From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:48638) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Vq5Nn-0007Y2-FK for qemu-devel@nongnu.org; Mon, 09 Dec 2013 13:16:45 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Vq5Nh-0007sa-FV for qemu-devel@nongnu.org; Mon, 09 Dec 2013 13:16:39 -0500 Received: from mx1.redhat.com ([209.132.183.28]:1412) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Vq5Nh-0007sI-71 for qemu-devel@nongnu.org; Mon, 09 Dec 2013 13:16:33 -0500 From: Paul Moore Date: Mon, 09 Dec 2013 13:16:28 -0500 Message-ID: <3282317.3ykRPnnAV1@sifl> In-Reply-To: <52A60328.6020102@linux.vnet.ibm.com> References: <1386609652-7876-1-git-send-email-otubo@linux.vnet.ibm.com> <20131209173330.GG22114@redhat.com> <52A60328.6020102@linux.vnet.ibm.com> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Subject: Re: [Qemu-devel] [PATCH] seccomp: "-sandbox on" won't kill Qemu when option not built in List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Eduardo Otubo Cc: lmr@redhat.com, qemu-devel@nongnu.org, anthony@codemonkey.ws On Monday, December 09, 2013 03:51:36 PM Eduardo Otubo wrote: > On 12/09/2013 03:33 PM, Daniel P. Berrange wrote: > > On Mon, Dec 09, 2013 at 03:20:52PM -0200, Eduardo Otubo wrote: > >> This option was requested by virt-test team so they can run tests with > >> Qemu and "-sandbox on" set without breaking whole test if host doesn't > >> > >> have support for seccomp in kernel. It covers two possibilities: > >> 1) Host kernel support does not support seccomp, but user installed > >> Qemu > >> > >> package with sandbox support: Libseccomp will fail -> qemu will fail > >> nicely and won't stop execution. > >> > >> 2) Host kernel has support but Qemu package wasn't built with sandbox > >> > >> feature. Qemu will fail nicely and won't stop execution. > >> > >> Signed-off-by: Eduardo Otubo > >> --- > >> > >> vl.c | 10 +++------- > >> 1 file changed, 3 insertions(+), 7 deletions(-) {snip} > > This change is really dubious from a security POV. If the admin requested > > sandboxing and the host or QEMU build cannot support it, then QEMU really > > *must* exit. > > I think an admin must know what he's doing. If he requested sandbox but > without kernel support he need to step back a little and understand what > he's doing. This patch won't decrease the security level, IMHO. NACK For the reasons Daniel already mentioned. Mistakes happen, a lot, and if the user explicitly requests security functionality and we can't provide it we need to fail in a manner that doesn't increase the user's risk. > > IMHO the test suite should probe to see if sandbox is working or not, and > > just not use the "-sandbox on" arg if the host doesn't support it. > > But I think this could be done on virt-test as well :) This would be ideal, but if you must have a fallback mechanism in QEMU proper, make it separate from '-sandbox on' so that it doesn't break with the current behavior and also makes it is obvious that the functionality is not guaranteed, e.g. '-sandbox try' or similar. -- paul moore security and virtualization @ redhat