From: Corey Bryant <coreyb@linux.vnet.ibm.com>
To: Eduardo Otubo <otubo@linux.vnet.ibm.com>
Cc: pmoore@redhat.com, Stefan Hajnoczi <stefanha@gmail.com>,
wad@chromium.org, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] seccomp: adding a second whitelist
Date: Tue, 03 Sep 2013 17:08:11 -0400 [thread overview]
Message-ID: <52264FBB.6070706@linux.vnet.ibm.com> (raw)
In-Reply-To: <5226410A.6070705@linux.vnet.ibm.com>
On 09/03/2013 04:05 PM, Eduardo Otubo wrote:
>
>
> On 09/03/2013 03:02 PM, Corey Bryant wrote:
>>
>>
>> On 08/30/2013 10:21 AM, Eduardo Otubo wrote:
>>>
>>>
>>> On 08/29/2013 05:34 AM, Stefan Hajnoczi wrote:
>>>> On Wed, Aug 28, 2013 at 10:04:32PM -0300, Eduardo Otubo wrote:
>>>>> Now there's a second whitelist, right before the vcpu starts. The
>>>>> second
>>>>> whitelist is the same as the first one, except for exec() and
>>>>> select().
>>>>
>>>> -netdev tap,downscript=/path/to/script requires exec() in the QEMU
>>>> shutdown code path. Will this work with seccomp?
>>>
>>> I actually don't know, but I'll test that as well. Can you run a test
>>> with this patch and -netdev? I mean, if you're pointing that out you
>>> might have a scenario already setup, right?
>>>
>>> Thanks!
>>>
>>
>> This uses exec() in net/tap.c.
>>
>> I think if we're going to introduce a sandbox environment that restricts
>> existing QEMU behavior, then we have to introduce a new argument to the
>> -sandbox option. So for example, "-sandbox on" would continue to use
>> the whitelist that allows everything in QEMU to work (or at least it
>> should :). And something like "-sandbox on,strict=on" would use the
>> whitelist + blacklist.
>
> I think tihs is very reasonable. I'll working on implementing this
> options for v2.
>
>>
>> If this is acceptable though, then I wonder how we could go about adding
>> new syscalls to the blacklist in future QEMU releases without regressing
>> "-sandbox on,strict=on".
>>
>> By the way, are any test buckets running regularly with -sandbox on?
>
> I am running tests with virt-test. Need to come up with a script that
> checks for unused syscalls, though.
>
Would it be possible to submit a patch to turn on -sandbox for some/all
QEMU virt-test tests? That would enable regular regression runs that
aren't dependent on you. Plus it would be a good proof point of the
QEMU seccomp support if the tests run successfully.
--
Regards,
Corey Bryant
next prev parent reply other threads:[~2013-09-03 21:08 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-29 1:04 [Qemu-devel] [PATCH] seccomp: adding a second whitelist Eduardo Otubo
2013-08-29 8:34 ` Stefan Hajnoczi
2013-08-29 8:56 ` Paolo Bonzini
2013-08-30 14:22 ` Eduardo Otubo
2013-08-30 14:21 ` Eduardo Otubo
2013-08-30 15:23 ` Stefan Hajnoczi
2013-08-30 15:42 ` Paul Moore
2013-09-02 9:05 ` Stefan Hajnoczi
2013-09-03 18:02 ` Corey Bryant
2013-09-03 18:08 ` Corey Bryant
2013-09-03 18:21 ` Paul Moore
2013-09-03 18:23 ` Corey Bryant
2013-09-03 20:07 ` Eduardo Otubo
2013-09-03 21:49 ` Paul Moore
2013-09-03 20:05 ` Eduardo Otubo
2013-09-03 21:08 ` Corey Bryant [this message]
2013-08-29 12:56 ` Paul Moore
2013-08-30 14:27 ` Eduardo Otubo
2013-08-30 15:32 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52264FBB.6070706@linux.vnet.ibm.com \
--to=coreyb@linux.vnet.ibm.com \
--cc=otubo@linux.vnet.ibm.com \
--cc=pmoore@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@gmail.com \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).