Message-ID: <517EEB8A.7040700@linux.vnet.ibm.com>
Date: Mon, 29 Apr 2013 17:52:10 -0400
From: Corey Bryant
To: Paul Moore
Cc: qemu-devel@nongnu.org, Eric Paris, Eduardo Otubo
Subject: Re: [Qemu-devel] [RFC] Continuous work on sandboxing

On 04/26/2013 05:07 PM, Paul Moore wrote:
> [snip]
>
>> 3. Debugging and/or learning mode - third party libraries still have the
>> problem of interfering in the Qemu's signal mask. According to some
>> previous discussions, perhaps patch all external libraries that mess up
>> with this mask (spice, for example) is a way to solve it. But not sure
>> if it's worth the time spent. Would like to hear you guys.
>
> I think patching all the libraries is a losing battle, I think we need to
> pursue alternate debugging techniques.
>
> --
> paul moore
> security and virtualization @ redhat
>

I agree. It would be nice to have some sort of learning mode that
reported all denied syscalls on a single run, but signal handlers don't
seem like the right way. Maybe we could improve on this approach, since
it never gained traction:

https://lkml.org/lkml/2013/1/7/313

At least we can get a single denied syscall at a time today via the
audit log that the kernel issues. Eduardo, you may want to see if
there's a good place to document that for QEMU so that people know where
to look.

--
Regards,
Corey Bryant
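An added example, not part of the original message and not QEMU code: since each sandboxed run yields only one denied syscall in the audit log, this sketch collects the kernel's seccomp audit records for QEMU across several runs and tallies the syscall numbers. The log lines are constructed samples, and the function names and the `qemu` comm prefix are assumptions.

```python
import re
from collections import Counter

# Constructed sample records (not from the thread). auditd writes type=SECCOMP;
# without auditd the kernel log shows the same record as type=1326.
SAMPLE_AUDIT_LOG = """\
type=SECCOMP msg=audit(1367272330.101:812): auid=4294967295 uid=107 gid=107 ses=4294967295 pid=4242 comm="qemu-kvm" sig=31 syscall=87 compat=0 ip=0x7f3a5c0e1d27 code=0x0
type=SYSCALL msg=audit(1367272331.000:813): arch=c000003e syscall=2 success=yes exit=3 pid=900 comm="sshd"
Apr 29 17:53:18 host kernel: type=1326 audit(1367272398.550:820): auid=4294967295 uid=107 gid=107 ses=4294967295 pid=4310 comm="qemu-kvm" sig=31 syscall=87 compat=0 ip=0x7f3a5c0e1d27 code=0x0
type=SECCOMP msg=audit(1367272450.007:831): auid=4294967295 uid=107 gid=107 ses=4294967295 pid=4377 comm="qemu-kvm" sig=31 syscall=41 compat=0 ip=0x7f91b2c44a07 code=0x0
type=SECCOMP msg=audit(1367272460.000:840): auid=1000 uid=1000 gid=1000 ses=2 pid=5001 comm="chrome" sig=31 syscall=16 compat=0 ip=0x7f00deadbeef code=0x0
"""

# Record header: type, then audit(<epoch>.<ms>:<serial>), then key=value fields.
REC = re.compile(r'type=(?:SECCOMP|1326)\s+(?:msg=)?audit\((\d+)\.\d+:(\d+)\):\s*(.*)')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def seccomp_denials(log_text, comm_prefix="qemu"):
    """Return one dict per seccomp audit record whose comm starts with comm_prefix."""
    out = []
    for line in log_text.splitlines():
        m = REC.search(line)
        if not m:
            continue  # not a seccomp record
        f = {k: v.strip('"') for k, v in KV.findall(m.group(3))}
        if not f.get("comm", "").startswith(comm_prefix):
            continue  # denial from some other sandboxed program
        try:
            out.append({"time": int(m.group(1)), "serial": int(m.group(2)),
                        "pid": int(f["pid"]), "comm": f["comm"],
                        "syscall": int(f["syscall"]), "sig": int(f["sig"]),
                        "compat": int(f["compat"])})
        except (KeyError, ValueError):
            continue  # truncated or malformed record
    return out

def summarize(denials):
    """Count denials per (syscall number, compat flag) across all runs seen."""
    return Counter((d["syscall"], d["compat"]) for d in denials)

if __name__ == "__main__":
    for (nr, compat), n in summarize(seccomp_denials(SAMPLE_AUDIT_LOG)).most_common():
        print(f"syscall={nr} compat={compat} denied in {n} run(s)")
```

Syscall numbers in these records are architecture-specific, and `compat=1` marks a 32-bit call on a 64-bit kernel, so resolve the numbers against the table for the matching ABI.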