Re: [Qemu-devel] [PATCH v3 3/3] seccomp: set the seccomp filter to all threads

[Eric Blake <eblake@redhat.com>]

On 08/22/2018 10:58 AM, Marc-André Lureau wrote:

>> At this point you might as well not bother using seccomp at all. The
>> thread that is confined merely needs to scribble something into the
>> stack of the unconfined thread and now it can do whatever it wants.
> 
> Actually, that message is incorrect, it should rather be "not all
> threads will be filtered" (as described in commit message).
> 
>> IMHO we need to find a way to get the policy to apply to those other
>> threads.
> 
> That's what the patch is about ;)

In other words, this patch is patching the gaping security hole that 
already exists, but...

>>> +++ b/qemu-options.hx
>>> @@ -3864,6 +3864,8 @@ Disable set*uid|gid system calls
>>>   Disable *fork and execve
>>>   @item resourcecontrol=@var{string}
>>>   Disable process affinity and schedular priority
>>> +@item tsync=@var{bool}
>>> +Apply seccomp filter to all threads (default is auto, and will warn if fail)
>>
>> IMHO this should never exist, as setting "tsync" to anything other
>> than "yes", is akin to just running without any sandbox.
> 
> Then we should just fail -sandbox on those systems.

...leaving the backdoor open.  Yes, we should instead fix things to hard 
fail when -sandbox cannot fully protect the process, rather than adding 
a tsync=off backdoor to permit execution in spite of the insecurity.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org