* [Qemu-devel] [PATCHv5 0/6] seccomp: feature refactoring
@ 2017-09-08 9:10 Eduardo Otubo
2017-09-08 9:10 ` [Qemu-devel] [PATCHv5 1/5] seccomp: changing from whitelist to blacklist Eduardo Otubo
` (4 more replies)
0 siblings, 5 replies; 18+ messages in thread
From: Eduardo Otubo @ 2017-09-08 9:10 UTC (permalink / raw)
To: qemu-devel; +Cc: thuth, Daniel P . Berrange
v5:
* replaced strcmp by g_str_equal
* removed useless goto
* fixed style problems
v4:
* include another field on the struct for the modes
* remove priority
* fixed typos
* error handling for prctl
* add allow|deny values for all options
* error hanlding for wrong values for all options
* change how binary values are treated
* reformat help text
v3:
* Style problems fixed
v2:
* The semantics of the options "allow/deny" instead of booleans "on/off" remains.
* Added option 'children' to elevateprivileges
* Added documentation to docs/
v1:
* First version based on the discussion
https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg03348.html
Eduardo Otubo (6):
seccomp: changing from whitelist to blacklist
seccomp: add obsolete argument to command line
seccomp: add elevateprivileges argument to command line
seccomp: add spawn argument to command line
seccomp: add resourcecontrol argument to command line
seccomp: adding documentation to new seccomp model
docs/seccomp.txt | 31 +++++
include/sysemu/seccomp.h | 8 +-
qemu-options.hx | 26 +++-
qemu-seccomp.c | 325 ++++++++++++++---------------------------------
vl.c | 82 +++++++++++-
5 files changed, 235 insertions(+), 237 deletions(-)
create mode 100644 docs/seccomp.txt
--
2.13.5
^ permalink raw reply [flat|nested] 18+ messages in thread* [Qemu-devel] [PATCHv5 1/5] seccomp: changing from whitelist to blacklist 2017-09-08 9:10 [Qemu-devel] [PATCHv5 0/6] seccomp: feature refactoring Eduardo Otubo @ 2017-09-08 9:10 ` Eduardo Otubo 2017-09-08 9:31 ` Daniel P. Berrange 2017-09-08 9:43 ` Thomas Huth 2017-09-08 9:10 ` [Qemu-devel] [PATCHv5 2/5] seccomp: add obsolete argument to command line Eduardo Otubo ` (3 subsequent siblings) 4 siblings, 2 replies; 18+ messages in thread From: Eduardo Otubo @ 2017-09-08 9:10 UTC (permalink / raw) To: qemu-devel; +Cc: thuth, Daniel P . Berrange This patch changes the default behavior of the seccomp filter from whitelist to blacklist. By default now all system calls are allowed and a small black list of definitely forbidden ones was created. Signed-off-by: Eduardo Otubo <otubo@redhat.com> --- include/sysemu/seccomp.h | 2 + qemu-seccomp.c | 264 ++++++----------------------------------------- vl.c | 1 - 3 files changed, 35 insertions(+), 232 deletions(-) diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h index cfc06008cb..23b9c3c789 100644 --- a/include/sysemu/seccomp.h +++ b/include/sysemu/seccomp.h @@ -15,6 +15,8 @@ #ifndef QEMU_SECCOMP_H #define QEMU_SECCOMP_H +#define QEMU_SECCOMP_SET_DEFAULT (1 << 0) + #include <seccomp.h> int seccomp_start(void); diff --git a/qemu-seccomp.c b/qemu-seccomp.c index df75d9c471..bc9a1f77ff 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -28,232 +28,34 @@ struct QemuSeccompSyscall { int32_t num; - uint8_t priority; + int type; + uint8_t set; }; -static const struct QemuSeccompSyscall seccomp_whitelist[] = { - { SCMP_SYS(timer_settime), 255 }, - { SCMP_SYS(timer_gettime), 254 }, - { SCMP_SYS(futex), 253 }, - { SCMP_SYS(select), 252 }, - { SCMP_SYS(recvfrom), 251 }, - { SCMP_SYS(sendto), 250 }, - { SCMP_SYS(socketcall), 250 }, - { SCMP_SYS(read), 249 }, - { SCMP_SYS(io_submit), 249 }, - { SCMP_SYS(brk), 248 }, - { SCMP_SYS(clone), 247 }, - { SCMP_SYS(mmap), 247 }, - { SCMP_SYS(mprotect), 246 }, - { SCMP_SYS(execve), 245 }, - { SCMP_SYS(open), 245 }, - { SCMP_SYS(ioctl), 245 }, - { SCMP_SYS(socket), 245 }, - { SCMP_SYS(setsockopt), 245 }, - { SCMP_SYS(recvmsg), 245 }, - { SCMP_SYS(sendmsg), 245 }, - { SCMP_SYS(accept), 245 }, - { SCMP_SYS(connect), 245 }, - { SCMP_SYS(socketpair), 245 }, - { SCMP_SYS(bind), 245 }, - { SCMP_SYS(listen), 245 }, - { SCMP_SYS(semget), 245 }, - { SCMP_SYS(ipc), 245 }, - { SCMP_SYS(gettimeofday), 245 }, - { SCMP_SYS(readlink), 245 }, - { SCMP_SYS(access), 245 }, - { SCMP_SYS(prctl), 245 }, - { SCMP_SYS(signalfd), 245 }, - { SCMP_SYS(getrlimit), 245 }, - { SCMP_SYS(getrusage), 245 }, - { SCMP_SYS(set_tid_address), 245 }, - { SCMP_SYS(statfs), 245 }, - { SCMP_SYS(unlink), 245 }, - { SCMP_SYS(wait4), 245 }, - { SCMP_SYS(fcntl64), 245 }, - { SCMP_SYS(fstat64), 245 }, - { SCMP_SYS(stat64), 245 }, - { SCMP_SYS(getgid32), 245 }, - { SCMP_SYS(getegid32), 245 }, - { SCMP_SYS(getuid32), 245 }, - { SCMP_SYS(geteuid32), 245 }, - { SCMP_SYS(sigreturn), 245 }, - { SCMP_SYS(_newselect), 245 }, - { SCMP_SYS(_llseek), 245 }, - { SCMP_SYS(mmap2), 245 }, - { SCMP_SYS(sigprocmask), 245 }, - { SCMP_SYS(sched_getparam), 245 }, - { SCMP_SYS(sched_getscheduler), 245 }, - { SCMP_SYS(fstat), 245 }, - { SCMP_SYS(clock_getres), 245 }, - { SCMP_SYS(sched_get_priority_min), 245 }, - { SCMP_SYS(sched_get_priority_max), 245 }, - { SCMP_SYS(stat), 245 }, - { SCMP_SYS(uname), 245 }, - { SCMP_SYS(eventfd2), 245 }, - { SCMP_SYS(io_getevents), 245 }, - { SCMP_SYS(dup), 245 }, - { SCMP_SYS(dup2), 245 }, - { SCMP_SYS(dup3), 245 }, - { SCMP_SYS(gettid), 245 }, - { SCMP_SYS(getgid), 245 }, - { SCMP_SYS(getegid), 245 }, - { SCMP_SYS(getuid), 245 }, - { SCMP_SYS(geteuid), 245 }, - { SCMP_SYS(timer_create), 245 }, - { SCMP_SYS(times), 245 }, - { SCMP_SYS(exit), 245 }, - { SCMP_SYS(clock_gettime), 245 }, - { SCMP_SYS(time), 245 }, - { SCMP_SYS(restart_syscall), 245 }, - { SCMP_SYS(pwrite64), 245 }, - { SCMP_SYS(nanosleep), 245 }, - { SCMP_SYS(chown), 245 }, - { SCMP_SYS(openat), 245 }, - { SCMP_SYS(getdents), 245 }, - { SCMP_SYS(timer_delete), 245 }, - { SCMP_SYS(exit_group), 245 }, - { SCMP_SYS(rt_sigreturn), 245 }, - { SCMP_SYS(sync), 245 }, - { SCMP_SYS(pread64), 245 }, - { SCMP_SYS(madvise), 245 }, - { SCMP_SYS(set_robust_list), 245 }, - { SCMP_SYS(lseek), 245 }, - { SCMP_SYS(pselect6), 245 }, - { SCMP_SYS(fork), 245 }, - { SCMP_SYS(rt_sigprocmask), 245 }, - { SCMP_SYS(write), 244 }, - { SCMP_SYS(fcntl), 243 }, - { SCMP_SYS(tgkill), 242 }, - { SCMP_SYS(kill), 242 }, - { SCMP_SYS(rt_sigaction), 242 }, - { SCMP_SYS(pipe2), 242 }, - { SCMP_SYS(munmap), 242 }, - { SCMP_SYS(mremap), 242 }, - { SCMP_SYS(fdatasync), 242 }, - { SCMP_SYS(close), 242 }, - { SCMP_SYS(rt_sigpending), 242 }, - { SCMP_SYS(rt_sigtimedwait), 242 }, - { SCMP_SYS(readv), 242 }, - { SCMP_SYS(writev), 242 }, - { SCMP_SYS(preadv), 242 }, - { SCMP_SYS(pwritev), 242 }, - { SCMP_SYS(setrlimit), 242 }, - { SCMP_SYS(ftruncate), 242 }, - { SCMP_SYS(lstat), 242 }, - { SCMP_SYS(pipe), 242 }, - { SCMP_SYS(umask), 242 }, - { SCMP_SYS(chdir), 242 }, - { SCMP_SYS(setitimer), 242 }, - { SCMP_SYS(setsid), 242 }, - { SCMP_SYS(poll), 242 }, - { SCMP_SYS(epoll_create), 242 }, - { SCMP_SYS(epoll_ctl), 242 }, - { SCMP_SYS(epoll_wait), 242 }, - { SCMP_SYS(waitpid), 242 }, - { SCMP_SYS(getsockname), 242 }, - { SCMP_SYS(getpeername), 242 }, - { SCMP_SYS(accept4), 242 }, - { SCMP_SYS(timerfd_settime), 242 }, - { SCMP_SYS(newfstatat), 241 }, - { SCMP_SYS(shutdown), 241 }, - { SCMP_SYS(getsockopt), 241 }, - { SCMP_SYS(semop), 241 }, - { SCMP_SYS(semtimedop), 241 }, - { SCMP_SYS(epoll_ctl_old), 241 }, - { SCMP_SYS(epoll_wait_old), 241 }, - { SCMP_SYS(epoll_pwait), 241 }, - { SCMP_SYS(epoll_create1), 241 }, - { SCMP_SYS(ppoll), 241 }, - { SCMP_SYS(creat), 241 }, - { SCMP_SYS(link), 241 }, - { SCMP_SYS(getpid), 241 }, - { SCMP_SYS(getppid), 241 }, - { SCMP_SYS(getpgrp), 241 }, - { SCMP_SYS(getpgid), 241 }, - { SCMP_SYS(getsid), 241 }, - { SCMP_SYS(getdents64), 241 }, - { SCMP_SYS(getresuid), 241 }, - { SCMP_SYS(getresgid), 241 }, - { SCMP_SYS(getgroups), 241 }, - { SCMP_SYS(getresuid32), 241 }, - { SCMP_SYS(getresgid32), 241 }, - { SCMP_SYS(getgroups32), 241 }, - { SCMP_SYS(signal), 241 }, - { SCMP_SYS(sigaction), 241 }, - { SCMP_SYS(sigsuspend), 241 }, - { SCMP_SYS(sigpending), 241 }, - { SCMP_SYS(truncate64), 241 }, - { SCMP_SYS(ftruncate64), 241 }, - { SCMP_SYS(fchown32), 241 }, - { SCMP_SYS(chown32), 241 }, - { SCMP_SYS(lchown32), 241 }, - { SCMP_SYS(statfs64), 241 }, - { SCMP_SYS(fstatfs64), 241 }, - { SCMP_SYS(fstatat64), 241 }, - { SCMP_SYS(lstat64), 241 }, - { SCMP_SYS(sendfile64), 241 }, - { SCMP_SYS(ugetrlimit), 241 }, - { SCMP_SYS(alarm), 241 }, - { SCMP_SYS(rt_sigsuspend), 241 }, - { SCMP_SYS(rt_sigqueueinfo), 241 }, - { SCMP_SYS(rt_tgsigqueueinfo), 241 }, - { SCMP_SYS(sigaltstack), 241 }, - { SCMP_SYS(signalfd4), 241 }, - { SCMP_SYS(truncate), 241 }, - { SCMP_SYS(fchown), 241 }, - { SCMP_SYS(lchown), 241 }, - { SCMP_SYS(fchownat), 241 }, - { SCMP_SYS(fstatfs), 241 }, - { SCMP_SYS(getitimer), 241 }, - { SCMP_SYS(syncfs), 241 }, - { SCMP_SYS(fsync), 241 }, - { SCMP_SYS(fchdir), 241 }, - { SCMP_SYS(msync), 241 }, - { SCMP_SYS(sched_setparam), 241 }, - { SCMP_SYS(sched_setscheduler), 241 }, - { SCMP_SYS(sched_yield), 241 }, - { SCMP_SYS(sched_rr_get_interval), 241 }, - { SCMP_SYS(sched_setaffinity), 241 }, - { SCMP_SYS(sched_getaffinity), 241 }, - { SCMP_SYS(readahead), 241 }, - { SCMP_SYS(timer_getoverrun), 241 }, - { SCMP_SYS(unlinkat), 241 }, - { SCMP_SYS(readlinkat), 241 }, - { SCMP_SYS(faccessat), 241 }, - { SCMP_SYS(get_robust_list), 241 }, - { SCMP_SYS(splice), 241 }, - { SCMP_SYS(vmsplice), 241 }, - { SCMP_SYS(getcpu), 241 }, - { SCMP_SYS(sendmmsg), 241 }, - { SCMP_SYS(recvmmsg), 241 }, - { SCMP_SYS(prlimit64), 241 }, - { SCMP_SYS(waitid), 241 }, - { SCMP_SYS(io_cancel), 241 }, - { SCMP_SYS(io_setup), 241 }, - { SCMP_SYS(io_destroy), 241 }, - { SCMP_SYS(arch_prctl), 240 }, - { SCMP_SYS(mkdir), 240 }, - { SCMP_SYS(fchmod), 240 }, - { SCMP_SYS(shmget), 240 }, - { SCMP_SYS(shmat), 240 }, - { SCMP_SYS(shmdt), 240 }, - { SCMP_SYS(timerfd_create), 240 }, - { SCMP_SYS(shmctl), 240 }, - { SCMP_SYS(mlockall), 240 }, - { SCMP_SYS(mlock), 240 }, - { SCMP_SYS(munlock), 240 }, - { SCMP_SYS(semctl), 240 }, - { SCMP_SYS(fallocate), 240 }, - { SCMP_SYS(fadvise64), 240 }, - { SCMP_SYS(inotify_init1), 240 }, - { SCMP_SYS(inotify_add_watch), 240 }, - { SCMP_SYS(mbind), 240 }, - { SCMP_SYS(memfd_create), 240 }, -#ifdef HAVE_CACHEFLUSH - { SCMP_SYS(cacheflush), 240 }, -#endif - { SCMP_SYS(sysinfo), 240 }, +static const struct QemuSeccompSyscall blacklist[] = { + /* default set of syscalls to blacklist */ + { SCMP_SYS(reboot), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(swapon), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(swapoff), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(syslog), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(mount), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(umount), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(kexec_load), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(afs_syscall), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(break), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(ftime), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(getpmsg), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(gtty), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(lock), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(mpx), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(prof), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(profil), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(putpmsg), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(security), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(stty), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(tuxcall), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(ulimit), 1, QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(vserver), 1, QEMU_SECCOMP_SET_DEFAULT }, }; int seccomp_start(void) @@ -262,19 +64,19 @@ int seccomp_start(void) unsigned int i = 0; scmp_filter_ctx ctx; - ctx = seccomp_init(SCMP_ACT_KILL); + ctx = seccomp_init(SCMP_ACT_ALLOW); if (ctx == NULL) { rc = -1; goto seccomp_return; } - for (i = 0; i < ARRAY_SIZE(seccomp_whitelist); i++) { - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_whitelist[i].num, 0); - if (rc < 0) { - goto seccomp_return; + for (i = 0; i < ARRAY_SIZE(blacklist); i++) { + switch (blacklist[i].set) { + default: + break; } - rc = seccomp_syscall_priority(ctx, seccomp_whitelist[i].num, - seccomp_whitelist[i].priority); + + rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, blacklist[i].num, 0); if (rc < 0) { goto seccomp_return; } diff --git a/vl.c b/vl.c index fb1f05b937..76e0b3a946 100644 --- a/vl.c +++ b/vl.c @@ -1032,7 +1032,6 @@ static int bt_parse(const char *opt) static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp) { - /* FIXME: change this to true for 1.3 */ if (qemu_opt_get_bool(opts, "enable", false)) { #ifdef CONFIG_SECCOMP if (seccomp_start() < 0) { -- 2.13.5 ^ permalink raw reply related [flat|nested] 18+ messages in thread
* Re: [Qemu-devel] [PATCHv5 1/5] seccomp: changing from whitelist to blacklist 2017-09-08 9:10 ` [Qemu-devel] [PATCHv5 1/5] seccomp: changing from whitelist to blacklist Eduardo Otubo @ 2017-09-08 9:31 ` Daniel P. Berrange 2017-09-08 9:43 ` Thomas Huth 1 sibling, 0 replies; 18+ messages in thread From: Daniel P. Berrange @ 2017-09-08 9:31 UTC (permalink / raw) To: Eduardo Otubo; +Cc: qemu-devel, thuth On Fri, Sep 08, 2017 at 11:10:23AM +0200, Eduardo Otubo wrote: > This patch changes the default behavior of the seccomp filter from > whitelist to blacklist. By default now all system calls are allowed and > a small black list of definitely forbidden ones was created. > > Signed-off-by: Eduardo Otubo <otubo@redhat.com> > --- > include/sysemu/seccomp.h | 2 + > qemu-seccomp.c | 264 ++++++----------------------------------------- > vl.c | 1 - > 3 files changed, 35 insertions(+), 232 deletions(-) Reviewed-by: Daniel P. Berrange <berrange@redhat.com> Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [Qemu-devel] [PATCHv5 1/5] seccomp: changing from whitelist to blacklist 2017-09-08 9:10 ` [Qemu-devel] [PATCHv5 1/5] seccomp: changing from whitelist to blacklist Eduardo Otubo 2017-09-08 9:31 ` Daniel P. Berrange @ 2017-09-08 9:43 ` Thomas Huth 2017-09-08 9:50 ` Eduardo Otubo 1 sibling, 1 reply; 18+ messages in thread From: Thomas Huth @ 2017-09-08 9:43 UTC (permalink / raw) To: Eduardo Otubo, qemu-devel On 08.09.2017 11:10, Eduardo Otubo wrote: > This patch changes the default behavior of the seccomp filter from > whitelist to blacklist. By default now all system calls are allowed and > a small black list of definitely forbidden ones was created. > > Signed-off-by: Eduardo Otubo <otubo@redhat.com> > --- > include/sysemu/seccomp.h | 2 + > qemu-seccomp.c | 264 ++++++----------------------------------------- > vl.c | 1 - > 3 files changed, 35 insertions(+), 232 deletions(-) > > diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h > index cfc06008cb..23b9c3c789 100644 > --- a/include/sysemu/seccomp.h > +++ b/include/sysemu/seccomp.h > @@ -15,6 +15,8 @@ > #ifndef QEMU_SECCOMP_H > #define QEMU_SECCOMP_H > > +#define QEMU_SECCOMP_SET_DEFAULT (1 << 0) > + > #include <seccomp.h> > > int seccomp_start(void); > diff --git a/qemu-seccomp.c b/qemu-seccomp.c > index df75d9c471..bc9a1f77ff 100644 > --- a/qemu-seccomp.c > +++ b/qemu-seccomp.c > @@ -28,232 +28,34 @@ > > struct QemuSeccompSyscall { > int32_t num; > - uint8_t priority; > + int type; What's this "type" field good for? I failed to spot the place in the sources where you are using it...? Anyway, some comments here right after the struct members would be useful. Thomas > + uint8_t set; > }; > > -static const struct QemuSeccompSyscall seccomp_whitelist[] = { > - { SCMP_SYS(timer_settime), 255 }, [...] > - { SCMP_SYS(memfd_create), 240 }, > -#ifdef HAVE_CACHEFLUSH > - { SCMP_SYS(cacheflush), 240 }, > -#endif > - { SCMP_SYS(sysinfo), 240 }, > +static const struct QemuSeccompSyscall blacklist[] = { > + /* default set of syscalls to blacklist */ > + { SCMP_SYS(reboot), 1, QEMU_SECCOMP_SET_DEFAULT }, > + { SCMP_SYS(swapon), 1, QEMU_SECCOMP_SET_DEFAULT }, > + { SCMP_SYS(swapoff), 1, QEMU_SECCOMP_SET_DEFAULT }, > + { SCMP_SYS(syslog), 1, QEMU_SECCOMP_SET_DEFAULT }, > + { SCMP_SYS(mount), 1, QEMU_SECCOMP_SET_DEFAULT }, > + { SCMP_SYS(umount), 1, QEMU_SECCOMP_SET_DEFAULT }, > + { SCMP_SYS(kexec_load), 1, QEMU_SECCOMP_SET_DEFAULT }, > + { SCMP_SYS(afs_syscall), 1, QEMU_SECCOMP_SET_DEFAULT }, > + { SCMP_SYS(break), 1, QEMU_SECCOMP_SET_DEFAULT }, > + { SCMP_SYS(ftime), 1, QEMU_SECCOMP_SET_DEFAULT }, > + { SCMP_SYS(getpmsg), 1, QEMU_SECCOMP_SET_DEFAULT }, > + { SCMP_SYS(gtty), 1, QEMU_SECCOMP_SET_DEFAULT }, > + { SCMP_SYS(lock), 1, QEMU_SECCOMP_SET_DEFAULT }, > + { SCMP_SYS(mpx), 1, QEMU_SECCOMP_SET_DEFAULT }, > + { SCMP_SYS(prof), 1, QEMU_SECCOMP_SET_DEFAULT }, > + { SCMP_SYS(profil), 1, QEMU_SECCOMP_SET_DEFAULT }, > + { SCMP_SYS(putpmsg), 1, QEMU_SECCOMP_SET_DEFAULT }, > + { SCMP_SYS(security), 1, QEMU_SECCOMP_SET_DEFAULT }, > + { SCMP_SYS(stty), 1, QEMU_SECCOMP_SET_DEFAULT }, > + { SCMP_SYS(tuxcall), 1, QEMU_SECCOMP_SET_DEFAULT }, > + { SCMP_SYS(ulimit), 1, QEMU_SECCOMP_SET_DEFAULT }, > + { SCMP_SYS(vserver), 1, QEMU_SECCOMP_SET_DEFAULT }, > }; > > int seccomp_start(void) > @@ -262,19 +64,19 @@ int seccomp_start(void) > unsigned int i = 0; > scmp_filter_ctx ctx; > > - ctx = seccomp_init(SCMP_ACT_KILL); > + ctx = seccomp_init(SCMP_ACT_ALLOW); > if (ctx == NULL) { > rc = -1; > goto seccomp_return; > } > > - for (i = 0; i < ARRAY_SIZE(seccomp_whitelist); i++) { > - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_whitelist[i].num, 0); > - if (rc < 0) { > - goto seccomp_return; > + for (i = 0; i < ARRAY_SIZE(blacklist); i++) { > + switch (blacklist[i].set) { > + default: > + break; > } > - rc = seccomp_syscall_priority(ctx, seccomp_whitelist[i].num, > - seccomp_whitelist[i].priority); > + > + rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, blacklist[i].num, 0); > if (rc < 0) { > goto seccomp_return; > } > diff --git a/vl.c b/vl.c > index fb1f05b937..76e0b3a946 100644 > --- a/vl.c > +++ b/vl.c > @@ -1032,7 +1032,6 @@ static int bt_parse(const char *opt) > > static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp) > { > - /* FIXME: change this to true for 1.3 */ > if (qemu_opt_get_bool(opts, "enable", false)) { > #ifdef CONFIG_SECCOMP > if (seccomp_start() < 0) { > ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [Qemu-devel] [PATCHv5 1/5] seccomp: changing from whitelist to blacklist 2017-09-08 9:43 ` Thomas Huth @ 2017-09-08 9:50 ` Eduardo Otubo 2017-09-08 9:52 ` Thomas Huth 0 siblings, 1 reply; 18+ messages in thread From: Eduardo Otubo @ 2017-09-08 9:50 UTC (permalink / raw) To: Thomas Huth; +Cc: qemu-devel On Fri, Sep 08, 2017 at 11:43:27AM +0200, Thomas Huth wrote: > On 08.09.2017 11:10, Eduardo Otubo wrote: > > This patch changes the default behavior of the seccomp filter from > > whitelist to blacklist. By default now all system calls are allowed and > > a small black list of definitely forbidden ones was created. > > > > Signed-off-by: Eduardo Otubo <otubo@redhat.com> > > --- > > include/sysemu/seccomp.h | 2 + > > qemu-seccomp.c | 264 ++++++----------------------------------------- > > vl.c | 1 - > > 3 files changed, 35 insertions(+), 232 deletions(-) > > > > diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h > > index cfc06008cb..23b9c3c789 100644 > > --- a/include/sysemu/seccomp.h > > +++ b/include/sysemu/seccomp.h > > @@ -15,6 +15,8 @@ > > #ifndef QEMU_SECCOMP_H > > #define QEMU_SECCOMP_H > > > > +#define QEMU_SECCOMP_SET_DEFAULT (1 << 0) > > + > > #include <seccomp.h> > > > > int seccomp_start(void); > > diff --git a/qemu-seccomp.c b/qemu-seccomp.c > > index df75d9c471..bc9a1f77ff 100644 > > --- a/qemu-seccomp.c > > +++ b/qemu-seccomp.c > > @@ -28,232 +28,34 @@ > > > > struct QemuSeccompSyscall { > > int32_t num; > > - uint8_t priority; > > + int type; > > What's this "type" field good for? I failed to spot the place in the > sources where you are using it...? Anyway, some comments here right > after the struct members would be useful. The type is exactly the type of the system call on the blacklist array below. Being QEMU_SECCOMP_SET_DEFAULT, QEMU_SECCOMP_SET_OBSOLETE, etc. Do you think comments here worth a full v6? > > Thomas > > > + uint8_t set; > > }; > > > > -static const struct QemuSeccompSyscall seccomp_whitelist[] = { > > - { SCMP_SYS(timer_settime), 255 }, > [...] > > - { SCMP_SYS(memfd_create), 240 }, > > -#ifdef HAVE_CACHEFLUSH > > - { SCMP_SYS(cacheflush), 240 }, > > -#endif > > - { SCMP_SYS(sysinfo), 240 }, > > +static const struct QemuSeccompSyscall blacklist[] = { > > + /* default set of syscalls to blacklist */ > > + { SCMP_SYS(reboot), 1, QEMU_SECCOMP_SET_DEFAULT }, > > + { SCMP_SYS(swapon), 1, QEMU_SECCOMP_SET_DEFAULT }, > > + { SCMP_SYS(swapoff), 1, QEMU_SECCOMP_SET_DEFAULT }, > > + { SCMP_SYS(syslog), 1, QEMU_SECCOMP_SET_DEFAULT }, > > + { SCMP_SYS(mount), 1, QEMU_SECCOMP_SET_DEFAULT }, > > + { SCMP_SYS(umount), 1, QEMU_SECCOMP_SET_DEFAULT }, > > + { SCMP_SYS(kexec_load), 1, QEMU_SECCOMP_SET_DEFAULT }, > > + { SCMP_SYS(afs_syscall), 1, QEMU_SECCOMP_SET_DEFAULT }, > > + { SCMP_SYS(break), 1, QEMU_SECCOMP_SET_DEFAULT }, > > + { SCMP_SYS(ftime), 1, QEMU_SECCOMP_SET_DEFAULT }, > > + { SCMP_SYS(getpmsg), 1, QEMU_SECCOMP_SET_DEFAULT }, > > + { SCMP_SYS(gtty), 1, QEMU_SECCOMP_SET_DEFAULT }, > > + { SCMP_SYS(lock), 1, QEMU_SECCOMP_SET_DEFAULT }, > > + { SCMP_SYS(mpx), 1, QEMU_SECCOMP_SET_DEFAULT }, > > + { SCMP_SYS(prof), 1, QEMU_SECCOMP_SET_DEFAULT }, > > + { SCMP_SYS(profil), 1, QEMU_SECCOMP_SET_DEFAULT }, > > + { SCMP_SYS(putpmsg), 1, QEMU_SECCOMP_SET_DEFAULT }, > > + { SCMP_SYS(security), 1, QEMU_SECCOMP_SET_DEFAULT }, > > + { SCMP_SYS(stty), 1, QEMU_SECCOMP_SET_DEFAULT }, > > + { SCMP_SYS(tuxcall), 1, QEMU_SECCOMP_SET_DEFAULT }, > > + { SCMP_SYS(ulimit), 1, QEMU_SECCOMP_SET_DEFAULT }, > > + { SCMP_SYS(vserver), 1, QEMU_SECCOMP_SET_DEFAULT }, > > }; > > > > int seccomp_start(void) > > @@ -262,19 +64,19 @@ int seccomp_start(void) > > unsigned int i = 0; > > scmp_filter_ctx ctx; > > > > - ctx = seccomp_init(SCMP_ACT_KILL); > > + ctx = seccomp_init(SCMP_ACT_ALLOW); > > if (ctx == NULL) { > > rc = -1; > > goto seccomp_return; > > } > > > > - for (i = 0; i < ARRAY_SIZE(seccomp_whitelist); i++) { > > - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_whitelist[i].num, 0); > > - if (rc < 0) { > > - goto seccomp_return; > > + for (i = 0; i < ARRAY_SIZE(blacklist); i++) { > > + switch (blacklist[i].set) { > > + default: > > + break; > > } > > - rc = seccomp_syscall_priority(ctx, seccomp_whitelist[i].num, > > - seccomp_whitelist[i].priority); > > + > > + rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, blacklist[i].num, 0); > > if (rc < 0) { > > goto seccomp_return; > > } > > diff --git a/vl.c b/vl.c > > index fb1f05b937..76e0b3a946 100644 > > --- a/vl.c > > +++ b/vl.c > > @@ -1032,7 +1032,6 @@ static int bt_parse(const char *opt) > > > > static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp) > > { > > - /* FIXME: change this to true for 1.3 */ > > if (qemu_opt_get_bool(opts, "enable", false)) { > > #ifdef CONFIG_SECCOMP > > if (seccomp_start() < 0) { > > > > -- Eduardo Otubo Senior Software Engineer @ RedHat ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [Qemu-devel] [PATCHv5 1/5] seccomp: changing from whitelist to blacklist 2017-09-08 9:50 ` Eduardo Otubo @ 2017-09-08 9:52 ` Thomas Huth 2017-09-08 10:57 ` Eduardo Otubo 0 siblings, 1 reply; 18+ messages in thread From: Thomas Huth @ 2017-09-08 9:52 UTC (permalink / raw) To: Eduardo Otubo; +Cc: qemu-devel On 08.09.2017 11:50, Eduardo Otubo wrote: > On Fri, Sep 08, 2017 at 11:43:27AM +0200, Thomas Huth wrote: >> On 08.09.2017 11:10, Eduardo Otubo wrote: >>> This patch changes the default behavior of the seccomp filter from >>> whitelist to blacklist. By default now all system calls are allowed and >>> a small black list of definitely forbidden ones was created. >>> >>> Signed-off-by: Eduardo Otubo <otubo@redhat.com> >>> --- >>> include/sysemu/seccomp.h | 2 + >>> qemu-seccomp.c | 264 ++++++----------------------------------------- >>> vl.c | 1 - >>> 3 files changed, 35 insertions(+), 232 deletions(-) >>> >>> diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h >>> index cfc06008cb..23b9c3c789 100644 >>> --- a/include/sysemu/seccomp.h >>> +++ b/include/sysemu/seccomp.h >>> @@ -15,6 +15,8 @@ >>> #ifndef QEMU_SECCOMP_H >>> #define QEMU_SECCOMP_H >>> >>> +#define QEMU_SECCOMP_SET_DEFAULT (1 << 0) >>> + >>> #include <seccomp.h> >>> >>> int seccomp_start(void); >>> diff --git a/qemu-seccomp.c b/qemu-seccomp.c >>> index df75d9c471..bc9a1f77ff 100644 >>> --- a/qemu-seccomp.c >>> +++ b/qemu-seccomp.c >>> @@ -28,232 +28,34 @@ >>> >>> struct QemuSeccompSyscall { >>> int32_t num; >>> - uint8_t priority; >>> + int type; >> >> What's this "type" field good for? I failed to spot the place in the >> sources where you are using it...? Anyway, some comments here right >> after the struct members would be useful. > > The type is exactly the type of the system call on the blacklist array > below. Being QEMU_SECCOMP_SET_DEFAULT, QEMU_SECCOMP_SET_OBSOLETE, etc. Sorry, I still do not understand. If that's the case, what's the difference between the "type" field and the "set" field? Where do you use the "type" field? Thomas >>> + uint8_t set; >>> }; >>> >>> -static const struct QemuSeccompSyscall seccomp_whitelist[] = { >>> - { SCMP_SYS(timer_settime), 255 }, >> [...] >>> - { SCMP_SYS(memfd_create), 240 }, >>> -#ifdef HAVE_CACHEFLUSH >>> - { SCMP_SYS(cacheflush), 240 }, >>> -#endif >>> - { SCMP_SYS(sysinfo), 240 }, >>> +static const struct QemuSeccompSyscall blacklist[] = { >>> + /* default set of syscalls to blacklist */ >>> + { SCMP_SYS(reboot), 1, QEMU_SECCOMP_SET_DEFAULT }, >>> + { SCMP_SYS(swapon), 1, QEMU_SECCOMP_SET_DEFAULT }, >>> + { SCMP_SYS(swapoff), 1, QEMU_SECCOMP_SET_DEFAULT }, >>> + { SCMP_SYS(syslog), 1, QEMU_SECCOMP_SET_DEFAULT }, >>> + { SCMP_SYS(mount), 1, QEMU_SECCOMP_SET_DEFAULT }, >>> + { SCMP_SYS(umount), 1, QEMU_SECCOMP_SET_DEFAULT }, >>> + { SCMP_SYS(kexec_load), 1, QEMU_SECCOMP_SET_DEFAULT }, >>> + { SCMP_SYS(afs_syscall), 1, QEMU_SECCOMP_SET_DEFAULT }, >>> + { SCMP_SYS(break), 1, QEMU_SECCOMP_SET_DEFAULT }, >>> + { SCMP_SYS(ftime), 1, QEMU_SECCOMP_SET_DEFAULT }, >>> + { SCMP_SYS(getpmsg), 1, QEMU_SECCOMP_SET_DEFAULT }, >>> + { SCMP_SYS(gtty), 1, QEMU_SECCOMP_SET_DEFAULT }, >>> + { SCMP_SYS(lock), 1, QEMU_SECCOMP_SET_DEFAULT }, >>> + { SCMP_SYS(mpx), 1, QEMU_SECCOMP_SET_DEFAULT }, >>> + { SCMP_SYS(prof), 1, QEMU_SECCOMP_SET_DEFAULT }, >>> + { SCMP_SYS(profil), 1, QEMU_SECCOMP_SET_DEFAULT }, >>> + { SCMP_SYS(putpmsg), 1, QEMU_SECCOMP_SET_DEFAULT }, >>> + { SCMP_SYS(security), 1, QEMU_SECCOMP_SET_DEFAULT }, >>> + { SCMP_SYS(stty), 1, QEMU_SECCOMP_SET_DEFAULT }, >>> + { SCMP_SYS(tuxcall), 1, QEMU_SECCOMP_SET_DEFAULT }, >>> + { SCMP_SYS(ulimit), 1, QEMU_SECCOMP_SET_DEFAULT }, >>> + { SCMP_SYS(vserver), 1, QEMU_SECCOMP_SET_DEFAULT }, >>> }; >>> >>> int seccomp_start(void) >>> @@ -262,19 +64,19 @@ int seccomp_start(void) >>> unsigned int i = 0; >>> scmp_filter_ctx ctx; >>> >>> - ctx = seccomp_init(SCMP_ACT_KILL); >>> + ctx = seccomp_init(SCMP_ACT_ALLOW); >>> if (ctx == NULL) { >>> rc = -1; >>> goto seccomp_return; >>> } >>> >>> - for (i = 0; i < ARRAY_SIZE(seccomp_whitelist); i++) { >>> - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_whitelist[i].num, 0); >>> - if (rc < 0) { >>> - goto seccomp_return; >>> + for (i = 0; i < ARRAY_SIZE(blacklist); i++) { >>> + switch (blacklist[i].set) { >>> + default: >>> + break; >>> } >>> - rc = seccomp_syscall_priority(ctx, seccomp_whitelist[i].num, >>> - seccomp_whitelist[i].priority); >>> + >>> + rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, blacklist[i].num, 0); >>> if (rc < 0) { >>> goto seccomp_return; >>> } >>> diff --git a/vl.c b/vl.c >>> index fb1f05b937..76e0b3a946 100644 >>> --- a/vl.c >>> +++ b/vl.c >>> @@ -1032,7 +1032,6 @@ static int bt_parse(const char *opt) >>> >>> static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp) >>> { >>> - /* FIXME: change this to true for 1.3 */ >>> if (qemu_opt_get_bool(opts, "enable", false)) { >>> #ifdef CONFIG_SECCOMP >>> if (seccomp_start() < 0) { >>> >> >> > ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [Qemu-devel] [PATCHv5 1/5] seccomp: changing from whitelist to blacklist 2017-09-08 9:52 ` Thomas Huth @ 2017-09-08 10:57 ` Eduardo Otubo 0 siblings, 0 replies; 18+ messages in thread From: Eduardo Otubo @ 2017-09-08 10:57 UTC (permalink / raw) To: Thomas Huth; +Cc: qemu-devel On Fri, Sep 08, 2017 at 11:52:42AM +0200, Thomas Huth wrote: > On 08.09.2017 11:50, Eduardo Otubo wrote: > > On Fri, Sep 08, 2017 at 11:43:27AM +0200, Thomas Huth wrote: > >> On 08.09.2017 11:10, Eduardo Otubo wrote: > >>> This patch changes the default behavior of the seccomp filter from > >>> whitelist to blacklist. By default now all system calls are allowed and > >>> a small black list of definitely forbidden ones was created. > >>> > >>> Signed-off-by: Eduardo Otubo <otubo@redhat.com> > >>> --- > >>> include/sysemu/seccomp.h | 2 + > >>> qemu-seccomp.c | 264 ++++++----------------------------------------- > >>> vl.c | 1 - > >>> 3 files changed, 35 insertions(+), 232 deletions(-) > >>> > >>> diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h > >>> index cfc06008cb..23b9c3c789 100644 > >>> --- a/include/sysemu/seccomp.h > >>> +++ b/include/sysemu/seccomp.h > >>> @@ -15,6 +15,8 @@ > >>> #ifndef QEMU_SECCOMP_H > >>> #define QEMU_SECCOMP_H > >>> > >>> +#define QEMU_SECCOMP_SET_DEFAULT (1 << 0) > >>> + > >>> #include <seccomp.h> > >>> > >>> int seccomp_start(void); > >>> diff --git a/qemu-seccomp.c b/qemu-seccomp.c > >>> index df75d9c471..bc9a1f77ff 100644 > >>> --- a/qemu-seccomp.c > >>> +++ b/qemu-seccomp.c > >>> @@ -28,232 +28,34 @@ > >>> > >>> struct QemuSeccompSyscall { > >>> int32_t num; > >>> - uint8_t priority; > >>> + int type; > >> > >> What's this "type" field good for? I failed to spot the place in the > >> sources where you are using it...? Anyway, some comments here right > >> after the struct members would be useful. > > > > The type is exactly the type of the system call on the blacklist array > > below. Being QEMU_SECCOMP_SET_DEFAULT, QEMU_SECCOMP_SET_OBSOLETE, etc. > > Sorry, I still do not understand. If that's the case, what's the > difference between the "type" field and the "set" field? Where do you > use the "type" field? HARGH, sorry. Perhaps I was debugging tis for too long and didn't notice it. This was for debug purposes only. I'll remove and resend. Thanks for spotting this. > >>> + uint8_t set; > >>> }; > >>> > >>> -static const struct QemuSeccompSyscall seccomp_whitelist[] = { > >>> - { SCMP_SYS(timer_settime), 255 }, > >> [...] > >>> - { SCMP_SYS(memfd_create), 240 }, > >>> -#ifdef HAVE_CACHEFLUSH > >>> - { SCMP_SYS(cacheflush), 240 }, > >>> -#endif > >>> - { SCMP_SYS(sysinfo), 240 }, > >>> +static const struct QemuSeccompSyscall blacklist[] = { > >>> + /* default set of syscalls to blacklist */ > >>> + { SCMP_SYS(reboot), 1, QEMU_SECCOMP_SET_DEFAULT }, > >>> + { SCMP_SYS(swapon), 1, QEMU_SECCOMP_SET_DEFAULT }, > >>> + { SCMP_SYS(swapoff), 1, QEMU_SECCOMP_SET_DEFAULT }, > >>> + { SCMP_SYS(syslog), 1, QEMU_SECCOMP_SET_DEFAULT }, > >>> + { SCMP_SYS(mount), 1, QEMU_SECCOMP_SET_DEFAULT }, > >>> + { SCMP_SYS(umount), 1, QEMU_SECCOMP_SET_DEFAULT }, > >>> + { SCMP_SYS(kexec_load), 1, QEMU_SECCOMP_SET_DEFAULT }, > >>> + { SCMP_SYS(afs_syscall), 1, QEMU_SECCOMP_SET_DEFAULT }, > >>> + { SCMP_SYS(break), 1, QEMU_SECCOMP_SET_DEFAULT }, > >>> + { SCMP_SYS(ftime), 1, QEMU_SECCOMP_SET_DEFAULT }, > >>> + { SCMP_SYS(getpmsg), 1, QEMU_SECCOMP_SET_DEFAULT }, > >>> + { SCMP_SYS(gtty), 1, QEMU_SECCOMP_SET_DEFAULT }, > >>> + { SCMP_SYS(lock), 1, QEMU_SECCOMP_SET_DEFAULT }, > >>> + { SCMP_SYS(mpx), 1, QEMU_SECCOMP_SET_DEFAULT }, > >>> + { SCMP_SYS(prof), 1, QEMU_SECCOMP_SET_DEFAULT }, > >>> + { SCMP_SYS(profil), 1, QEMU_SECCOMP_SET_DEFAULT }, > >>> + { SCMP_SYS(putpmsg), 1, QEMU_SECCOMP_SET_DEFAULT }, > >>> + { SCMP_SYS(security), 1, QEMU_SECCOMP_SET_DEFAULT }, > >>> + { SCMP_SYS(stty), 1, QEMU_SECCOMP_SET_DEFAULT }, > >>> + { SCMP_SYS(tuxcall), 1, QEMU_SECCOMP_SET_DEFAULT }, > >>> + { SCMP_SYS(ulimit), 1, QEMU_SECCOMP_SET_DEFAULT }, > >>> + { SCMP_SYS(vserver), 1, QEMU_SECCOMP_SET_DEFAULT }, > >>> }; > >>> > >>> int seccomp_start(void) > >>> @@ -262,19 +64,19 @@ int seccomp_start(void) > >>> unsigned int i = 0; > >>> scmp_filter_ctx ctx; > >>> > >>> - ctx = seccomp_init(SCMP_ACT_KILL); > >>> + ctx = seccomp_init(SCMP_ACT_ALLOW); > >>> if (ctx == NULL) { > >>> rc = -1; > >>> goto seccomp_return; > >>> } > >>> > >>> - for (i = 0; i < ARRAY_SIZE(seccomp_whitelist); i++) { > >>> - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_whitelist[i].num, 0); > >>> - if (rc < 0) { > >>> - goto seccomp_return; > >>> + for (i = 0; i < ARRAY_SIZE(blacklist); i++) { > >>> + switch (blacklist[i].set) { > >>> + default: > >>> + break; > >>> } > >>> - rc = seccomp_syscall_priority(ctx, seccomp_whitelist[i].num, > >>> - seccomp_whitelist[i].priority); > >>> + > >>> + rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, blacklist[i].num, 0); > >>> if (rc < 0) { > >>> goto seccomp_return; > >>> } > >>> diff --git a/vl.c b/vl.c > >>> index fb1f05b937..76e0b3a946 100644 > >>> --- a/vl.c > >>> +++ b/vl.c > >>> @@ -1032,7 +1032,6 @@ static int bt_parse(const char *opt) > >>> > >>> static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp) > >>> { > >>> - /* FIXME: change this to true for 1.3 */ > >>> if (qemu_opt_get_bool(opts, "enable", false)) { > >>> #ifdef CONFIG_SECCOMP > >>> if (seccomp_start() < 0) { > >>> > >> > >> > > > -- Eduardo Otubo Senior Software Engineer @ RedHat ^ permalink raw reply [flat|nested] 18+ messages in thread
* [Qemu-devel] [PATCHv5 2/5] seccomp: add obsolete argument to command line 2017-09-08 9:10 [Qemu-devel] [PATCHv5 0/6] seccomp: feature refactoring Eduardo Otubo 2017-09-08 9:10 ` [Qemu-devel] [PATCHv5 1/5] seccomp: changing from whitelist to blacklist Eduardo Otubo @ 2017-09-08 9:10 ` Eduardo Otubo 2017-09-08 9:31 ` Daniel P. Berrange 2017-09-08 9:10 ` [Qemu-devel] [PATCHv5 3/5] seccomp: add elevateprivileges " Eduardo Otubo ` (2 subsequent siblings) 4 siblings, 1 reply; 18+ messages in thread From: Eduardo Otubo @ 2017-09-08 9:10 UTC (permalink / raw) To: qemu-devel; +Cc: thuth, Daniel P . Berrange This patch introduces the argument [,obsolete=allow] to the `-sandbox on' option. It allows Qemu to run safely on old system that still relies on old system calls. Signed-off-by: Eduardo Otubo <otubo@redhat.com> --- include/sysemu/seccomp.h | 3 ++- qemu-options.hx | 12 ++++++++++-- qemu-seccomp.c | 20 +++++++++++++++++++- vl.c | 22 +++++++++++++++++++++- 4 files changed, 52 insertions(+), 5 deletions(-) diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h index 23b9c3c789..215138a372 100644 --- a/include/sysemu/seccomp.h +++ b/include/sysemu/seccomp.h @@ -16,8 +16,9 @@ #define QEMU_SECCOMP_H #define QEMU_SECCOMP_SET_DEFAULT (1 << 0) +#define QEMU_SECCOMP_SET_OBSOLETE (1 << 1) #include <seccomp.h> -int seccomp_start(void); +int seccomp_start(uint32_t seccomp_opts); #endif diff --git a/qemu-options.hx b/qemu-options.hx index 9f6e2adfff..72150c6b84 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -4017,13 +4017,21 @@ Old param mode (ARM only). ETEXI DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ - "-sandbox <arg> Enable seccomp mode 2 system call filter (default 'off').\n", + "-sandbox on[,obsolete=allow|deny]\n" \ + " Enable seccomp mode 2 system call filter (default 'off').\n" \ + " use 'obsolete' to allow obsolete system calls that are provided\n" \ + " by the kernel, but typically no longer used by modern\n" \ + " C library implementations.\n", QEMU_ARCH_ALL) STEXI -@item -sandbox @var{arg} +@item -sandbox @var{arg}[,obsolete=@var{string}] @findex -sandbox Enable Seccomp mode 2 system call filter. 'on' will enable syscall filtering and 'off' will disable it. The default is 'off'. +@table @option +@item obsolete=@var{string} +Enable Obsolete system calls +@end table ETEXI DEF("readconfig", HAS_ARG, QEMU_OPTION_readconfig, diff --git a/qemu-seccomp.c b/qemu-seccomp.c index bc9a1f77ff..126e5ee2d5 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -56,9 +56,22 @@ static const struct QemuSeccompSyscall blacklist[] = { { SCMP_SYS(tuxcall), 1, QEMU_SECCOMP_SET_DEFAULT }, { SCMP_SYS(ulimit), 1, QEMU_SECCOMP_SET_DEFAULT }, { SCMP_SYS(vserver), 1, QEMU_SECCOMP_SET_DEFAULT }, + /* obsolete */ + { SCMP_SYS(readdir), 2, QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(_sysctl), 2, QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(bdflush), 2, QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(create_module), 2, QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(get_kernel_syms), 2, QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(query_module), 2, QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(sgetmask), 2, QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(ssetmask), 2, QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(sysfs), 2, QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(uselib), 2, QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(ustat), 2, QEMU_SECCOMP_SET_OBSOLETE }, }; -int seccomp_start(void) + +int seccomp_start(uint32_t seccomp_opts) { int rc = 0; unsigned int i = 0; @@ -72,6 +85,11 @@ int seccomp_start(void) for (i = 0; i < ARRAY_SIZE(blacklist); i++) { switch (blacklist[i].set) { + case QEMU_SECCOMP_SET_OBSOLETE: + if ((seccomp_opts & QEMU_SECCOMP_SET_OBSOLETE)) { + continue; + } + break; default: break; } diff --git a/vl.c b/vl.c index 76e0b3a946..dafbe30e2b 100644 --- a/vl.c +++ b/vl.c @@ -271,6 +271,10 @@ static QemuOptsList qemu_sandbox_opts = { .name = "enable", .type = QEMU_OPT_BOOL, }, + { + .name = "obsolete", + .type = QEMU_OPT_STRING, + }, { /* end of list */ } }, }; @@ -1034,7 +1038,23 @@ static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp) { if (qemu_opt_get_bool(opts, "enable", false)) { #ifdef CONFIG_SECCOMP - if (seccomp_start() < 0) { + uint32_t seccomp_opts = 0x00000; + const char *value = NULL; + + value = qemu_opt_get(opts, "obsolete"); + if (value) { + if (g_str_equal(value, "allow")) { + seccomp_opts |= QEMU_SECCOMP_SET_OBSOLETE; + } else if (g_str_equal(value, "deny")) { + /* this is the default option, this if is here + * to provide a little bit of consistency for + * the command line */ + } else { + error_report("invalid argument for obsolete"); + } + } + + if (seccomp_start(seccomp_opts) < 0) { error_report("failed to install seccomp syscall filter " "in the kernel"); return -1; -- 2.13.5 ^ permalink raw reply related [flat|nested] 18+ messages in thread
* Re: [Qemu-devel] [PATCHv5 2/5] seccomp: add obsolete argument to command line 2017-09-08 9:10 ` [Qemu-devel] [PATCHv5 2/5] seccomp: add obsolete argument to command line Eduardo Otubo @ 2017-09-08 9:31 ` Daniel P. Berrange 0 siblings, 0 replies; 18+ messages in thread From: Daniel P. Berrange @ 2017-09-08 9:31 UTC (permalink / raw) To: Eduardo Otubo; +Cc: qemu-devel, thuth On Fri, Sep 08, 2017 at 11:10:24AM +0200, Eduardo Otubo wrote: > This patch introduces the argument [,obsolete=allow] to the `-sandbox on' > option. It allows Qemu to run safely on old system that still relies on > old system calls. > > Signed-off-by: Eduardo Otubo <otubo@redhat.com> > --- > include/sysemu/seccomp.h | 3 ++- > qemu-options.hx | 12 ++++++++++-- > qemu-seccomp.c | 20 +++++++++++++++++++- > vl.c | 22 +++++++++++++++++++++- > 4 files changed, 52 insertions(+), 5 deletions(-) Reviewed-by: Daniel P. Berrange <berrange@redhat.com> Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| ^ permalink raw reply [flat|nested] 18+ messages in thread
* [Qemu-devel] [PATCHv5 3/5] seccomp: add elevateprivileges argument to command line 2017-09-08 9:10 [Qemu-devel] [PATCHv5 0/6] seccomp: feature refactoring Eduardo Otubo 2017-09-08 9:10 ` [Qemu-devel] [PATCHv5 1/5] seccomp: changing from whitelist to blacklist Eduardo Otubo 2017-09-08 9:10 ` [Qemu-devel] [PATCHv5 2/5] seccomp: add obsolete argument to command line Eduardo Otubo @ 2017-09-08 9:10 ` Eduardo Otubo 2017-09-08 9:32 ` Daniel P. Berrange 2017-09-08 9:10 ` [Qemu-devel] [PATCHv5 4/5] seccomp: add spawn " Eduardo Otubo 2017-09-08 9:10 ` [Qemu-devel] [PATCHv5 5/5] seccomp: add resourcecontrol " Eduardo Otubo 4 siblings, 1 reply; 18+ messages in thread From: Eduardo Otubo @ 2017-09-08 9:10 UTC (permalink / raw) To: qemu-devel; +Cc: thuth, Daniel P . Berrange This patch introduces the new argument [,elevateprivileges=allow|deny|children] to the `-sandbox on'. It allows or denies Qemu process to elevate its privileges by blacklisting all set*uid|gid system calls. The 'children' option will let forks and execves run unprivileged. Signed-off-by: Eduardo Otubo <otubo@redhat.com> --- include/sysemu/seccomp.h | 1 + qemu-options.hx | 12 +++++++++--- qemu-seccomp.c | 19 +++++++++++++++++++ vl.c | 27 +++++++++++++++++++++++++++ 4 files changed, 56 insertions(+), 3 deletions(-) diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h index 215138a372..4a9e63c7cd 100644 --- a/include/sysemu/seccomp.h +++ b/include/sysemu/seccomp.h @@ -17,6 +17,7 @@ #define QEMU_SECCOMP_SET_DEFAULT (1 << 0) #define QEMU_SECCOMP_SET_OBSOLETE (1 << 1) +#define QEMU_SECCOMP_SET_PRIVILEGED (1 << 2) #include <seccomp.h> diff --git a/qemu-options.hx b/qemu-options.hx index 72150c6b84..5c1b163fb5 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -4017,20 +4017,26 @@ Old param mode (ARM only). ETEXI DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ - "-sandbox on[,obsolete=allow|deny]\n" \ + "-sandbox on[,obsolete=allow|deny][,elevateprivileges=allow|deny|children]\n" \ " Enable seccomp mode 2 system call filter (default 'off').\n" \ " use 'obsolete' to allow obsolete system calls that are provided\n" \ " by the kernel, but typically no longer used by modern\n" \ - " C library implementations.\n", + " C library implementations.\n" \ + " use 'elevateprivileges' to allow or deny QEMU process to elevate\n" \ + " its privileges by blacklisting all set*uid|gid system calls.\n" \ + " The value 'children' will deny set*uid|gid system calls for\n" \ + " main QEMU process but will allow forks and execves to run unprivileged\n", QEMU_ARCH_ALL) STEXI -@item -sandbox @var{arg}[,obsolete=@var{string}] +@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}] @findex -sandbox Enable Seccomp mode 2 system call filter. 'on' will enable syscall filtering and 'off' will disable it. The default is 'off'. @table @option @item obsolete=@var{string} Enable Obsolete system calls +@item elevateprivileges=@var{string} +Disable set*uid|gid system calls @end table ETEXI diff --git a/qemu-seccomp.c b/qemu-seccomp.c index 126e5ee2d5..2bad16cafb 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -68,6 +68,17 @@ static const struct QemuSeccompSyscall blacklist[] = { { SCMP_SYS(sysfs), 2, QEMU_SECCOMP_SET_OBSOLETE }, { SCMP_SYS(uselib), 2, QEMU_SECCOMP_SET_OBSOLETE }, { SCMP_SYS(ustat), 2, QEMU_SECCOMP_SET_OBSOLETE }, + /* privileged */ + { SCMP_SYS(setuid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setgid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setpgid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setsid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setreuid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setregid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setresuid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setresgid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setfsuid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setfsgid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, }; @@ -90,6 +101,14 @@ int seccomp_start(uint32_t seccomp_opts) continue; } break; + case QEMU_SECCOMP_SET_PRIVILEGED: + if (seccomp_opts & QEMU_SECCOMP_SET_PRIVILEGED) { + break; + } else { + continue; + } + + break; default: break; } diff --git a/vl.c b/vl.c index dafbe30e2b..413cfe8504 100644 --- a/vl.c +++ b/vl.c @@ -29,6 +29,7 @@ #ifdef CONFIG_SECCOMP #include "sysemu/seccomp.h" +#include "sys/prctl.h" #endif #if defined(CONFIG_VDE) @@ -275,6 +276,10 @@ static QemuOptsList qemu_sandbox_opts = { .name = "obsolete", .type = QEMU_OPT_STRING, }, + { + .name = "elevateprivileges", + .type = QEMU_OPT_STRING, + }, { /* end of list */ } }, }; @@ -1054,6 +1059,28 @@ static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp) } } + value = qemu_opt_get(opts, "elevateprivileges"); + if (value) { + if (g_str_equal(value, "deny")) { + seccomp_opts |= QEMU_SECCOMP_SET_PRIVILEGED; + } else if (g_str_equal(value, "children")) { + seccomp_opts |= QEMU_SECCOMP_SET_PRIVILEGED; + + /* calling prctl directly because we're + * not sure if host has CAP_SYS_ADMIN set*/ + if (prctl(PR_SET_NO_NEW_PRIVS, 1)) { + error_report("failed to set no_new_privs " + "aborting"); + return -1; + } + } else if (g_str_equal(value, "allow")) { + /* default value */ + } else { + error_report("invalid argument for elevateprivileges"); + return -1; + } + } + if (seccomp_start(seccomp_opts) < 0) { error_report("failed to install seccomp syscall filter " "in the kernel"); -- 2.13.5 ^ permalink raw reply related [flat|nested] 18+ messages in thread
* Re: [Qemu-devel] [PATCHv5 3/5] seccomp: add elevateprivileges argument to command line 2017-09-08 9:10 ` [Qemu-devel] [PATCHv5 3/5] seccomp: add elevateprivileges " Eduardo Otubo @ 2017-09-08 9:32 ` Daniel P. Berrange 0 siblings, 0 replies; 18+ messages in thread From: Daniel P. Berrange @ 2017-09-08 9:32 UTC (permalink / raw) To: Eduardo Otubo; +Cc: qemu-devel, thuth On Fri, Sep 08, 2017 at 11:10:25AM +0200, Eduardo Otubo wrote: > This patch introduces the new argument > [,elevateprivileges=allow|deny|children] to the `-sandbox on'. It allows > or denies Qemu process to elevate its privileges by blacklisting all > set*uid|gid system calls. The 'children' option will let forks and > execves run unprivileged. > > Signed-off-by: Eduardo Otubo <otubo@redhat.com> > --- > include/sysemu/seccomp.h | 1 + > qemu-options.hx | 12 +++++++++--- > qemu-seccomp.c | 19 +++++++++++++++++++ > vl.c | 27 +++++++++++++++++++++++++++ > 4 files changed, 56 insertions(+), 3 deletions(-) Reviewed-by: Daniel P. Berrange <berrange@redhat.com> Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| ^ permalink raw reply [flat|nested] 18+ messages in thread
* [Qemu-devel] [PATCHv5 4/5] seccomp: add spawn argument to command line 2017-09-08 9:10 [Qemu-devel] [PATCHv5 0/6] seccomp: feature refactoring Eduardo Otubo ` (2 preceding siblings ...) 2017-09-08 9:10 ` [Qemu-devel] [PATCHv5 3/5] seccomp: add elevateprivileges " Eduardo Otubo @ 2017-09-08 9:10 ` Eduardo Otubo 2017-09-08 9:33 ` Daniel P. Berrange 2017-09-08 9:50 ` Thomas Huth 2017-09-08 9:10 ` [Qemu-devel] [PATCHv5 5/5] seccomp: add resourcecontrol " Eduardo Otubo 4 siblings, 2 replies; 18+ messages in thread From: Eduardo Otubo @ 2017-09-08 9:10 UTC (permalink / raw) To: qemu-devel; +Cc: thuth, Daniel P . Berrange This patch adds [,spawn=deny] argument to `-sandbox on' option. It blacklists fork and execve system calls, avoiding Qemu to spawn new threads or processes. Signed-off-by: Eduardo Otubo <otubo@redhat.com> --- include/sysemu/seccomp.h | 1 + qemu-options.hx | 9 +++++++-- qemu-seccomp.c | 12 ++++++++++++ vl.c | 16 ++++++++++++++++ 4 files changed, 36 insertions(+), 2 deletions(-) diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h index 4a9e63c7cd..3ab5fc4f61 100644 --- a/include/sysemu/seccomp.h +++ b/include/sysemu/seccomp.h @@ -18,6 +18,7 @@ #define QEMU_SECCOMP_SET_DEFAULT (1 << 0) #define QEMU_SECCOMP_SET_OBSOLETE (1 << 1) #define QEMU_SECCOMP_SET_PRIVILEGED (1 << 2) +#define QEMU_SECCOMP_SET_SPAWN (1 << 3) #include <seccomp.h> diff --git a/qemu-options.hx b/qemu-options.hx index 5c1b163fb5..2b04b9f170 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -4018,6 +4018,7 @@ ETEXI DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ "-sandbox on[,obsolete=allow|deny][,elevateprivileges=allow|deny|children]\n" \ + " [,spawn=allow|deny]\n" \ " Enable seccomp mode 2 system call filter (default 'off').\n" \ " use 'obsolete' to allow obsolete system calls that are provided\n" \ " by the kernel, but typically no longer used by modern\n" \ @@ -4025,10 +4026,12 @@ DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ " use 'elevateprivileges' to allow or deny QEMU process to elevate\n" \ " its privileges by blacklisting all set*uid|gid system calls.\n" \ " The value 'children' will deny set*uid|gid system calls for\n" \ - " main QEMU process but will allow forks and execves to run unprivileged\n", + " main QEMU process but will allow forks and execves to run unprivileged\n" \ + " use 'spawn' to avoid QEMU to spawn new threads or processes by\n" \ + " blacklisting *fork and execve\n", QEMU_ARCH_ALL) STEXI -@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}] +@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}][,spawn=@var{string}] @findex -sandbox Enable Seccomp mode 2 system call filter. 'on' will enable syscall filtering and 'off' will disable it. The default is 'off'. @@ -4037,6 +4040,8 @@ disable it. The default is 'off'. Enable Obsolete system calls @item elevateprivileges=@var{string} Disable set*uid|gid system calls +@item spawn=@var{string} +Disable *fork and execve @end table ETEXI diff --git a/qemu-seccomp.c b/qemu-seccomp.c index 2bad16cafb..4c169febf8 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -79,6 +79,10 @@ static const struct QemuSeccompSyscall blacklist[] = { { SCMP_SYS(setresgid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, { SCMP_SYS(setfsuid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, { SCMP_SYS(setfsgid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, + /* spawn */ + { SCMP_SYS(fork), 8, QEMU_SECCOMP_SET_SPAWN }, + { SCMP_SYS(vfork), 8, QEMU_SECCOMP_SET_SPAWN }, + { SCMP_SYS(execve), 8, QEMU_SECCOMP_SET_SPAWN }, }; @@ -109,6 +113,14 @@ int seccomp_start(uint32_t seccomp_opts) } break; + case QEMU_SECCOMP_SET_SPAWN: + if (seccomp_opts & QEMU_SECCOMP_SET_SPAWN) { + break; + } else { + continue; + } + + break; default: break; } diff --git a/vl.c b/vl.c index 413cfe8504..0af137da17 100644 --- a/vl.c +++ b/vl.c @@ -280,6 +280,10 @@ static QemuOptsList qemu_sandbox_opts = { .name = "elevateprivileges", .type = QEMU_OPT_STRING, }, + { + .name = "spawn", + .type = QEMU_OPT_STRING, + }, { /* end of list */ } }, }; @@ -1081,6 +1085,18 @@ static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp) } } + value = qemu_opt_get(opts, "spawn"); + if (value) { + if (g_str_equal(value, "deny")) { + seccomp_opts |= QEMU_SECCOMP_SET_SPAWN; + } else if (g_str_equal(value, "allow")) { + /* default value */ + } else { + error_report("invalid argument for spawn"); + return -1; + } + } + if (seccomp_start(seccomp_opts) < 0) { error_report("failed to install seccomp syscall filter " "in the kernel"); -- 2.13.5 ^ permalink raw reply related [flat|nested] 18+ messages in thread
* Re: [Qemu-devel] [PATCHv5 4/5] seccomp: add spawn argument to command line 2017-09-08 9:10 ` [Qemu-devel] [PATCHv5 4/5] seccomp: add spawn " Eduardo Otubo @ 2017-09-08 9:33 ` Daniel P. Berrange 2017-09-08 9:50 ` Thomas Huth 1 sibling, 0 replies; 18+ messages in thread From: Daniel P. Berrange @ 2017-09-08 9:33 UTC (permalink / raw) To: Eduardo Otubo; +Cc: qemu-devel, thuth On Fri, Sep 08, 2017 at 11:10:26AM +0200, Eduardo Otubo wrote: > This patch adds [,spawn=deny] argument to `-sandbox on' option. It > blacklists fork and execve system calls, avoiding Qemu to spawn new > threads or processes. > > Signed-off-by: Eduardo Otubo <otubo@redhat.com> > --- > include/sysemu/seccomp.h | 1 + > qemu-options.hx | 9 +++++++-- > qemu-seccomp.c | 12 ++++++++++++ > vl.c | 16 ++++++++++++++++ > 4 files changed, 36 insertions(+), 2 deletions(-) Reviewed-by: Daniel P. Berrange <berrange@redhat.com> Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [Qemu-devel] [PATCHv5 4/5] seccomp: add spawn argument to command line 2017-09-08 9:10 ` [Qemu-devel] [PATCHv5 4/5] seccomp: add spawn " Eduardo Otubo 2017-09-08 9:33 ` Daniel P. Berrange @ 2017-09-08 9:50 ` Thomas Huth 2017-09-08 11:15 ` Eduardo Otubo 1 sibling, 1 reply; 18+ messages in thread From: Thomas Huth @ 2017-09-08 9:50 UTC (permalink / raw) To: Eduardo Otubo, qemu-devel On 08.09.2017 11:10, Eduardo Otubo wrote: > This patch adds [,spawn=deny] argument to `-sandbox on' option. It > blacklists fork and execve system calls, avoiding Qemu to spawn new > threads or processes. > > Signed-off-by: Eduardo Otubo <otubo@redhat.com> > --- > include/sysemu/seccomp.h | 1 + > qemu-options.hx | 9 +++++++-- > qemu-seccomp.c | 12 ++++++++++++ > vl.c | 16 ++++++++++++++++ > 4 files changed, 36 insertions(+), 2 deletions(-) > > diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h > index 4a9e63c7cd..3ab5fc4f61 100644 > --- a/include/sysemu/seccomp.h > +++ b/include/sysemu/seccomp.h > @@ -18,6 +18,7 @@ > #define QEMU_SECCOMP_SET_DEFAULT (1 << 0) > #define QEMU_SECCOMP_SET_OBSOLETE (1 << 1) > #define QEMU_SECCOMP_SET_PRIVILEGED (1 << 2) > +#define QEMU_SECCOMP_SET_SPAWN (1 << 3) > > #include <seccomp.h> > > diff --git a/qemu-options.hx b/qemu-options.hx > index 5c1b163fb5..2b04b9f170 100644 > --- a/qemu-options.hx > +++ b/qemu-options.hx > @@ -4018,6 +4018,7 @@ ETEXI > > DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ > "-sandbox on[,obsolete=allow|deny][,elevateprivileges=allow|deny|children]\n" \ > + " [,spawn=allow|deny]\n" \ > " Enable seccomp mode 2 system call filter (default 'off').\n" \ > " use 'obsolete' to allow obsolete system calls that are provided\n" \ > " by the kernel, but typically no longer used by modern\n" \ > @@ -4025,10 +4026,12 @@ DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ > " use 'elevateprivileges' to allow or deny QEMU process to elevate\n" \ > " its privileges by blacklisting all set*uid|gid system calls.\n" \ > " The value 'children' will deny set*uid|gid system calls for\n" \ > - " main QEMU process but will allow forks and execves to run unprivileged\n", > + " main QEMU process but will allow forks and execves to run unprivileged\n" \ > + " use 'spawn' to avoid QEMU to spawn new threads or processes by\n" \ > + " blacklisting *fork and execve\n", > QEMU_ARCH_ALL) > STEXI > -@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}] > +@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}][,spawn=@var{string}] > @findex -sandbox > Enable Seccomp mode 2 system call filter. 'on' will enable syscall filtering and 'off' will > disable it. The default is 'off'. > @@ -4037,6 +4040,8 @@ disable it. The default is 'off'. > Enable Obsolete system calls > @item elevateprivileges=@var{string} > Disable set*uid|gid system calls > +@item spawn=@var{string} > +Disable *fork and execve > @end table > ETEXI > > diff --git a/qemu-seccomp.c b/qemu-seccomp.c > index 2bad16cafb..4c169febf8 100644 > --- a/qemu-seccomp.c > +++ b/qemu-seccomp.c > @@ -79,6 +79,10 @@ static const struct QemuSeccompSyscall blacklist[] = { > { SCMP_SYS(setresgid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, > { SCMP_SYS(setfsuid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, > { SCMP_SYS(setfsgid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, > + /* spawn */ > + { SCMP_SYS(fork), 8, QEMU_SECCOMP_SET_SPAWN }, > + { SCMP_SYS(vfork), 8, QEMU_SECCOMP_SET_SPAWN }, > + { SCMP_SYS(execve), 8, QEMU_SECCOMP_SET_SPAWN }, > }; > > > @@ -109,6 +113,14 @@ int seccomp_start(uint32_t seccomp_opts) > } > > break; > + case QEMU_SECCOMP_SET_SPAWN: > + if (seccomp_opts & QEMU_SECCOMP_SET_SPAWN) { > + break; > + } else { > + continue; > + } > + Remove the above empty line? Anyway, it's somewhat ugly that you need a switch-case statement here at all. Couldn't you simply check it like this: if (!(seccomp_opts & blacklist[i].set)) { continue; } ? You then just have to invert the meaning of the QEMU_SECCOMP_SET_OBSOLETE bit in the second patch, so that this bit is treated in the same way as the others (i.e. use uint32_t seccomp_opts = QEMU_SECCOMP_SET_OBSOLETE; instead of uint32_t seccomp_opts = 0x00000; in vl.c in the second patch). Thomas ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [Qemu-devel] [PATCHv5 4/5] seccomp: add spawn argument to command line 2017-09-08 9:50 ` Thomas Huth @ 2017-09-08 11:15 ` Eduardo Otubo 2017-09-08 11:31 ` Thomas Huth 0 siblings, 1 reply; 18+ messages in thread From: Eduardo Otubo @ 2017-09-08 11:15 UTC (permalink / raw) To: Thomas Huth; +Cc: qemu-devel On Fri, Sep 08, 2017 at 11:50:12AM +0200, Thomas Huth wrote: > On 08.09.2017 11:10, Eduardo Otubo wrote: > > This patch adds [,spawn=deny] argument to `-sandbox on' option. It > > blacklists fork and execve system calls, avoiding Qemu to spawn new > > threads or processes. > > > > Signed-off-by: Eduardo Otubo <otubo@redhat.com> > > --- > > include/sysemu/seccomp.h | 1 + > > qemu-options.hx | 9 +++++++-- > > qemu-seccomp.c | 12 ++++++++++++ > > vl.c | 16 ++++++++++++++++ > > 4 files changed, 36 insertions(+), 2 deletions(-) > > > > diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h > > index 4a9e63c7cd..3ab5fc4f61 100644 > > --- a/include/sysemu/seccomp.h > > +++ b/include/sysemu/seccomp.h > > @@ -18,6 +18,7 @@ > > #define QEMU_SECCOMP_SET_DEFAULT (1 << 0) > > #define QEMU_SECCOMP_SET_OBSOLETE (1 << 1) > > #define QEMU_SECCOMP_SET_PRIVILEGED (1 << 2) > > +#define QEMU_SECCOMP_SET_SPAWN (1 << 3) > > > > #include <seccomp.h> > > > > diff --git a/qemu-options.hx b/qemu-options.hx > > index 5c1b163fb5..2b04b9f170 100644 > > --- a/qemu-options.hx > > +++ b/qemu-options.hx > > @@ -4018,6 +4018,7 @@ ETEXI > > > > DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ > > "-sandbox on[,obsolete=allow|deny][,elevateprivileges=allow|deny|children]\n" \ > > + " [,spawn=allow|deny]\n" \ > > " Enable seccomp mode 2 system call filter (default 'off').\n" \ > > " use 'obsolete' to allow obsolete system calls that are provided\n" \ > > " by the kernel, but typically no longer used by modern\n" \ > > @@ -4025,10 +4026,12 @@ DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ > > " use 'elevateprivileges' to allow or deny QEMU process to elevate\n" \ > > " its privileges by blacklisting all set*uid|gid system calls.\n" \ > > " The value 'children' will deny set*uid|gid system calls for\n" \ > > - " main QEMU process but will allow forks and execves to run unprivileged\n", > > + " main QEMU process but will allow forks and execves to run unprivileged\n" \ > > + " use 'spawn' to avoid QEMU to spawn new threads or processes by\n" \ > > + " blacklisting *fork and execve\n", > > QEMU_ARCH_ALL) > > STEXI > > -@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}] > > +@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}][,spawn=@var{string}] > > @findex -sandbox > > Enable Seccomp mode 2 system call filter. 'on' will enable syscall filtering and 'off' will > > disable it. The default is 'off'. > > @@ -4037,6 +4040,8 @@ disable it. The default is 'off'. > > Enable Obsolete system calls > > @item elevateprivileges=@var{string} > > Disable set*uid|gid system calls > > +@item spawn=@var{string} > > +Disable *fork and execve > > @end table > > ETEXI > > > > diff --git a/qemu-seccomp.c b/qemu-seccomp.c > > index 2bad16cafb..4c169febf8 100644 > > --- a/qemu-seccomp.c > > +++ b/qemu-seccomp.c > > @@ -79,6 +79,10 @@ static const struct QemuSeccompSyscall blacklist[] = { > > { SCMP_SYS(setresgid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, > > { SCMP_SYS(setfsuid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, > > { SCMP_SYS(setfsgid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, > > + /* spawn */ > > + { SCMP_SYS(fork), 8, QEMU_SECCOMP_SET_SPAWN }, > > + { SCMP_SYS(vfork), 8, QEMU_SECCOMP_SET_SPAWN }, > > + { SCMP_SYS(execve), 8, QEMU_SECCOMP_SET_SPAWN }, > > }; > > > > > > @@ -109,6 +113,14 @@ int seccomp_start(uint32_t seccomp_opts) > > } > > > > break; > > + case QEMU_SECCOMP_SET_SPAWN: > > + if (seccomp_opts & QEMU_SECCOMP_SET_SPAWN) { > > + break; > > + } else { > > + continue; > > + } > > + > > Remove the above empty line? > > Anyway, it's somewhat ugly that you need a switch-case statement here at > all. Couldn't you simply check it like this: > > if (!(seccomp_opts & blacklist[i].set)) { > continue; > } > ? > > You then just have to invert the meaning of the > QEMU_SECCOMP_SET_OBSOLETE bit in the second patch, so that this bit is > treated in the same way as the others (i.e. use > uint32_t seccomp_opts = QEMU_SECCOMP_SET_OBSOLETE; > instead of > uint32_t seccomp_opts = 0x00000; > in vl.c in the second patch). That's indeed much better, but perhaps: uint32_t seccomp_opts = QEMU_SECCOMP_SET_DEFAULT | QEMU_SECCOMP_SET_OBSOLETE; ? -- Eduardo Otubo Senior Software Engineer @ RedHat ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [Qemu-devel] [PATCHv5 4/5] seccomp: add spawn argument to command line 2017-09-08 11:15 ` Eduardo Otubo @ 2017-09-08 11:31 ` Thomas Huth 0 siblings, 0 replies; 18+ messages in thread From: Thomas Huth @ 2017-09-08 11:31 UTC (permalink / raw) To: Eduardo Otubo; +Cc: qemu-devel On 08.09.2017 13:15, Eduardo Otubo wrote: > On Fri, Sep 08, 2017 at 11:50:12AM +0200, Thomas Huth wrote: >> On 08.09.2017 11:10, Eduardo Otubo wrote: >>> This patch adds [,spawn=deny] argument to `-sandbox on' option. It >>> blacklists fork and execve system calls, avoiding Qemu to spawn new >>> threads or processes. >>> >>> Signed-off-by: Eduardo Otubo <otubo@redhat.com> >>> --- >>> include/sysemu/seccomp.h | 1 + >>> qemu-options.hx | 9 +++++++-- >>> qemu-seccomp.c | 12 ++++++++++++ >>> vl.c | 16 ++++++++++++++++ >>> 4 files changed, 36 insertions(+), 2 deletions(-) >>> >>> diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h >>> index 4a9e63c7cd..3ab5fc4f61 100644 >>> --- a/include/sysemu/seccomp.h >>> +++ b/include/sysemu/seccomp.h >>> @@ -18,6 +18,7 @@ >>> #define QEMU_SECCOMP_SET_DEFAULT (1 << 0) >>> #define QEMU_SECCOMP_SET_OBSOLETE (1 << 1) >>> #define QEMU_SECCOMP_SET_PRIVILEGED (1 << 2) >>> +#define QEMU_SECCOMP_SET_SPAWN (1 << 3) >>> >>> #include <seccomp.h> >>> >>> diff --git a/qemu-options.hx b/qemu-options.hx >>> index 5c1b163fb5..2b04b9f170 100644 >>> --- a/qemu-options.hx >>> +++ b/qemu-options.hx >>> @@ -4018,6 +4018,7 @@ ETEXI >>> >>> DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ >>> "-sandbox on[,obsolete=allow|deny][,elevateprivileges=allow|deny|children]\n" \ >>> + " [,spawn=allow|deny]\n" \ >>> " Enable seccomp mode 2 system call filter (default 'off').\n" \ >>> " use 'obsolete' to allow obsolete system calls that are provided\n" \ >>> " by the kernel, but typically no longer used by modern\n" \ >>> @@ -4025,10 +4026,12 @@ DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ >>> " use 'elevateprivileges' to allow or deny QEMU process to elevate\n" \ >>> " its privileges by blacklisting all set*uid|gid system calls.\n" \ >>> " The value 'children' will deny set*uid|gid system calls for\n" \ >>> - " main QEMU process but will allow forks and execves to run unprivileged\n", >>> + " main QEMU process but will allow forks and execves to run unprivileged\n" \ >>> + " use 'spawn' to avoid QEMU to spawn new threads or processes by\n" \ >>> + " blacklisting *fork and execve\n", >>> QEMU_ARCH_ALL) >>> STEXI >>> -@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}] >>> +@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}][,spawn=@var{string}] >>> @findex -sandbox >>> Enable Seccomp mode 2 system call filter. 'on' will enable syscall filtering and 'off' will >>> disable it. The default is 'off'. >>> @@ -4037,6 +4040,8 @@ disable it. The default is 'off'. >>> Enable Obsolete system calls >>> @item elevateprivileges=@var{string} >>> Disable set*uid|gid system calls >>> +@item spawn=@var{string} >>> +Disable *fork and execve >>> @end table >>> ETEXI >>> >>> diff --git a/qemu-seccomp.c b/qemu-seccomp.c >>> index 2bad16cafb..4c169febf8 100644 >>> --- a/qemu-seccomp.c >>> +++ b/qemu-seccomp.c >>> @@ -79,6 +79,10 @@ static const struct QemuSeccompSyscall blacklist[] = { >>> { SCMP_SYS(setresgid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, >>> { SCMP_SYS(setfsuid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, >>> { SCMP_SYS(setfsgid), 4, QEMU_SECCOMP_SET_PRIVILEGED }, >>> + /* spawn */ >>> + { SCMP_SYS(fork), 8, QEMU_SECCOMP_SET_SPAWN }, >>> + { SCMP_SYS(vfork), 8, QEMU_SECCOMP_SET_SPAWN }, >>> + { SCMP_SYS(execve), 8, QEMU_SECCOMP_SET_SPAWN }, >>> }; >>> >>> >>> @@ -109,6 +113,14 @@ int seccomp_start(uint32_t seccomp_opts) >>> } >>> >>> break; >>> + case QEMU_SECCOMP_SET_SPAWN: >>> + if (seccomp_opts & QEMU_SECCOMP_SET_SPAWN) { >>> + break; >>> + } else { >>> + continue; >>> + } >>> + >> >> Remove the above empty line? >> >> Anyway, it's somewhat ugly that you need a switch-case statement here at >> all. Couldn't you simply check it like this: >> >> if (!(seccomp_opts & blacklist[i].set)) { >> continue; >> } >> ? >> >> You then just have to invert the meaning of the >> QEMU_SECCOMP_SET_OBSOLETE bit in the second patch, so that this bit is >> treated in the same way as the others (i.e. use >> uint32_t seccomp_opts = QEMU_SECCOMP_SET_OBSOLETE; >> instead of >> uint32_t seccomp_opts = 0x00000; >> in vl.c in the second patch). > > That's indeed much better, but perhaps: > uint32_t seccomp_opts = QEMU_SECCOMP_SET_DEFAULT | QEMU_SECCOMP_SET_OBSOLETE; Right, the default set should be excluded by default of course, too! :-) Thomas ^ permalink raw reply [flat|nested] 18+ messages in thread
* [Qemu-devel] [PATCHv5 5/5] seccomp: add resourcecontrol argument to command line 2017-09-08 9:10 [Qemu-devel] [PATCHv5 0/6] seccomp: feature refactoring Eduardo Otubo ` (3 preceding siblings ...) 2017-09-08 9:10 ` [Qemu-devel] [PATCHv5 4/5] seccomp: add spawn " Eduardo Otubo @ 2017-09-08 9:10 ` Eduardo Otubo 2017-09-08 9:33 ` Daniel P. Berrange 4 siblings, 1 reply; 18+ messages in thread From: Eduardo Otubo @ 2017-09-08 9:10 UTC (permalink / raw) To: qemu-devel; +Cc: thuth, Daniel P . Berrange This patch adds [,resourcecontrol=deny] to `-sandbox on' option. It blacklists all process affinity and scheduler priority system calls to avoid any bigger of the process. Signed-off-by: Eduardo Otubo <otubo@redhat.com> --- include/sysemu/seccomp.h | 1 + qemu-options.hx | 9 ++++++--- qemu-seccomp.c | 19 +++++++++++++++++++ vl.c | 16 ++++++++++++++++ 4 files changed, 42 insertions(+), 3 deletions(-) diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h index 3ab5fc4f61..e67c2dc840 100644 --- a/include/sysemu/seccomp.h +++ b/include/sysemu/seccomp.h @@ -19,6 +19,7 @@ #define QEMU_SECCOMP_SET_OBSOLETE (1 << 1) #define QEMU_SECCOMP_SET_PRIVILEGED (1 << 2) #define QEMU_SECCOMP_SET_SPAWN (1 << 3) +#define QEMU_SECCOMP_SET_RESOURCECTL (1 << 4) #include <seccomp.h> diff --git a/qemu-options.hx b/qemu-options.hx index 2b04b9f170..600614f6e5 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -4018,7 +4018,7 @@ ETEXI DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ "-sandbox on[,obsolete=allow|deny][,elevateprivileges=allow|deny|children]\n" \ - " [,spawn=allow|deny]\n" \ + " [,spawn=allow|deny][,resourcecontrol=allow|deny]\n" \ " Enable seccomp mode 2 system call filter (default 'off').\n" \ " use 'obsolete' to allow obsolete system calls that are provided\n" \ " by the kernel, but typically no longer used by modern\n" \ @@ -4028,10 +4028,11 @@ DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ " The value 'children' will deny set*uid|gid system calls for\n" \ " main QEMU process but will allow forks and execves to run unprivileged\n" \ " use 'spawn' to avoid QEMU to spawn new threads or processes by\n" \ - " blacklisting *fork and execve\n", + " blacklisting *fork and execve\n" \ + " use 'resourcecontrol' to disable process affinity and schedular priority\n", QEMU_ARCH_ALL) STEXI -@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}][,spawn=@var{string}] +@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}][,spawn=@var{string}][,resourcecontrol=@var{string}] @findex -sandbox Enable Seccomp mode 2 system call filter. 'on' will enable syscall filtering and 'off' will disable it. The default is 'off'. @@ -4042,6 +4043,8 @@ Enable Obsolete system calls Disable set*uid|gid system calls @item spawn=@var{string} Disable *fork and execve +@item resourcecontrol=@var{string} +Disable process affinity and schedular priority @end table ETEXI diff --git a/qemu-seccomp.c b/qemu-seccomp.c index 4c169febf8..e7c19c8165 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -83,6 +83,17 @@ static const struct QemuSeccompSyscall blacklist[] = { { SCMP_SYS(fork), 8, QEMU_SECCOMP_SET_SPAWN }, { SCMP_SYS(vfork), 8, QEMU_SECCOMP_SET_SPAWN }, { SCMP_SYS(execve), 8, QEMU_SECCOMP_SET_SPAWN }, + /* resource control */ + { SCMP_SYS(getpriority), 16, QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(setpriority), 16, QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(sched_setparam), 16, QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(sched_getparam), 16, QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(sched_setscheduler), 16, QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(sched_getscheduler), 16, QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(sched_setaffinity), 16, QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(sched_getaffinity), 16, QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(sched_get_priority_max), 16, QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(sched_get_priority_min), 16, QEMU_SECCOMP_SET_RESOURCECTL }, }; @@ -121,6 +132,14 @@ int seccomp_start(uint32_t seccomp_opts) } break; + case QEMU_SECCOMP_SET_RESOURCECTL: + if (seccomp_opts & QEMU_SECCOMP_SET_RESOURCECTL) { + break; + } else { + continue; + } + + break; default: break; } diff --git a/vl.c b/vl.c index 0af137da17..ce3883ccb1 100644 --- a/vl.c +++ b/vl.c @@ -284,6 +284,10 @@ static QemuOptsList qemu_sandbox_opts = { .name = "spawn", .type = QEMU_OPT_STRING, }, + { + .name = "resourcecontrol", + .type = QEMU_OPT_STRING, + }, { /* end of list */ } }, }; @@ -1097,6 +1101,18 @@ static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp) } } + value = qemu_opt_get(opts, "resourcecontrol"); + if (value) { + if (g_str_equal(value, "deny")) { + seccomp_opts |= QEMU_SECCOMP_SET_RESOURCECTL; + } else if (g_str_equal(value, "allow")) { + /* default value */ + } else { + error_report("invalid argument for resourcecontrol"); + return -1; + } + } + if (seccomp_start(seccomp_opts) < 0) { error_report("failed to install seccomp syscall filter " "in the kernel"); -- 2.13.5 ^ permalink raw reply related [flat|nested] 18+ messages in thread
* Re: [Qemu-devel] [PATCHv5 5/5] seccomp: add resourcecontrol argument to command line 2017-09-08 9:10 ` [Qemu-devel] [PATCHv5 5/5] seccomp: add resourcecontrol " Eduardo Otubo @ 2017-09-08 9:33 ` Daniel P. Berrange 0 siblings, 0 replies; 18+ messages in thread From: Daniel P. Berrange @ 2017-09-08 9:33 UTC (permalink / raw) To: Eduardo Otubo; +Cc: qemu-devel, thuth On Fri, Sep 08, 2017 at 11:10:27AM +0200, Eduardo Otubo wrote: > This patch adds [,resourcecontrol=deny] to `-sandbox on' option. It > blacklists all process affinity and scheduler priority system calls to > avoid any bigger of the process. > > Signed-off-by: Eduardo Otubo <otubo@redhat.com> > --- > include/sysemu/seccomp.h | 1 + > qemu-options.hx | 9 ++++++--- > qemu-seccomp.c | 19 +++++++++++++++++++ > vl.c | 16 ++++++++++++++++ > 4 files changed, 42 insertions(+), 3 deletions(-) Reviewed-by: Daniel P. Berrange <berrange@redhat.com> Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| ^ permalink raw reply [flat|nested] 18+ messages in thread
end of thread, other threads:[~2017-09-08 11:31 UTC | newest] Thread overview: 18+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2017-09-08 9:10 [Qemu-devel] [PATCHv5 0/6] seccomp: feature refactoring Eduardo Otubo 2017-09-08 9:10 ` [Qemu-devel] [PATCHv5 1/5] seccomp: changing from whitelist to blacklist Eduardo Otubo 2017-09-08 9:31 ` Daniel P. Berrange 2017-09-08 9:43 ` Thomas Huth 2017-09-08 9:50 ` Eduardo Otubo 2017-09-08 9:52 ` Thomas Huth 2017-09-08 10:57 ` Eduardo Otubo 2017-09-08 9:10 ` [Qemu-devel] [PATCHv5 2/5] seccomp: add obsolete argument to command line Eduardo Otubo 2017-09-08 9:31 ` Daniel P. Berrange 2017-09-08 9:10 ` [Qemu-devel] [PATCHv5 3/5] seccomp: add elevateprivileges " Eduardo Otubo 2017-09-08 9:32 ` Daniel P. Berrange 2017-09-08 9:10 ` [Qemu-devel] [PATCHv5 4/5] seccomp: add spawn " Eduardo Otubo 2017-09-08 9:33 ` Daniel P. Berrange 2017-09-08 9:50 ` Thomas Huth 2017-09-08 11:15 ` Eduardo Otubo 2017-09-08 11:31 ` Thomas Huth 2017-09-08 9:10 ` [Qemu-devel] [PATCHv5 5/5] seccomp: add resourcecontrol " Eduardo Otubo 2017-09-08 9:33 ` Daniel P. Berrange
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).