From: Paul Moore <pmoore@redhat.com>
To: Eduardo Otubo <otubo@linux.vnet.ibm.com>
Cc: lmr@redhat.com, qemu-devel@nongnu.org, anthony@codemonkey.ws
Subject: Re: [Qemu-devel] [PATCH] seccomp: "-sandbox on" won't kill Qemu when option not built in
Date: Mon, 09 Dec 2013 13:16:28 -0500 [thread overview]
Message-ID: <3282317.3ykRPnnAV1@sifl> (raw)
In-Reply-To: <52A60328.6020102@linux.vnet.ibm.com>
On Monday, December 09, 2013 03:51:36 PM Eduardo Otubo wrote:
> On 12/09/2013 03:33 PM, Daniel P. Berrange wrote:
> > On Mon, Dec 09, 2013 at 03:20:52PM -0200, Eduardo Otubo wrote:
> >> This option was requested by virt-test team so they can run tests with
> >> Qemu and "-sandbox on" set without breaking whole test if host doesn't
> >>
> >> have support for seccomp in kernel. It covers two possibilities:
> >> 1) Host kernel support does not support seccomp, but user installed
> >> Qemu
> >>
> >> package with sandbox support: Libseccomp will fail -> qemu will fail
> >> nicely and won't stop execution.
> >>
> >> 2) Host kernel has support but Qemu package wasn't built with sandbox
> >>
> >> feature. Qemu will fail nicely and won't stop execution.
> >>
> >> Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
> >> ---
> >>
> >> vl.c | 10 +++-------
> >> 1 file changed, 3 insertions(+), 7 deletions(-)
{snip}
> > This change is really dubious from a security POV. If the admin requested
> > sandboxing and the host or QEMU build cannot support it, then QEMU really
> > *must* exit.
>
> I think an admin must know what he's doing. If he requested sandbox but
> without kernel support he need to step back a little and understand what
> he's doing. This patch won't decrease the security level, IMHO.
NACK
For the reasons Daniel already mentioned. Mistakes happen, a lot, and if the
user explicitly requests security functionality and we can't provide it we
need to fail in a manner that doesn't increase the user's risk.
> > IMHO the test suite should probe to see if sandbox is working or not, and
> > just not use the "-sandbox on" arg if the host doesn't support it.
>
> But I think this could be done on virt-test as well :)
This would be ideal, but if you must have a fallback mechanism in QEMU proper,
make it separate from '-sandbox on' so that it doesn't break with the current
behavior and also makes it is obvious that the functionality is not
guaranteed, e.g. '-sandbox try' or similar.
--
paul moore
security and virtualization @ redhat
next prev parent reply other threads:[~2013-12-09 18:16 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-12-09 17:20 [Qemu-devel] [PATCH] seccomp: "-sandbox on" won't kill Qemu when option not built in Eduardo Otubo
2013-12-09 17:33 ` Daniel P. Berrange
2013-12-09 17:51 ` Eduardo Otubo
2013-12-09 18:16 ` Paul Moore [this message]
2013-12-10 3:20 ` Corey Bryant
2013-12-10 18:48 ` Lucas Meneghel Rodrigues
2013-12-10 19:31 ` Paul Moore
2013-12-10 20:13 ` Lucas Meneghel Rodrigues
2013-12-10 19:35 ` Eduardo Otubo
2013-12-09 19:11 ` Lucas Meneghel Rodrigues
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3282317.3ykRPnnAV1@sifl \
--to=pmoore@redhat.com \
--cc=anthony@codemonkey.ws \
--cc=lmr@redhat.com \
--cc=otubo@linux.vnet.ibm.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).