From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:60499)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <pmoore@redhat.com>) id 1Zh38O-0002de-JM
	for qemu-devel@nongnu.org; Tue, 29 Sep 2015 18:12:29 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <pmoore@redhat.com>) id 1Zh38J-0005W2-BF
	for qemu-devel@nongnu.org; Tue, 29 Sep 2015 18:12:28 -0400
Received: from mx1.redhat.com ([209.132.183.28]:47178)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <pmoore@redhat.com>) id 1Zh38J-0005VH-6G
	for qemu-devel@nongnu.org; Tue, 29 Sep 2015 18:12:23 -0400
From: Paul Moore <pmoore@redhat.com>
Date: Tue, 29 Sep 2015 18:12:17 -0400
Message-ID: <2847918.LyRAQidd07@sifl>
In-Reply-To: <N1-IUU_41wMS2@Safe-mail.net>
References: <N1-IUU_41wMS2@Safe-mail.net>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Subject: Re: [Qemu-devel] [PATCH v2] Add argument filters to the seccomp
	sandbox
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Namsun Ch'o <namnamc@safe-mail.net>
Cc: qemu-devel@nongnu.org, eduardo.otubo@profitbricks.com

On Monday, September 28, 2015 11:14:42 PM Namsun Ch'o wrote:
> > My understanding of the config file you proposed is that it would allow
> > the
> > configuration of a whitelist, so changes to the config very could result
> > in
> > *less* strict of a filter, not always more.
> 
> No. Any time an administrator wants a syscall that is not enabled in the
> sandbox, they either don't actually need it, or it's a bug and should be
> fixed. So all the config would do is add argument filters to syscalls which
> are already whitelisted.

If the syscall, without arguments, is already added to the whitelist then 
adding a new libseccomp rule to allow that same syscall with specific 
arguments will have no effect since a broader rule already exists in the 
filter.

> The alternative would be that the syscalls are given no further argument
> filtering. The config could only make the filteres more restrictive, never
> less.

I still don't see how this is the case, but it probably isn't worth arguing 
any further without some patches.
 
> Perhaps there could be a #define somewhere that toggles whether or not a
> syscall argument filter can be created for a syscall which is not in the
> built-in whitelist, otherwise it would throw an error saying that you cannot
> create an argument filter for a syscall that is not permitted.

I would argue you should never be able to add a syscall to the whitelist via a 
config file and/or command line option, but that is my opinion.

-- 
paul moore
security @ redhat