT_STRING, + }, { /* end of list */ } }, }; @@ -1032,7 +1036,23 @@ static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp) { if (qemu_opt_get_bool(opts, "enable", false)) { #ifdef CONFIG_SECCOMP - if (seccomp_start() < 0) { + uint32_t seccomp_opts = 0x00000; + const char *value = NULL; + + value = qemu_opt_get(opts, "obsolete"); + if (value) { + if (strcmp(value, "allow") == 0) { + seccomp_opts |= QEMU_SECCOMP_SET_OBSOLETE; + } else if (strcmp(value, "deny")) { + /* this is the default option, this if is here + * to provide a little bit of consistency for + * the command line */ + } else { + error_report("invalid argument for obsolete"); + } + } + + if (seccomp_start(seccomp_opts) < 0) { error_report("failed to install seccomp syscall filter " "in the kernel"); return -1; -- 2.13.5 ^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [Qemu-devel] [PATCHv4 2/6] seccomp: add obsolete argument to command line 2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 2/6] seccomp: add obsolete argument to command line Eduardo Otubo @ 2017-09-01 11:05 ` Daniel P. Berrange 2017-09-07 9:31 ` Eduardo Otubo 2017-09-07 9:57 ` Daniel P. Berrange 1 sibling, 1 reply; 15+ messages in thread From: Daniel P. Berrange @ 2017-09-01 11:05 UTC (permalink / raw) To: Eduardo Otubo; +Cc: qemu-devel, thuth On Fri, Sep 01, 2017 at 12:58:14PM +0200, Eduardo Otubo wrote: > This patch introduces the argument [,obsolete=allow] to the `-sandbox on' > option. It allows Qemu to run safely on old system that still relies on > old system calls. > > Signed-off-by: Eduardo Otubo <otubo@redhat.com> > --- > include/sysemu/seccomp.h | 3 ++- > qemu-options.hx | 12 ++++++++++-- > qemu-seccomp.c | 23 ++++++++++++++++++++++- > vl.c | 22 +++++++++++++++++++++- > 4 files changed, 55 insertions(+), 5 deletions(-) > > @@ -72,6 +85,14 @@ int seccomp_start(void) > > for (i = 0; i < ARRAY_SIZE(blacklist); i++) { > switch (blacklist[i].set) { > + case QEMU_SECCOMP_SET_OBSOLETE: > + if (!(seccomp_opts & QEMU_SECCOMP_SET_OBSOLETE)) { > + goto add_syscall; > + } else { > + continue; > + } > + > + break; THis can be simplified: if ((seccomp_opts & QEMU_SECCOMP_SET_OBSOLETE)) { continue; } break; thus avoiding need to 'goto' Likewise for all following patches > default: > goto add_syscall; > } Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Qemu-devel] [PATCHv4 2/6] seccomp: add obsolete argument to command line 2017-09-01 11:05 ` Daniel P. Berrange @ 2017-09-07 9:31 ` Eduardo Otubo 2017-09-07 9:59 ` Daniel P. Berrange 0 siblings, 1 reply; 15+ messages in thread From: Eduardo Otubo @ 2017-09-07 9:31 UTC (permalink / raw) To: Daniel P. Berrange; +Cc: thuth, qemu-devel On Fri, Sep 01, 2017 at 12:05:41PM +0100, Daniel P. Berrange wrote: > On Fri, Sep 01, 2017 at 12:58:14PM +0200, Eduardo Otubo wrote: > > This patch introduces the argument [,obsolete=allow] to the `-sandbox on' > > option. It allows Qemu to run safely on old system that still relies on > > old system calls. > > > > Signed-off-by: Eduardo Otubo <otubo@redhat.com> > > --- > > include/sysemu/seccomp.h | 3 ++- > > qemu-options.hx | 12 ++++++++++-- > > qemu-seccomp.c | 23 ++++++++++++++++++++++- > > vl.c | 22 +++++++++++++++++++++- > > 4 files changed, 55 insertions(+), 5 deletions(-) > > > > > @@ -72,6 +85,14 @@ int seccomp_start(void) > > > > for (i = 0; i < ARRAY_SIZE(blacklist); i++) { > > switch (blacklist[i].set) { > > + case QEMU_SECCOMP_SET_OBSOLETE: > > + if (!(seccomp_opts & QEMU_SECCOMP_SET_OBSOLETE)) { > > + goto add_syscall; > > + } else { > > + continue; > > + } > > + > > + break; > > THis can be simplified: > > if ((seccomp_opts & QEMU_SECCOMP_SET_OBSOLETE)) { > continue; > } > > break; > > thus avoiding need to 'goto' > > Likewise for all following patches Do you think there's anything else to fix on this series? if nothing else emerges, I'll send the v5 tomorrow (also with the style fixes). -- Eduardo Otubo Senior Software Engineer @ RedHat ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Qemu-devel] [PATCHv4 2/6] seccomp: add obsolete argument to command line 2017-09-07 9:31 ` Eduardo Otubo @ 2017-09-07 9:59 ` Daniel P. Berrange 0 siblings, 0 replies; 15+ messages in thread From: Daniel P. Berrange @ 2017-09-07 9:59 UTC (permalink / raw) To: Eduardo Otubo; +Cc: thuth, qemu-devel On Thu, Sep 07, 2017 at 11:31:04AM +0200, Eduardo Otubo wrote: > On Fri, Sep 01, 2017 at 12:05:41PM +0100, Daniel P. Berrange wrote: > > On Fri, Sep 01, 2017 at 12:58:14PM +0200, Eduardo Otubo wrote: > > > This patch introduces the argument [,obsolete=allow] to the `-sandbox on' > > > option. It allows Qemu to run safely on old system that still relies on > > > old system calls. > > > > > > Signed-off-by: Eduardo Otubo <otubo@redhat.com> > > > --- > > > include/sysemu/seccomp.h | 3 ++- > > > qemu-options.hx | 12 ++++++++++-- > > > qemu-seccomp.c | 23 ++++++++++++++++++++++- > > > vl.c | 22 +++++++++++++++++++++- > > > 4 files changed, 55 insertions(+), 5 deletions(-) > > > > > > > > @@ -72,6 +85,14 @@ int seccomp_start(void) > > > > > > for (i = 0; i < ARRAY_SIZE(blacklist); i++) { > > > switch (blacklist[i].set) { > > > + case QEMU_SECCOMP_SET_OBSOLETE: > > > + if (!(seccomp_opts & QEMU_SECCOMP_SET_OBSOLETE)) { > > > + goto add_syscall; > > > + } else { > > > + continue; > > > + } > > > + > > > + break; > > > > THis can be simplified: > > > > if ((seccomp_opts & QEMU_SECCOMP_SET_OBSOLETE)) { > > continue; > > } > > > > break; > > > > thus avoiding need to 'goto' > > > > Likewise for all following patches > > Do you think there's anything else to fix on this series? if nothing > else emerges, I'll send the v5 tomorrow (also with the style fixes). I just sent one more comment, but apart from the that & the style fixes it looks good to me. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Qemu-devel] [PATCHv4 2/6] seccomp: add obsolete argument to command line 2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 2/6] seccomp: add obsolete argument to command line Eduardo Otubo 2017-09-01 11:05 ` Daniel P. Berrange @ 2017-09-07 9:57 ` Daniel P. Berrange 1 sibling, 0 replies; 15+ messages in thread From: Daniel P. Berrange @ 2017-09-07 9:57 UTC (permalink / raw) To: Eduardo Otubo; +Cc: qemu-devel, thuth On Fri, Sep 01, 2017 at 12:58:14PM +0200, Eduardo Otubo wrote: > This patch introduces the argument [,obsolete=allow] to the `-sandbox on' > option. It allows Qemu to run safely on old system that still relies on > old system calls. > > Signed-off-by: Eduardo Otubo <otubo@redhat.com> > --- > include/sysemu/seccomp.h | 3 ++- > qemu-options.hx | 12 ++++++++++-- > qemu-seccomp.c | 23 ++++++++++++++++++++++- > vl.c | 22 +++++++++++++++++++++- > 4 files changed, 55 insertions(+), 5 deletions(-) > > @@ -1032,7 +1036,23 @@ static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp) > { > if (qemu_opt_get_bool(opts, "enable", false)) { > #ifdef CONFIG_SECCOMP > - if (seccomp_start() < 0) { > + uint32_t seccomp_opts = 0x00000; > + const char *value = NULL; > + > + value = qemu_opt_get(opts, "obsolete"); > + if (value) { > + if (strcmp(value, "allow") == 0) { I would have a slight preference for g_str_equal(value, "allow") > + seccomp_opts |= QEMU_SECCOMP_SET_OBSOLETE; > + } else if (strcmp(value, "deny")) { and !g_str_equal(value, "deny") > + /* this is the default option, this if is here > + * to provide a little bit of consistency for > + * the command line */ > + } else { > + error_report("invalid argument for obsolete"); > + } There seem to be tabs for indent here too > + } > + > + if (seccomp_start(seccomp_opts) < 0) { > error_report("failed to install seccomp syscall filter " > "in the kernel"); > return -1; > -- > 2.13.5 > Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| ^ permalink raw reply [flat|nested] 15+ messages in thread
* [Qemu-devel] [PATCHv4 3/6] seccomp: add elevateprivileges argument to command line 2017-09-01 10:58 [Qemu-devel] [PATCHv4 0/6] seccomp: feature refactoring Eduardo Otubo 2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 1/6] seccomp: changing from whitelist to blacklist Eduardo Otubo 2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 2/6] seccomp: add obsolete argument to command line Eduardo Otubo @ 2017-09-01 10:58 ` Eduardo Otubo 2017-09-07 9:58 ` Daniel P. Berrange 2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 4/6] seccomp: add spawn " Eduardo Otubo ` (3 subsequent siblings) 6 siblings, 1 reply; 15+ messages in thread From: Eduardo Otubo @ 2017-09-01 10:58 UTC (permalink / raw) To: qemu-devel; +Cc: berrange, thuth This patch introduces the new argument [,elevateprivileges=allow|deny|children] to the `-sandbox on'. It allows or denies Qemu process to elevate its privileges by blacklisting all set*uid|gid system calls. The 'children' option will let forks and execves run unprivileged. Signed-off-by: Eduardo Otubo <otubo@redhat.com> --- include/sysemu/seccomp.h | 1 + qemu-options.hx | 12 +++++++++--- qemu-seccomp.c | 29 ++++++++++++++++++----------- vl.c | 27 +++++++++++++++++++++++++++ 4 files changed, 55 insertions(+), 14 deletions(-) diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h index 215138a372..4a9e63c7cd 100644 --- a/include/sysemu/seccomp.h +++ b/include/sysemu/seccomp.h @@ -17,6 +17,7 @@ #define QEMU_SECCOMP_SET_DEFAULT (1 << 0) #define QEMU_SECCOMP_SET_OBSOLETE (1 << 1) +#define QEMU_SECCOMP_SET_PRIVILEGED (1 << 2) #include <seccomp.h> diff --git a/qemu-options.hx b/qemu-options.hx index 72150c6b84..5c1b163fb5 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -4017,20 +4017,26 @@ Old param mode (ARM only). ETEXI DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ - "-sandbox on[,obsolete=allow|deny]\n" \ + "-sandbox on[,obsolete=allow|deny][,elevateprivileges=allow|deny|children]\n" \ " Enable seccomp mode 2 system call filter (default 'off').\n" \ " use 'obsolete' to allow obsolete system calls that are provided\n" \ " by the kernel, but typically no longer used by modern\n" \ - " C library implementations.\n", + " C library implementations.\n" \ + " use 'elevateprivileges' to allow or deny QEMU process to elevate\n" \ + " its privileges by blacklisting all set*uid|gid system calls.\n" \ + " The value 'children' will deny set*uid|gid system calls for\n" \ + " main QEMU process but will allow forks and execves to run unprivileged\n", QEMU_ARCH_ALL) STEXI -@item -sandbox @var{arg}[,obsolete=@var{string}] +@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}] @findex -sandbox Enable Seccomp mode 2 system call filter. 'on' will enable syscall filtering and 'off' will disable it. The default is 'off'. @table @option @item obsolete=@var{string} Enable Obsolete system calls +@item elevateprivileges=@var{string} +Disable set*uid|gid system calls @end table ETEXI diff --git a/qemu-seccomp.c b/qemu-seccomp.c index 3e3f15cc08..16c8c20132 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -57,17 +57,16 @@ static const struct QemuSeccompSyscall blacklist[] = { { SCMP_SYS(ulimit), 1, QEMU_SECCOMP_SET_DEFAULT }, { SCMP_SYS(vserver), 1, QEMU_SECCOMP_SET_DEFAULT }, /* obsolete */ - { SCMP_SYS(readdir), 2, QEMU_SECCOMP_SET_OBSOLETE }, - { SCMP_SYS(_sysctl), 2, QEMU_SECCOMP_SET_OBSOLETE }, - { SCMP_SYS(bdflush), 2, QEMU_SECCOMP_SET_OBSOLETE }, - { SCMP_SYS(create_module), 2, QEMU_SECCOMP_SET_OBSOLETE }, - { SCMP_SYS(get_kernel_syms), 2, QEMU_SECCOMP_SET_OBSOLETE }, - { SCMP_SYS(query_module), 2, QEMU_SECCOMP_SET_OBSOLETE }, - { SCMP_SYS(sgetmask), 2, QEMU_SECCOMP_SET_OBSOLETE }, - { SCMP_SYS(ssetmask), 2, QEMU_SECCOMP_SET_OBSOLETE }, - { SCMP_SYS(sysfs), 2, QEMU_SECCOMP_SET_OBSOLETE }, - { SCMP_SYS(uselib), 2, QEMU_SECCOMP_SET_OBSOLETE }, - { SCMP_SYS(ustat), 2, QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(setuid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setgid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setpgid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setsid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setreuid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setregid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setresuid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setresgid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setfsuid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setfsgid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, }; @@ -93,6 +92,14 @@ int seccomp_start(uint32_t seccomp_opts) } break; + case QEMU_SECCOMP_SET_PRIVILEGED: + if (seccomp_opts & QEMU_SECCOMP_SET_PRIVILEGED) { + goto add_syscall; + } else { + continue; + } + + break; default: goto add_syscall; } diff --git a/vl.c b/vl.c index ca267f9918..1d44b05772 100644 --- a/vl.c +++ b/vl.c @@ -29,6 +29,7 @@ #ifdef CONFIG_SECCOMP #include "sysemu/seccomp.h" +#include "sys/prctl.h" #endif #if defined(CONFIG_VDE) @@ -275,6 +276,10 @@ static QemuOptsList qemu_sandbox_opts = { .name = "obsolete", .type = QEMU_OPT_STRING, }, + { + .name = "elevateprivileges", + .type = QEMU_OPT_STRING, + }, { /* end of list */ } }, }; @@ -1052,6 +1057,28 @@ static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp) } } + value = qemu_opt_get(opts, "elevateprivileges"); + if (value) { + if (strcmp(value, "deny") == 0) { + seccomp_opts |= QEMU_SECCOMP_SET_PRIVILEGED; + } else if (strcmp(value, "children") == 0) { + seccomp_opts |= QEMU_SECCOMP_SET_PRIVILEGED; + + /* calling prctl directly because we're + * not sure if host has CAP_SYS_ADMIN set*/ + if (prctl(PR_SET_NO_NEW_PRIVS, 1)) { + error_report("failed to set no_new_privs " + "aborting"); + return -1; + } + } else if (strcmp(value, "allow") == 0) { + /* default value */ + } else { + error_report("invalid argument for elevateprivileges"); + return -1; + } + } + if (seccomp_start(seccomp_opts) < 0) { error_report("failed to install seccomp syscall filter " "in the kernel"); -- 2.13.5 ^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [Qemu-devel] [PATCHv4 3/6] seccomp: add elevateprivileges argument to command line 2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 3/6] seccomp: add elevateprivileges " Eduardo Otubo @ 2017-09-07 9:58 ` Daniel P. Berrange 0 siblings, 0 replies; 15+ messages in thread From: Daniel P. Berrange @ 2017-09-07 9:58 UTC (permalink / raw) To: Eduardo Otubo; +Cc: qemu-devel, thuth On Fri, Sep 01, 2017 at 12:58:15PM +0200, Eduardo Otubo wrote: > This patch introduces the new argument > [,elevateprivileges=allow|deny|children] to the `-sandbox on'. It allows > or denies Qemu process to elevate its privileges by blacklisting all > set*uid|gid system calls. The 'children' option will let forks and > execves run unprivileged. > > Signed-off-by: Eduardo Otubo <otubo@redhat.com> > --- > include/sysemu/seccomp.h | 1 + > qemu-options.hx | 12 +++++++++--- > qemu-seccomp.c | 29 ++++++++++++++++++----------- > vl.c | 27 +++++++++++++++++++++++++++ > 4 files changed, 55 insertions(+), 14 deletions(-) > diff --git a/vl.c b/vl.c > index ca267f9918..1d44b05772 100644 > --- a/vl.c > +++ b/vl.c > @@ -29,6 +29,7 @@ > > #ifdef CONFIG_SECCOMP > #include "sysemu/seccomp.h" > +#include "sys/prctl.h" > #endif > > #if defined(CONFIG_VDE) > @@ -275,6 +276,10 @@ static QemuOptsList qemu_sandbox_opts = { > .name = "obsolete", > .type = QEMU_OPT_STRING, > }, > + { > + .name = "elevateprivileges", > + .type = QEMU_OPT_STRING, > + }, > { /* end of list */ } > }, > }; > @@ -1052,6 +1057,28 @@ static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp) > } > } > > + value = qemu_opt_get(opts, "elevateprivileges"); > + if (value) { > + if (strcmp(value, "deny") == 0) { > + seccomp_opts |= QEMU_SECCOMP_SET_PRIVILEGED; > + } else if (strcmp(value, "children") == 0) { > + seccomp_opts |= QEMU_SECCOMP_SET_PRIVILEGED; > + > + /* calling prctl directly because we're > + * not sure if host has CAP_SYS_ADMIN set*/ > + if (prctl(PR_SET_NO_NEW_PRIVS, 1)) { > + error_report("failed to set no_new_privs " > + "aborting"); > + return -1; > + } > + } else if (strcmp(value, "allow") == 0) { > + /* default value */ Again slight preference for g_str_equal() in all these checks. > + } else { > + error_report("invalid argument for elevateprivileges"); > + return -1; > + } > + } > + > if (seccomp_start(seccomp_opts) < 0) { > error_report("failed to install seccomp syscall filter " > "in the kernel"); Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| ^ permalink raw reply [flat|nested] 15+ messages in thread
* [Qemu-devel] [PATCHv4 4/6] seccomp: add spawn argument to command line 2017-09-01 10:58 [Qemu-devel] [PATCHv4 0/6] seccomp: feature refactoring Eduardo Otubo ` (2 preceding siblings ...) 2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 3/6] seccomp: add elevateprivileges " Eduardo Otubo @ 2017-09-01 10:58 ` Eduardo Otubo 2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 5/6] seccomp: add resourcecontrol " Eduardo Otubo ` (2 subsequent siblings) 6 siblings, 0 replies; 15+ messages in thread From: Eduardo Otubo @ 2017-09-01 10:58 UTC (permalink / raw) To: qemu-devel; +Cc: berrange, thuth This patch adds [,spawn=deny] argument to `-sandbox on' option. It blacklists fork and execve system calls, avoiding Qemu to spawn new threads or processes. Signed-off-by: Eduardo Otubo <otubo@redhat.com> --- include/sysemu/seccomp.h | 1 + qemu-options.hx | 9 +++++++-- qemu-seccomp.c | 12 ++++++++++++ vl.c | 16 ++++++++++++++++ 4 files changed, 36 insertions(+), 2 deletions(-) diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h index 4a9e63c7cd..3ab5fc4f61 100644 --- a/include/sysemu/seccomp.h +++ b/include/sysemu/seccomp.h @@ -18,6 +18,7 @@ #define QEMU_SECCOMP_SET_DEFAULT (1 << 0) #define QEMU_SECCOMP_SET_OBSOLETE (1 << 1) #define QEMU_SECCOMP_SET_PRIVILEGED (1 << 2) +#define QEMU_SECCOMP_SET_SPAWN (1 << 3) #include <seccomp.h> diff --git a/qemu-options.hx b/qemu-options.hx index 5c1b163fb5..2b04b9f170 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -4018,6 +4018,7 @@ ETEXI DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ "-sandbox on[,obsolete=allow|deny][,elevateprivileges=allow|deny|children]\n" \ + " [,spawn=allow|deny]\n" \ " Enable seccomp mode 2 system call filter (default 'off').\n" \ " use 'obsolete' to allow obsolete system calls that are provided\n" \ " by the kernel, but typically no longer used by modern\n" \ @@ -4025,10 +4026,12 @@ DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ " use 'elevateprivileges' to allow or deny QEMU process to elevate\n" \ " its privileges by blacklisting all set*uid|gid system calls.\n" \ " The value 'children' will deny set*uid|gid system calls for\n" \ - " main QEMU process but will allow forks and execves to run unprivileged\n", + " main QEMU process but will allow forks and execves to run unprivileged\n" \ + " use 'spawn' to avoid QEMU to spawn new threads or processes by\n" \ + " blacklisting *fork and execve\n", QEMU_ARCH_ALL) STEXI -@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}] +@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}][,spawn=@var{string}] @findex -sandbox Enable Seccomp mode 2 system call filter. 'on' will enable syscall filtering and 'off' will disable it. The default is 'off'. @@ -4037,6 +4040,8 @@ disable it. The default is 'off'. Enable Obsolete system calls @item elevateprivileges=@var{string} Disable set*uid|gid system calls +@item spawn=@var{string} +Disable *fork and execve @end table ETEXI diff --git a/qemu-seccomp.c b/qemu-seccomp.c index 16c8c20132..51754ace71 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -67,6 +67,10 @@ static const struct QemuSeccompSyscall blacklist[] = { { SCMP_SYS(setresgid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, { SCMP_SYS(setfsuid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, { SCMP_SYS(setfsgid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, + /* spawn */ + { SCMP_SYS(fork), 8, QEMU_SECCOMP_SET_SPAWN }, + { SCMP_SYS(vfork), 8, QEMU_SECCOMP_SET_SPAWN }, + { SCMP_SYS(execve), 8, QEMU_SECCOMP_SET_SPAWN }, }; @@ -100,6 +104,14 @@ int seccomp_start(uint32_t seccomp_opts) } break; + case QEMU_SECCOMP_SET_SPAWN: + if (seccomp_opts & QEMU_SECCOMP_SET_SPAWN) { + goto add_syscall; + } else { + continue; + } + + break; default: goto add_syscall; } diff --git a/vl.c b/vl.c index 1d44b05772..8e6b252f8f 100644 --- a/vl.c +++ b/vl.c @@ -280,6 +280,10 @@ static QemuOptsList qemu_sandbox_opts = { .name = "elevateprivileges", .type = QEMU_OPT_STRING, }, + { + .name = "spawn", + .type = QEMU_OPT_STRING, + }, { /* end of list */ } }, }; @@ -1079,6 +1083,18 @@ static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp) } } + value = qemu_opt_get(opts, "spawn"); + if (value) { + if (strcmp(value, "deny") == 0) { + seccomp_opts |= QEMU_SECCOMP_SET_SPAWN; + } else if (strcmp(value, "allow") == 0) { + /* default value */ + } else { + error_report("invalid argument for spawn"); + return -1; + } + } + if (seccomp_start(seccomp_opts) < 0) { error_report("failed to install seccomp syscall filter " "in the kernel"); -- 2.13.5 ^ permalink raw reply related [flat|nested] 15+ messages in thread
* [Qemu-devel] [PATCHv4 5/6] seccomp: add resourcecontrol argument to command line 2017-09-01 10:58 [Qemu-devel] [PATCHv4 0/6] seccomp: feature refactoring Eduardo Otubo ` (3 preceding siblings ...) 2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 4/6] seccomp: add spawn " Eduardo Otubo @ 2017-09-01 10:58 ` Eduardo Otubo 2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 6/6] seccomp: adding documentation to new seccomp model Eduardo Otubo 2017-09-01 11:32 ` [Qemu-devel] [PATCHv4 0/6] seccomp: feature refactoring no-reply 6 siblings, 0 replies; 15+ messages in thread From: Eduardo Otubo @ 2017-09-01 10:58 UTC (permalink / raw) To: qemu-devel; +Cc: berrange, thuth This patch adds [,resourcecontrol=deny] to `-sandbox on' option. It blacklists all process affinity and scheduler priority system calls to avoid any bigger of the process. Signed-off-by: Eduardo Otubo <otubo@redhat.com> --- include/sysemu/seccomp.h | 1 + qemu-options.hx | 9 ++++++--- qemu-seccomp.c | 19 +++++++++++++++++++ vl.c | 16 ++++++++++++++++ 4 files changed, 42 insertions(+), 3 deletions(-) diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h index 3ab5fc4f61..e67c2dc840 100644 --- a/include/sysemu/seccomp.h +++ b/include/sysemu/seccomp.h @@ -19,6 +19,7 @@ #define QEMU_SECCOMP_SET_OBSOLETE (1 << 1) #define QEMU_SECCOMP_SET_PRIVILEGED (1 << 2) #define QEMU_SECCOMP_SET_SPAWN (1 << 3) +#define QEMU_SECCOMP_SET_RESOURCECTL (1 << 4) #include <seccomp.h> diff --git a/qemu-options.hx b/qemu-options.hx index 2b04b9f170..600614f6e5 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -4018,7 +4018,7 @@ ETEXI DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ "-sandbox on[,obsolete=allow|deny][,elevateprivileges=allow|deny|children]\n" \ - " [,spawn=allow|deny]\n" \ + " [,spawn=allow|deny][,resourcecontrol=allow|deny]\n" \ " Enable seccomp mode 2 system call filter (default 'off').\n" \ " use 'obsolete' to allow obsolete system calls that are provided\n" \ " by the kernel, but typically no longer used by modern\n" \ @@ -4028,10 +4028,11 @@ DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ " The value 'children' will deny set*uid|gid system calls for\n" \ " main QEMU process but will allow forks and execves to run unprivileged\n" \ " use 'spawn' to avoid QEMU to spawn new threads or processes by\n" \ - " blacklisting *fork and execve\n", + " blacklisting *fork and execve\n" \ + " use 'resourcecontrol' to disable process affinity and schedular priority\n", QEMU_ARCH_ALL) STEXI -@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}][,spawn=@var{string}] +@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}][,spawn=@var{string}][,resourcecontrol=@var{string}] @findex -sandbox Enable Seccomp mode 2 system call filter. 'on' will enable syscall filtering and 'off' will disable it. The default is 'off'. @@ -4042,6 +4043,8 @@ Enable Obsolete system calls Disable set*uid|gid system calls @item spawn=@var{string} Disable *fork and execve +@item resourcecontrol=@var{string} +Disable process affinity and schedular priority @end table ETEXI diff --git a/qemu-seccomp.c b/qemu-seccomp.c index 51754ace71..ae787a4312 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -71,6 +71,17 @@ static const struct QemuSeccompSyscall blacklist[] = { { SCMP_SYS(fork), 8, QEMU_SECCOMP_SET_SPAWN }, { SCMP_SYS(vfork), 8, QEMU_SECCOMP_SET_SPAWN }, { SCMP_SYS(execve), 8, QEMU_SECCOMP_SET_SPAWN }, + /* resource control */ + { SCMP_SYS(getpriority), 16, QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(setpriority), 16, QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(sched_setparam), 16, QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(sched_getparam), 16, QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(sched_setscheduler), 16, QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(sched_getscheduler), 16, QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(sched_setaffinity), 16, QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(sched_getaffinity), 16, QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(sched_get_priority_max),16, QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(sched_get_priority_min),16, QEMU_SECCOMP_SET_RESOURCECTL }, }; @@ -112,6 +123,14 @@ int seccomp_start(uint32_t seccomp_opts) } break; + case QEMU_SECCOMP_SET_RESOURCECTL: + if (seccomp_opts & QEMU_SECCOMP_SET_RESOURCECTL) { + goto add_syscall; + } else { + continue; + } + + break; default: goto add_syscall; } diff --git a/vl.c b/vl.c index 8e6b252f8f..563e7206ac 100644 --- a/vl.c +++ b/vl.c @@ -284,6 +284,10 @@ static QemuOptsList qemu_sandbox_opts = { .name = "spawn", .type = QEMU_OPT_STRING, }, + { + .name = "resourcecontrol", + .type = QEMU_OPT_STRING, + }, { /* end of list */ } }, }; @@ -1095,6 +1099,18 @@ static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp) } } + value = qemu_opt_get(opts, "resourcecontrol"); + if (value) { + if (strcmp(value, "deny") == 0) { + seccomp_opts |= QEMU_SECCOMP_SET_RESOURCECTL; + } else if (strcmp(value, "allow") == 0) { + /* default value */ + } else { + error_report("invalid argument for resourcecontrol"); + return -1; + } + } + if (seccomp_start(seccomp_opts) < 0) { error_report("failed to install seccomp syscall filter " "in the kernel"); -- 2.13.5 ^ permalink raw reply related [flat|nested] 15+ messages in thread
* [Qemu-devel] [PATCHv4 6/6] seccomp: adding documentation to new seccomp model 2017-09-01 10:58 [Qemu-devel] [PATCHv4 0/6] seccomp: feature refactoring Eduardo Otubo ` (4 preceding siblings ...) 2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 5/6] seccomp: add resourcecontrol " Eduardo Otubo @ 2017-09-01 10:58 ` Eduardo Otubo 2017-09-01 11:03 ` Daniel P. Berrange 2017-09-01 11:32 ` [Qemu-devel] [PATCHv4 0/6] seccomp: feature refactoring no-reply 6 siblings, 1 reply; 15+ messages in thread From: Eduardo Otubo @ 2017-09-01 10:58 UTC (permalink / raw) To: qemu-devel; +Cc: berrange, thuth Adding new documentation under docs/ to describe every one and each new option added by the refactoring patchset. Signed-off-by: Eduardo Otubo <otubo@redhat.com> --- docs/seccomp.txt | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 docs/seccomp.txt diff --git a/docs/seccomp.txt b/docs/seccomp.txt new file mode 100644 index 0000000000..a5eca85a9b --- /dev/null +++ b/docs/seccomp.txt @@ -0,0 +1,31 @@ +QEMU Seccomp system call filter +=============================== + +Starting from QEMU version 2.11, the seccomp filter does not work as a +whitelist but as a blacklist instead. This method allows safer deploys since +only the strictly forbidden system calls will be black-listed and the +possibility of breaking any workload is close to zero. + +The default option (-sandbox on) has a slightly looser security though and the +reason is that it shouldn't break any backwards compatibility with previous +deploys and command lines already running. But if the intent is to have a +better security from this version on, one should make use of the following +additional options properly: + +* obsolete=allow|deny: It allows Qemu to run safely on old system that still + relies on old system calls. + +* elevateprivileges=allow|deny|children: It allows or denies Qemu process + to elevate its privileges by blacklisting all set*uid|gid system calls. The + 'children' option sets the PR_SET_NO_NEW_PRIVS to 1 which allows helpers + (forks and execs) to run unprivileged. + +* spawn=allow|deny: It blacklists fork and execve system calls, avoiding QEMU to + spawn new threads or processes. + +* resourcecontrol=allow|deny: It blacklists all process affinity and scheduler + priority system calls to avoid that the process can increase its amount of + allowed resource consumption. + +-- +Eduardo Otubo <otubo@redhat.com> -- 2.13.5 ^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [Qemu-devel] [PATCHv4 6/6] seccomp: adding documentation to new seccomp model 2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 6/6] seccomp: adding documentation to new seccomp model Eduardo Otubo @ 2017-09-01 11:03 ` Daniel P. Berrange 0 siblings, 0 replies; 15+ messages in thread From: Daniel P. Berrange @ 2017-09-01 11:03 UTC (permalink / raw) To: Eduardo Otubo; +Cc: qemu-devel, thuth On Fri, Sep 01, 2017 at 12:58:18PM +0200, Eduardo Otubo wrote: > Adding new documentation under docs/ to describe every one and each new > option added by the refactoring patchset. > > Signed-off-by: Eduardo Otubo <otubo@redhat.com> > --- > docs/seccomp.txt | 31 +++++++++++++++++++++++++++++++ > 1 file changed, 31 insertions(+) > create mode 100644 docs/seccomp.txt > > diff --git a/docs/seccomp.txt b/docs/seccomp.txt > new file mode 100644 > index 0000000000..a5eca85a9b > --- /dev/null > +++ b/docs/seccomp.txt > @@ -0,0 +1,31 @@ > +QEMU Seccomp system call filter > +=============================== > + > +Starting from QEMU version 2.11, the seccomp filter does not work as a > +whitelist but as a blacklist instead. This method allows safer deploys since > +only the strictly forbidden system calls will be black-listed and the > +possibility of breaking any workload is close to zero. > + > +The default option (-sandbox on) has a slightly looser security though and the > +reason is that it shouldn't break any backwards compatibility with previous > +deploys and command lines already running. But if the intent is to have a > +better security from this version on, one should make use of the following > +additional options properly: > + > +* obsolete=allow|deny: It allows Qemu to run safely on old system that still > + relies on old system calls. > + > +* elevateprivileges=allow|deny|children: It allows or denies Qemu process > + to elevate its privileges by blacklisting all set*uid|gid system calls. The > + 'children' option sets the PR_SET_NO_NEW_PRIVS to 1 which allows helpers > + (forks and execs) to run unprivileged. > + > +* spawn=allow|deny: It blacklists fork and execve system calls, avoiding QEMU to > + spawn new threads or processes. > + > +* resourcecontrol=allow|deny: It blacklists all process affinity and scheduler > + priority system calls to avoid that the process can increase its amount of > + allowed resource consumption. > + This ought to be part of qemu-options.hx so it makes it into the qemu docs & man page. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Qemu-devel] [PATCHv4 0/6] seccomp: feature refactoring 2017-09-01 10:58 [Qemu-devel] [PATCHv4 0/6] seccomp: feature refactoring Eduardo Otubo ` (5 preceding siblings ...) 2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 6/6] seccomp: adding documentation to new seccomp model Eduardo Otubo @ 2017-09-01 11:32 ` no-reply 6 siblings, 0 replies; 15+ messages in thread From: no-reply @ 2017-09-01 11:32 UTC (permalink / raw) To: otubo; +Cc: famz, qemu-devel, thuth Hi, This series seems to have some coding style problems. See output below for more information: Message-id: 20170901105818.31956-1-otubo@redhat.com Subject: [Qemu-devel] [PATCHv4 0/6] seccomp: feature refactoring Type: series === TEST SCRIPT BEGIN === #!/bin/bash BASE=base n=1 total=$(git log --oneline $BASE.. | wc -l) failed=0 git config --local diff.renamelimit 0 git config --local diff.renames True commits="$(git log --format=%H --reverse $BASE..)" for c in $commits; do echo "Checking PATCH $n/$total: $(git log -n 1 --format=%s $c)..." if ! git show $c --format=email | ./scripts/checkpatch.pl --mailback -; then failed=1 echo fi n=$((n+1)) done exit $failed === TEST SCRIPT END === Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384 Switched to a new branch 'test' b93c9e7648 seccomp: adding documentation to new seccomp model 19f0713063 seccomp: add resourcecontrol argument to command line 0d2a553bce seccomp: add spawn argument to command line 7899a23fb6 seccomp: add elevateprivileges argument to command line d43b3cbcf8 seccomp: add obsolete argument to command line 2765752f8e seccomp: changing from whitelist to blacklist === OUTPUT BEGIN === Checking PATCH 1/6: seccomp: changing from whitelist to blacklist... Checking PATCH 2/6: seccomp: add obsolete argument to command line... ERROR: code indent should never use tabs #128: FILE: vl.c:1048: +^I^I * to provide a little bit of consistency for$ ERROR: code indent should never use tabs #129: FILE: vl.c:1049: +^I^I * the command line */$ ERROR: code indent should never use tabs #130: FILE: vl.c:1050: +^I } else {$ ERROR: code indent should never use tabs #131: FILE: vl.c:1051: +^I^Ierror_report("invalid argument for obsolete");$ ERROR: code indent should never use tabs #132: FILE: vl.c:1052: +^I }$ total: 5 errors, 0 warnings, 104 lines checked Your patch has style problems, please review. If any of these errors are false positives report them to the maintainer, see CHECKPATCH in MAINTAINERS. Checking PATCH 3/6: seccomp: add elevateprivileges argument to command line... Checking PATCH 4/6: seccomp: add spawn argument to command line... Checking PATCH 5/6: seccomp: add resourcecontrol argument to command line... ERROR: space required after that ',' (ctx:VxV) #78: FILE: qemu-seccomp.c:83: + { SCMP_SYS(sched_get_priority_max),16, QEMU_SECCOMP_SET_RESOURCECTL }, ^ ERROR: space required after that ',' (ctx:VxV) #79: FILE: qemu-seccomp.c:84: + { SCMP_SYS(sched_get_priority_min),16, QEMU_SECCOMP_SET_RESOURCECTL }, ^ ERROR: code indent should never use tabs #124: FILE: vl.c:1109: +^I^Ierror_report("invalid argument for resourcecontrol");$ ERROR: code indent should never use tabs #125: FILE: vl.c:1110: +^I^Ireturn -1;$ ERROR: code indent should never use tabs #126: FILE: vl.c:1111: +^I }$ total: 5 errors, 0 warnings, 95 lines checked Your patch has style problems, please review. If any of these errors are false positives report them to the maintainer, see CHECKPATCH in MAINTAINERS. Checking PATCH 6/6: seccomp: adding documentation to new seccomp model... === OUTPUT END === Test command exited with code: 1 --- Email generated automatically by Patchew [http://patchew.org/]. Please send your feedback to patchew-devel@freelists.org ^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2017-09-07 9:59 UTC | newest] Thread overview: 15+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2017-09-01 10:58 [Qemu-devel] [PATCHv4 0/6] seccomp: feature refactoring Eduardo Otubo 2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 1/6] seccomp: changing from whitelist to blacklist Eduardo Otubo 2017-09-01 11:04 ` Daniel P. Berrange 2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 2/6] seccomp: add obsolete argument to command line Eduardo Otubo 2017-09-01 11:05 ` Daniel P. Berrange 2017-09-07 9:31 ` Eduardo Otubo 2017-09-07 9:59 ` Daniel P. Berrange 2017-09-07 9:57 ` Daniel P. Berrange 2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 3/6] seccomp: add elevateprivileges " Eduardo Otubo 2017-09-07 9:58 ` Daniel P. Berrange 2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 4/6] seccomp: add spawn " Eduardo Otubo 2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 5/6] seccomp: add resourcecontrol " Eduardo Otubo 2017-09-01 10:58 ` [Qemu-devel] [PATCHv4 6/6] seccomp: adding documentation to new seccomp model Eduardo Otubo 2017-09-01 11:03 ` Daniel P. Berrange 2017-09-01 11:32 ` [Qemu-devel] [PATCHv4 0/6] seccomp: feature refactoring no-reply
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).