From: Lei Li <lilei@linux.vnet.ibm.com>
To: Eduardo Otubo <otubo@linux.vnet.ibm.com>
Cc: pmoore@redhat.com, coreyb@linux.vnet.ibm.com, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCHv2 1/3] seccomp: adding blacklist support
Date: Mon, 09 Sep 2013 11:49:56 +0800 [thread overview]
Message-ID: <522D4564.3060100@linux.vnet.ibm.com> (raw)
In-Reply-To: <1378495308-24560-2-git-send-email-otubo@linux.vnet.ibm.com>
On 09/07/2013 03:21 AM, Eduardo Otubo wrote:
> Adding a system call blacklist right before the vcpus starts. This filter is
> composed by the system calls that can't be executed after the guests are up.
> This list should be refined as the whitelist is, with as much testing as we can
> do using virt-test.
>
> Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
> ---
> include/sysemu/seccomp.h | 5 ++++-
> qemu-seccomp.c | 57 ++++++++++++++++++++++++++++++++++++++----------
> vl.c | 16 +++++++++++++-
> 3 files changed, 64 insertions(+), 14 deletions(-)
>
> diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h
> index 1189fa2..551ad12 100644
> --- a/include/sysemu/seccomp.h
> +++ b/include/sysemu/seccomp.h
> @@ -15,8 +15,11 @@
> #ifndef QEMU_SECCOMP_H
> #define QEMU_SECCOMP_H
>
> +#define WHITELIST 0
> +#define BLACKLIST 1
> +
> #include <seccomp.h>
> #include "qemu/osdep.h"
>
> -int seccomp_start(void);
> +int seccomp_start(int state);
> #endif
> diff --git a/qemu-seccomp.c b/qemu-seccomp.c
> index 37d38f8..5e85eb5 100644
> --- a/qemu-seccomp.c
> +++ b/qemu-seccomp.c
> @@ -21,7 +21,7 @@ struct QemuSeccompSyscall {
> uint8_t priority;
> };
>
> -static const struct QemuSeccompSyscall seccomp_whitelist[] = {
> +static const struct QemuSeccompSyscall whitelist[] = {
> { SCMP_SYS(timer_settime), 255 },
> { SCMP_SYS(timer_gettime), 254 },
> { SCMP_SYS(futex), 253 },
> @@ -221,32 +221,65 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
> { SCMP_SYS(arch_prctl), 240 }
> };
>
> -int seccomp_start(void)
> +static const struct QemuSeccompSyscall blacklist[] = {
> + { SCMP_SYS(execve), 255 }
> +};
> +
> +static int process_list(scmp_filter_ctx *ctx,
> + const struct QemuSeccompSyscall *list,
> + unsigned int list_size, uint32_t action)
> {
> int rc = 0;
> unsigned int i = 0;
> - scmp_filter_ctx ctx;
>
> - ctx = seccomp_init(SCMP_ACT_KILL);
> - if (ctx == NULL) {
> - goto seccomp_return;
> - }
> + for (i = 0; i < list_size; i++) {
> + rc = seccomp_rule_add(ctx, action, list[i].num, 0);
> + if (rc < 0) {
> + goto seccomp_return;
> + }
>
> - for (i = 0; i < ARRAY_SIZE(seccomp_whitelist); i++) {
> - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_whitelist[i].num, 0);
> + rc = seccomp_syscall_priority(ctx, list[i].num,
> + list[i].priority);
> if (rc < 0) {
> goto seccomp_return;
> }
> - rc = seccomp_syscall_priority(ctx, seccomp_whitelist[i].num,
> - seccomp_whitelist[i].priority);
> + }
> +
> +seccomp_return:
> + return rc;
> +}
> +
> +int seccomp_start(int list_type)
> +{
> + int rc = 0;
> + scmp_filter_ctx ctx;
> +
> + switch (list_type) {
> + case WHITELIST:
> + ctx = seccomp_init(SCMP_ACT_KILL);
> + if (ctx == NULL) {
> + goto seccomp_return;
> + }
> + rc = process_list(ctx, whitelist, ARRAY_SIZE(whitelist), SCMP_ACT_ALLOW);
> if (rc < 0) {
> goto seccomp_return;
> }
> + break;
> + case BLACKLIST:
> + ctx = seccomp_init(SCMP_ACT_ALLOW);
> + if (ctx == NULL) {
> + goto seccomp_return;
> + }
> + rc = process_list(ctx, blacklist, ARRAY_SIZE(blacklist), SCMP_ACT_KILL);
> + break;
> + default:
> + rc = -1;
> + goto seccomp_return;
> }
>
> rc = seccomp_load(ctx);
>
> - seccomp_return:
> +seccomp_return:
> seccomp_release(ctx);
> return rc;
> }
> diff --git a/vl.c b/vl.c
> index b4b119a..02f7486 100644
> --- a/vl.c
> +++ b/vl.c
> @@ -179,6 +179,7 @@ int main(int argc, char **argv)
> #define MAX_VIRTIO_CONSOLES 1
> #define MAX_SCLP_CONSOLES 1
>
> +static bool enable_blacklist = false;
> static const char *data_dir[16];
> static int data_dir_idx;
> const char *bios_name = NULL;
> @@ -1033,11 +1034,13 @@ static int parse_sandbox(QemuOpts *opts, void *opaque)
> /* FIXME: change this to true for 1.3 */
> if (qemu_opt_get_bool(opts, "enable", false)) {
> #ifdef CONFIG_SECCOMP
> - if (seccomp_start() < 0) {
> + if (seccomp_start(WHITELIST) < 0) {
> qerror_report(ERROR_CLASS_GENERIC_ERROR,
> "failed to install seccomp syscall filter in the kernel");
> return -1;
> }
> +
> + enable_blacklist = true;
> #else
> qerror_report(ERROR_CLASS_GENERIC_ERROR,
> "sandboxing request but seccomp is not compiled into this build");
> @@ -1765,12 +1768,23 @@ void vm_state_notify(int running, RunState state)
> }
> }
>
> +static void install_seccomp_blacklist(void)
> +{
> + if (enable_blacklist) {
> + if (seccomp_start(BLACKLIST) < 0) {
> + qerror_report(ERROR_CLASS_GENERIC_ERROR,
> + "failed to install seccomp syscall second level filter in the kernel");
> + }
> + }
> +}
> +
> void vm_start(void)
> {
> if (!runstate_is_running()) {
> cpu_enable_ticks();
> runstate_set(RUN_STATE_RUNNING);
> vm_state_notify(1, RUN_STATE_RUNNING);
> + install_seccomp_blacklist();
Hi Eduardo,
Looks good to me, especially the implementation of blacklist than the previous
one that the second whitelist is the same as the first one except that two
system calls.
Just one question:
If the seccomp_start(WHITELIST) failed, it will lead to the QEMU exit(1).
But seems that if this seccomp_start(BLACKLIST) failed, it won't, just report
an error that the second level filter in kernel failed to install.
Is this the expected behaver?
> resume_all_vcpus();
> monitor_protocol_event(QEVENT_RESUME, NULL);
> }
--
Lei
next prev parent reply other threads:[~2013-09-09 3:51 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-06 19:21 [Qemu-devel] [PATCHv2 0/3] seccomp: adding blacklist support with command line Eduardo Otubo
2013-09-06 19:21 ` [Qemu-devel] [PATCHv2 1/3] seccomp: adding blacklist support Eduardo Otubo
2013-09-09 3:49 ` Lei Li [this message]
2013-09-11 16:29 ` Corey Bryant
2013-09-06 19:21 ` [Qemu-devel] [PATCHv2 2/3] seccomp: adding command line support for blacklist Eduardo Otubo
2013-09-11 16:45 ` Corey Bryant
2013-09-11 16:49 ` Daniel P. Berrange
2013-09-17 13:01 ` Eduardo Otubo
2013-09-17 13:06 ` Daniel P. Berrange
2013-09-17 14:43 ` Paul Moore
2013-09-17 17:14 ` Eduardo Otubo
2013-09-17 18:08 ` Eduardo Otubo
2013-09-17 19:17 ` Corey Bryant
2013-09-17 20:16 ` Eduardo Otubo
2013-09-18 7:38 ` Daniel P. Berrange
2013-09-18 15:53 ` Paul Moore
2013-09-18 15:59 ` Daniel P. Berrange
2013-09-18 16:19 ` Paul Moore
2013-09-18 16:32 ` Daniel P. Berrange
2013-09-18 17:24 ` Corey Bryant
2013-09-18 17:37 ` Paul Moore
2013-09-18 7:35 ` Daniel P. Berrange
2013-09-06 19:21 ` [Qemu-devel] [PATCHv3 3/3] seccomp: general fixes Eduardo Otubo
2013-09-11 16:56 ` Corey Bryant
2013-10-09 0:40 ` Eduardo Otubo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=522D4564.3060100@linux.vnet.ibm.com \
--to=lilei@linux.vnet.ibm.com \
--cc=coreyb@linux.vnet.ibm.com \
--cc=otubo@linux.vnet.ibm.com \
--cc=pmoore@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).