Message-ID: <4FDF4973.8030008@linux.vnet.ibm.com>
Date: Mon, 18 Jun 2012 11:29:55 -0400
From: Corey Bryant
To: "Daniel P. Berrange"
Cc: Paul Moore, Blue Swirl, qemu-devel@nongnu.org, Eduardo Otubo
Subject: Re: [Qemu-devel] [RFC] [PATCHv2 2/2] Adding basic calls to libseccomp in vl.c
In-Reply-To: <20120618083103.GC28026@redhat.com>
References: <20120613203028.GB6019@redhat.com> <5022524.gIe1TV6Uvp@sifl> <20120618083103.GC28026@redhat.com>

On 06/18/2012 04:31 AM, Daniel P. Berrange wrote:
> On Fri, Jun 15, 2012 at 05:02:19PM -0400, Paul Moore wrote:
>> On Friday, June 15, 2012 07:06:10 PM Blue Swirl wrote:
>>> I think allowing execve() would render seccomp pretty much useless.
>>
>> Not necessarily.
>>
>> I'll agree that it does seem a bit odd to allow execve(), but there is still
>> value in enabling seccomp to disable potentially buggy/exploitable syscalls.
>> Let's not forget that we have over 300 syscalls on x86_64, not including the
>> 32 bit versions, and even if we add all of the new syscalls suggested in this
>> thread we are still talking about a small subset of syscalls. As far as
>> security goes, the old adage of "less is more" applies.
>
> I can sort of see this argument, but *only* if the QEMU process is being
> run under a dedicated, fully unprivileged (from a DAC pov) user, completely
> separate from anything else on the system.

This might be a good point to plug Marcelo Cerri's DAC isolation patches
that are on the libvirt mailing list. :)

http://www.redhat.com/archives/libvir-list/2012-May/msg01005.html
http://www.redhat.com/archives/libvir-list/2012-June/msg00020.html

-- 
Regards,
Corey

> If QEMU were being run as root, then even with seccomp, it could trivially
> just overwrite some binary in /bin, update /proc/core-pattern to point to
> this binary, and then crash itself. Now that core handling binary will
> execute without any of the seccomp filters applied.
>
> Similarly if QEMU is being run in the user's desktop session, I'm sure there
> is some kind of similar attack possible by changing a config setting for the
> user's GNOME/KDE session, and then waiting for GNOME/KDE to execute the script
> that QEMU just wrote out, once again bypassing seccomp.
>
> Regards,
> Daniel
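The model Paul describes above, a filter that denies a small set of syscalls and allows everything else (execve included), as an added example that is not part of this thread or of the QEMU patch under review. It uses raw seccomp-BPF through prctl(2) rather than libseccomp so it builds with nothing but kernel headers; the arch tag, the MAX_DENIED limit and the choice of socket(2)/ptrace(2) as the denied calls are assumptions of this example. The probe runs the filter in a forked child so the calling process itself stays unfiltered.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Architecture tag the filter checks; assumption: x86_64 or aarch64 Linux host. */
#if defined(__x86_64__)
#define SECCOMP_ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define MAX_DENIED 32   /* arbitrary cap for this example */

/*
 * Install a deny-list filter: each syscall number in `denied` fails with
 * EPERM, everything else is allowed. Returns 0 on success, -1 on error.
 */
static int install_deny_filter(const int *denied, size_t n)
{
    struct sock_filter prog[6 + 2 * MAX_DENIED + 1];
    size_t i, p = 0;

    if (n > MAX_DENIED) {
        errno = EINVAL;
        return -1;
    }

    /* Kill on a foreign ABI: its syscall numbers differ, so the list would not apply. */
    prog[p++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, arch));
    prog[p++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH_NR, 1, 0);
    prog[p++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);

    /* Load the syscall number. */
    prog[p++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, nr));
#if defined(__x86_64__)
    /* x32 syscalls carry the x86_64 arch tag but set bit 30 in nr; kill them too. */
    prog[p++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000u, 0, 1);
    prog[p++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
#endif

    /* One compare plus one EPERM return per denied syscall. */
    for (i = 0; i < n; i++) {
        prog[p++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                 (uint32_t)denied[i], 0, 1);
        prog[p++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                                 SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    }
    prog[p++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);

    struct sock_fprog fprog = { .len = (unsigned short)p, .filter = prog };

    /* Needed so an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/*
 * Probe the filter in a child: deny socket(2) and ptrace(2), then confirm
 * socket() fails with EPERM while getpid() still works. Returns 1 when the
 * filter behaved as expected, 0 when it did not, -1 on fork/wait failure.
 */
static int demo_deny_list(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        const int denied[] = { __NR_socket, __NR_ptrace };
        int ok = 0;

        if (install_deny_filter(denied, 2) == 0) {
            int fd = socket(AF_INET, SOCK_STREAM, 0);   /* must be refused */
            int saved = errno;
            pid_t me = getpid();                        /* must still work */
            ok = (fd == -1 && saved == EPERM && me > 0);
            /* execve is not in the list: this child could still exec. */
        }
        _exit(ok ? 0 : 1);
    }

    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

int main(void)
{
    int r = demo_deny_list();
    printf("deny-list filter %s\n", r == 1 ? "enforced" : "NOT enforced");
    return r == 1 ? 0 : 1;
}
```

Build with `cc -o seccomp_deny seccomp_deny.c` on Linux. A filter installed this way is inherited across fork and execve, which is why leaving execve open still removes the denied syscalls from any helper the process starts; it does nothing, however, against a process that can get the kernel or another service to run code on its behalf, which is exactly Daniel's core-dump-handler and desktop-session objection, so the dedicated unprivileged user the thread assumes is still required.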