Message-ID: <52309E42.2080802@linux.vnet.ibm.com>
Date: Wed, 11 Sep 2013 12:45:54 -0400
From: Corey Bryant
Subject: Re: [Qemu-devel] [PATCHv2 2/3] seccomp: adding command line support for blacklist
To: Eduardo Otubo
Cc: pmoore@redhat.com, qemu-devel@nongnu.org
References: <1378495308-24560-1-git-send-email-otubo@linux.vnet.ibm.com> <1378495308-24560-3-git-send-email-otubo@linux.vnet.ibm.com>
In-Reply-To: <1378495308-24560-3-git-send-email-otubo@linux.vnet.ibm.com>

On 09/06/2013 03:21 PM, Eduardo Otubo wrote:
> New command line options for the seccomp blacklist feature:
>
> $ qemu -sandbox on[,strict=]
>
> The strict parameter will turn on or off the new system call blacklist

I mentioned this before but I'll say it again since I think it needs to be discussed. Since this regresses support (it'll prevent -net bridge and -net tap from using execv) the concern I have with the strict=on|off option is whether or not we will have the flexibility to modify the blacklist once QEMU is released with this support. Of course we should be able to add more syscalls to the blacklist as long as they don't regress QEMU functionality. But if we want to add a syscall that does regress QEMU functionality, I think we'd have to add a new command line option, which doesn't seem desirable.

So a more flexible approach may be necessary. Maybe the blacklist should be passed on the command line, which would enable it to be defined by libvirt and passed to QEMU. I know Paul is working on something for libvirt so maybe that answers this question.

>
> Signed-off-by: Eduardo Otubo
> ---
> qemu-options.hx | 8 +++++---
> vl.c | 11 ++++++++++-
> 2 files changed, 15 insertions(+), 4 deletions(-)
>
> diff --git a/qemu-options.hx b/qemu-options.hx
> index d15338e..05485e1 100644
> --- a/qemu-options.hx
> +++ b/qemu-options.hx
> @@ -2978,13 +2978,15 @@ Old param mode (ARM only). > ETEXI > > DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ > - "-sandbox Enable seccomp mode 2 system call filter (default 'off').\n", > + "-sandbox Enable seccomp mode 2 system call filter (default 'off').\n" > + "-sandbox on[,strict=]\n" > + " Enable seccomp mode 2 system call second level filter (default 'off').\n", Does this need to mention the QEMU features restricted by the blacklist? > QEMU_ARCH_ALL) > STEXI > -@item -sandbox @var{arg} > +@item -sandbox @var{arg}[,strict=@var{value}] > @findex -sandbox > Enable Seccomp mode 2 system call filter. 'on' will enable syscall filtering and 'off' will > -disable it. The default is 'off'. > +disable it. The default is 'off'. 'strict=on' will enable second level filter (default is 'off'). And here too? > ETEXI > > DEF("readconfig", HAS_ARG, QEMU_OPTION_readconfig, > diff --git a/vl.c b/vl.c > index 02f7486..909f685 100644 > --- a/vl.c > +++ b/vl.c > @@ -329,6 +329,9 @@ static QemuOptsList qemu_sandbox_opts = { > { > .name = "enable", > .type = QEMU_OPT_BOOL, > + },{ > + .name = "strict", > + .type = QEMU_OPT_STRING, > }, > { /* end of list */ } > }, > @@ -1031,6 +1034,7 @@ static int bt_parse(const char *opt) > > static int parse_sandbox(QemuOpts *opts, void *opaque) > { > + const char * strict_value = NULL; > /* FIXME: change this to true for 1.3 */ > if (qemu_opt_get_bool(opts, "enable", false)) { > #ifdef CONFIG_SECCOMP > @@ -1040,7 +1044,12 @@ static int parse_sandbox(QemuOpts *opts, void *opaque) > return -1; > } > > - enable_blacklist = true; > + strict_value = qemu_opt_get(opts, "strict"); > + if (strict_value) { > + if (!strcmp(strict_value, "on")) { > + enable_blacklist = true; > + } > + } > #else > qerror_report(ERROR_CLASS_GENERIC_ERROR, > "sandboxing request but seccomp is not compiled into this build"); > -- Regards, Corey Bryant
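Review bot: in the qemu-options.hx hunk, the user-facing text never says what the strict filter does or which values it accepts. The added help line `-sandbox on[,strict=]` and the texinfo sentence `'strict=on' will enable second level filter (default is 'off')` describe it only as a "second level filter"; since, as stated earlier in this thread, the blacklist blocks execv and therefore breaks -net bridge and -net tap, the help should state the accepted values (on/off) and name the restricted features so an operator can tell why those options stop working. Keeping the old `-sandbox Enable seccomp mode 2 system call filter` line alongside the new `-sandbox on[,strict=]` line also makes the -help output list -sandbox twice; folding them into one entry would be cleaner.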
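Review bot: in the vl.c hunk at qemu_sandbox_opts, `.type = QEMU_OPT_STRING` is the wrong type for an on/off switch. The sibling `enable` entry uses QEMU_OPT_BOOL, which makes the QemuOpts parser reject anything other than on/off at parse time; with QEMU_OPT_STRING any spelling is accepted and has to be checked later by string comparison. Suggest `.type = QEMU_OPT_BOOL` so that strict goes through the same validation as enable.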
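Review bot: in the vl.c hunk at parse_sandbox(), `const char * strict_value = NULL;` is declared at the top of the function but only referenced inside the `#ifdef CONFIG_SECCOMP` branch, so builds without seccomp get an unused-variable warning. Move the declaration into the CONFIG_SECCOMP block next to the qemu_opt_get() call. QEMU's coding style also puts the star against the identifier: `const char *strict_value`.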
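Review bot: in the last vl.c hunk, the code that replaces the unconditional `enable_blacklist = true;` silently ignores every value of strict other than the exact string "on": `strict=yes`, `strict=ON` or a typo all leave the blacklist disabled with no diagnostic, which is the wrong failure direction for a security option. Either report an error and `return -1` for unrecognised values, as the preceding error path in this function does, or make the option QEMU_OPT_BOOL and use `qemu_opt_get_bool(opts, "strict", false)`. This hunk also changes behaviour: before it, `-sandbox on` always enabled the blacklist, and now the blacklist is opt-in; the commit message should say so explicitly, since the blacklist is what breaks -net bridge and -net tap per the discussion above.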