From: Avi Kivity <avi@redhat.com>
To: Blue Swirl <blauwirbel@gmail.com>
Cc: Paul Moore <pmoore@redhat.com>,
qemu-devel@nongnu.org, Eduardo Otubo <otubo@linux.vnet.ibm.com>
Subject: Re: [Qemu-devel] [RFC] [PATCHv2 2/2] Adding basic calls to libseccomp in vl.c
Date: Tue, 19 Jun 2012 14:04:40 +0300 [thread overview]
Message-ID: <4FE05CC8.9040801@redhat.com> (raw)
In-Reply-To: <CAAu8pHs8Uiztxo5kHFwxGmSv5_MpQgAQJuM+gfvOyRNYvE4e-w@mail.gmail.com>
On 06/16/2012 09:46 AM, Blue Swirl wrote:
> On Fri, Jun 15, 2012 at 9:36 PM, Paul Moore <pmoore@redhat.com> wrote:
>> On Friday, June 15, 2012 09:23:46 PM Blue Swirl wrote:
>>> On Fri, Jun 15, 2012 at 9:02 PM, Paul Moore <pmoore@redhat.com> wrote:
>>> > On Friday, June 15, 2012 07:06:10 PM Blue Swirl wrote:
>>> >> I think allowing execve() would render seccomp pretty much useless.
>>> >
>>> > Not necessarily.
>>> >
>>> > I'll agree that it does seem a bit odd to allow execve(), but there is
>>> > still value in enabling seccomp to disable potentially buggy/exploitable
>>> > syscalls. Let's not forget that we have over 300 syscalls on x86_64, not
>>> > including the 32 bit versions, and even if we add all of the new syscalls
>>> > suggested in this thread we are still talking about a small subset of
>>> > syscalls. As far as security goes, the old adage of "less is more"
>>> > applies.
>>>
>>> The helper program being executed could need any of the 300 system
>>> calls, so we'd have to allow all.
>>
>> Don't we have some basic understanding of what the applications being exec'd
>> will need to do? I sorta see your point, but allowing the entire set of
>> syscalls seems a bit dramatic.
>
> At least qemu-ifup/down scripts, migration exec and smbd have been
> mentioned. Only the system calls made by smbd (for some version of it)
> can be known. The user could specify arbitrary commands for the
> others, those could be assumed to use some common (large) subset of
> system calls but I think the security value would be close to zero
> then.
We're not trying to protect against the user, but against the guest. If
we assume the user wrote those scripts with care so they cannot be
exploited by the guest, then we are okay.
However I agree with you that it would be better to restrict those
syscalls. The scripts are already unnecessary if using a management
system and migration supports passed file descriptors, so that leaves
only smbd, which can probably be pre-execed.
>
>>
>>> > Protecting against the abuse and misuse of execve() is something that is
>>> > better done with the host's access controls (traditional DAC, MAC via the
>>> > LSM, etc.).
>>>
>>> How about seccomp mode selected by command line switch -seccomp, in
>>> which bind/connect/open/execve are forbidden? The functionality
>>> remaining would be somewhat limited (can't migrate or use SMB etc.
>>> until refactoring of QEMU), but that way seccomp jail would be much
>>> tighter.
>>
>> When I spoke to Anthony about this earlier (offline, sorry) he was opposed to
>> requiring any switches or user interaction to enable seccomp. I'm not sure if
>> his stance on this has changed any over the past few months.
>
> There could be two modes, strict mode (-seccomp) and default mode
> (only some syscalls blocked). With the future decomposed QEMU, strict
> seccomp mode would be default and the switch would be obsoleted. If
> the decomposition is planned to happen soonish, adding the switch
> would be just churn.
We have decomposed qemu to some extent, in that privileged operations
happen in libvirt. So the modes make sense - qemu has no idea whether a
privileged management system is controlling it or not.
>
>>
>> In my perfect world, we would have a decomposed QEMU that functions as a
>> series of processes connected via some sort of IPC; the exact divisions are a
>> bit TBD and beyond the scope of this discussion. In this scenario we would be
>> able to restrict QEMU with sVirt and seccomp to a much higher degree than we
>> could with the current monolithic QEMU.
>>
>> I don't expect to see my perfect world any time soon, but in the meantime we
>> can still improve the security of QEMU on Linux with these seccomp patches and
>> for that reason I think it's a win. Since these patches don't expose anything
>> at runtime (no knobs, switches, etc.) we leave ourselves plenty of flexibility
>> for changing things in the future.
>
> Yes, I'm much in favor of adding seccomp support soon. But I just
> wonder if this is really the best level of security we can reach now,
> not assuming decomposed QEMU, but just minor tweaks?
We might disable mprotect(PROT_EXEC) if running with kvm.
--
error compiling committee.c: too many arguments to function
next prev parent reply other threads:[~2012-06-19 11:04 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-06-13 19:20 [Qemu-devel] [RFC] [PATCHv2 0/2] Sandboxing Qemu guests with Libseccomp Eduardo Otubo
2012-06-13 19:20 ` [Qemu-devel] [RFC] [PATCHv2 1/2] Adding support for libseccomp in configure Eduardo Otubo
2012-06-13 19:45 ` Blue Swirl
2012-06-13 19:20 ` [Qemu-devel] [RFC] [PATCHv2 2/2] Adding basic calls to libseccomp in vl.c Eduardo Otubo
2012-06-13 19:56 ` Blue Swirl
2012-06-13 20:33 ` Daniel P. Berrange
2012-06-15 19:04 ` Blue Swirl
2012-06-18 8:33 ` Daniel P. Berrange
2012-06-18 15:22 ` Corey Bryant
2012-06-18 20:18 ` Blue Swirl
2012-06-18 21:53 ` Corey Bryant
[not found] ` <CABqD9hYKLf9D37XsF6nvNmtJ=0wJ39Yu_A-JeWxDJ_8haBmEWA@mail.gmail.com>
[not found] ` <4FE08025.6030406@linux.vnet.ibm.com>
[not found] ` <CABqD9ha32FAuikpDojzO91Jg8Q6VTY340LShKzpvTx6FN_uacQ@mail.gmail.com>
2012-06-19 16:51 ` Corey Bryant
2012-07-01 13:25 ` Paolo Bonzini
2012-07-02 2:18 ` Will Drewry
2012-07-02 14:20 ` Corey Bryant
2012-06-13 20:30 ` Daniel P. Berrange
2012-06-15 19:06 ` Blue Swirl
2012-06-15 21:02 ` Paul Moore
2012-06-15 21:23 ` Blue Swirl
2012-06-15 21:36 ` Paul Moore
2012-06-16 6:46 ` Blue Swirl
2012-06-18 17:41 ` Corey Bryant
2012-06-19 11:04 ` Avi Kivity [this message]
2012-06-19 18:58 ` Blue Swirl
2012-06-21 8:04 ` Avi Kivity
[not found] ` <4FEB7A4D.7050608@redhat.com>
[not found] ` <CAAu8pHtYmoJ7WCK7LAOj_j2YU-nAgiLTg7q4qXL3Vu-kPRpZnw@mail.gmail.com>
2012-07-02 18:05 ` Corey Bryant
2012-07-03 19:15 ` Blue Swirl
2012-06-15 21:44 ` Eric Blake
2012-06-18 8:31 ` Daniel P. Berrange
2012-06-18 8:38 ` Daniel P. Berrange
2012-06-18 13:52 ` Paul Moore
2012-06-18 13:55 ` Daniel P. Berrange
2012-06-18 14:02 ` Paul Moore
2012-06-18 20:13 ` Eduardo Otubo
2012-06-18 20:23 ` Blue Swirl
2012-06-18 15:29 ` Corey Bryant
2012-06-18 20:15 ` Blue Swirl
2012-06-19 9:23 ` Daniel P. Berrange
2012-06-19 18:44 ` Blue Swirl
2012-06-18 8:26 ` Daniel P. Berrange
2012-06-13 20:37 ` Daniel P. Berrange
2012-06-13 20:31 ` [Qemu-devel] [RFC] [PATCHv2 0/2] Sandboxing Qemu guests with Libseccomp Paul Moore
2012-06-14 21:59 ` [Qemu-devel] [libseccomp-discuss] " Kees Cook
2012-06-15 13:54 ` Paul Moore
2012-10-29 15:11 ` Corey Bryant
2012-10-29 15:32 ` Daniel P. Berrange
2012-10-29 15:40 ` Paul Moore
2012-10-29 15:51 ` Corey Bryant
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4FE05CC8.9040801@redhat.com \
--to=avi@redhat.com \
--cc=blauwirbel@gmail.com \
--cc=otubo@linux.vnet.ibm.com \
--cc=pmoore@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).