From: Corey Bryant <coreyb@linux.vnet.ibm.com>
To: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: "qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
Eduardo Otubo <otubo@linux.vnet.ibm.com>
Subject: Re: [Qemu-devel] [RFC] [PATCH 0/2] Sandboxing Qemu guests with Libseccomp
Date: Tue, 08 May 2012 10:10:25 -0400 [thread overview]
Message-ID: <4FA92951.8090601@linux.vnet.ibm.com> (raw)
In-Reply-To: <alpine.DEB.2.00.1205081226570.26786@kaball-desktop>
On 05/08/2012 07:32 AM, Stefano Stabellini wrote:
> On Tue, 8 May 2012, Daniel P. Berrange wrote:
>> On Fri, May 04, 2012 at 04:08:36PM -0300, Eduardo Otubo wrote:
>>> Hello all,
>>>
>>> This is the first effort to sandboxing Qemu guests using Libseccomp[0]. The
>>> patches that follows are pretty simple and straightforward. I added the correct
>>> options and checks to the configure script and the basic calls to libseccomp in
>>> the main loop at vl.c. Details of each one are in the emails of the patch set.
>>>
>>> This support limits the system call footprint of the entire QEMU process to a
>>> limited set of syscalls, those that we know QEMU uses. The idea is to limit
>>> the allowable syscalls, therefore limiting the impact that an attacked guest
>>> could have on the host system.
>>
>> What functionality has been lost by applying this seccomp filter ? I've not
>> looked closely at the code, but it appears as if this blocks pretty much
>> any kind of runtime device changes. ie no hotplug of any kind will work ?
>
> Right, I was wondering the same thing: open is not on the list so adding
> a new disk shouldn't be possible.
>
> Regarding Xen, most of the hypercalls go through xc_* calls that are
> ioctls on the privcmd device. Is it possible to add ioctl to the list?
>
If the whitelist is complete there should be no functionality lost when
using seccomp with QEMU. The idea (at least at this point) is to
disallow the system calls that QEMU doesn't use. open and ioctl should
be added to the whitelist.
--
Regards,
Corey
next prev parent reply other threads:[~2012-05-08 14:13 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-05-04 19:08 [Qemu-devel] [RFC] [PATCH 0/2] Sandboxing Qemu guests with Libseccomp Eduardo Otubo
2012-05-04 19:08 ` [Qemu-devel] [RFC] [PATCH 1/2] Adding support for libseccomp in configure Eduardo Otubo
2012-05-04 19:08 ` [Qemu-devel] [RFC] [PATCH 2/2] Adding basic calls to libseccomp in vl.c Eduardo Otubo
2012-05-04 21:59 ` Andreas Färber
2012-05-07 11:01 ` Paolo Bonzini
2012-05-07 12:28 ` Eduardo Otubo
2012-05-07 12:34 ` Paolo Bonzini
2012-05-07 12:16 ` Eduardo Otubo
2012-05-08 9:15 ` [Qemu-devel] [RFC] [PATCH 0/2] Sandboxing Qemu guests with Libseccomp Daniel P. Berrange
2012-05-08 11:32 ` Stefano Stabellini
2012-05-08 14:10 ` Corey Bryant [this message]
2012-05-08 14:27 ` Daniel P. Berrange
2012-05-08 15:19 ` Corey Bryant
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4FA92951.8090601@linux.vnet.ibm.com \
--to=coreyb@linux.vnet.ibm.com \
--cc=otubo@linux.vnet.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=stefano.stabellini@eu.citrix.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).