From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:42746)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <coreyb@linux.vnet.ibm.com>) id 1TR34f-0000Sf-Np
	for qemu-devel@nongnu.org; Wed, 24 Oct 2012 11:41:00 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <coreyb@linux.vnet.ibm.com>) id 1TR34Z-0001mw-Mh
	for qemu-devel@nongnu.org; Wed, 24 Oct 2012 11:40:53 -0400
Received: from e8.ny.us.ibm.com ([32.97.182.138]:50575)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <coreyb@linux.vnet.ibm.com>) id 1TR34Z-0001Es-Hk
	for qemu-devel@nongnu.org; Wed, 24 Oct 2012 11:40:47 -0400
Received: from /spool/local
	by e8.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only!
	Violators will be prosecuted
	for <qemu-devel@nongnu.org> from <coreyb@linux.vnet.ibm.com>;
	Wed, 24 Oct 2012 11:39:47 -0400
Received: from d01relay02.pok.ibm.com (d01relay02.pok.ibm.com [9.56.227.234])
	by d01dlp03.pok.ibm.com (Postfix) with ESMTP id 04A63C9007F
	for <qemu-devel@nongnu.org>; Wed, 24 Oct 2012 11:39:28 -0400 (EDT)
Received: from d01av02.pok.ibm.com (d01av02.pok.ibm.com [9.56.224.216])
	by d01relay02.pok.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id
	q9OFdRO7301104
	for <qemu-devel@nongnu.org>; Wed, 24 Oct 2012 11:39:27 -0400
Received: from d01av02.pok.ibm.com (loopback [127.0.0.1])
	by d01av02.pok.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id
	q9OFdRId007689
	for <qemu-devel@nongnu.org>; Wed, 24 Oct 2012 13:39:27 -0200
Message-ID: <50880B96.20802@linux.vnet.ibm.com>
Date: Wed, 24 Oct 2012 11:39:02 -0400
From: Corey Bryant <coreyb@linux.vnet.ibm.com>
MIME-Version: 1.0
References: <1350479712-15082-1-git-send-email-otubo@linux.vnet.ibm.com>
	<1350479712-15082-4-git-send-email-otubo@linux.vnet.ibm.com>
	<50801D29.2080305@redhat.com> <5087F899.2030604@linux.vnet.ibm.com>
	<5088078B.3070002@redhat.com>
In-Reply-To: <5088078B.3070002@redhat.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH 4/4] Warning messages on net devices hotplug
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: pmoore@redhat.com, aliguori@us.ibm.com, qemu-devel@nongnu.org, Eduardo Otubo <otubo@linux.vnet.ibm.com>



On 10/24/2012 11:21 AM, Paolo Bonzini wrote:
> Il 24/10/2012 16:18, Corey Bryant ha scritto:
>>
>>
>> On 10/18/2012 11:15 AM, Paolo Bonzini wrote:
>>> Il 17/10/2012 15:15, Eduardo Otubo ha scritto:
>>>> With the inclusion of the new "double whitelist" seccomp filter, Qemu
>>>> won't be able to execve() in runtime, thus, no hotplug net devices
>>>> allowed.
>>>>
>>>> Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
>>>
>>> Please check this in net_init_tap instead.  When using libvirt, hotplug
>>> is done with a completely different mechanism that involves
>>> file-descriptor passing and does not require executing a helper.
>>>
>>> Paolo
>>>
>>
>> Are you sure net_init_tap() is the right place for this check?
> 
> Yes, assuming there is a global that says whether the seccomp sandbox is
> in effect.  Even something like "if (sandbox_active && !tap->has_fd)
> error(...)" can be enough.
> 
> Paolo
> 

What do you think about this?  It moves the checks into the functions that actually cause execve() to be called, and it only prevents the commands after QEMU is done with initialization in main().

---

diff --git a/net/tap.c b/net/tap.c
index df89caa..7a8a234 100644
--- a/net/tap.c
+++ b/net/tap.c
@@ -352,6 +352,14 @@ static int launch_script(const char *setup_script, const char *ifname, int fd)
     char *args[3];
     char **parg;
 
+#ifdef CONFIG_SECCOMP
+        if (!runstate_is_prelaunch()) {
+            error_report("Cannot execute network script from QEMU monitor "
+                         "when -sandbox is in effect");
+            return -1;
+        }
+#endif
+
     /* try to launch network script */
     pid = fork();
     if (pid == 0) {
@@ -426,6 +434,14 @@ static int net_bridge_run_helper(const char *helper, const char *bridge)
     char **parg;
     int sv[2];
 
+#ifdef CONFIG_SECCOMP
+        if (!runstate_is_prelaunch()) {
+            error_report("Cannot execute network helper from QEMU monitor "
+                         "when -sandbox is in effect");
+            return -1;
+        }
+#endif
+
     sigemptyset(&mask);
     sigaddset(&mask, SIGCHLD);
     sigprocmask(SIG_BLOCK, &mask, &oldmask);
diff --git a/sysemu.h b/sysemu.h
index 0c39a3a..37d8c7d 100644
--- a/sysemu.h
+++ b/sysemu.h
@@ -23,6 +23,7 @@ void runstate_init(void);
 bool runstate_check(RunState state);
 void runstate_set(RunState new_state);
 int runstate_is_running(void);
+int runstate_is_prelaunch(void);
 typedef struct vm_change_state_entry VMChangeStateEntry;
 typedef void VMChangeStateHandler(void *opaque, int running, RunState state);
 
diff --git a/vl.c b/vl.c
index c7e88ff..b19b9fa 100644
--- a/vl.c
+++ b/vl.c
@@ -432,6 +432,11 @@ int runstate_is_running(void)
     return runstate_check(RUN_STATE_RUNNING);
 }
 
+int runstate_is_prelaunch(void)
+{
+    return runstate_check(RUN_STATE_PRELAUNCH);
+}
+
 StatusInfo *qmp_query_status(Error **errp)
 {
     StatusInfo *info = g_malloc0(sizeof(*info));
-- 
1.7.11.7


-- 
Regards,
Corey Bryant