Message-ID: <5238B8B1.6070506@linux.vnet.ibm.com>
Date: Tue, 17 Sep 2013 17:16:49 -0300
From: Eduardo Otubo
References: <1378495308-24560-1-git-send-email-otubo@linux.vnet.ibm.com> <523852A3.3070207@linux.vnet.ibm.com> <20130917130606.GA2812@redhat.com> <2976992.k7Cxs3D50a@sifl> <52388DF1.4010307@linux.vnet.ibm.com> <5238AAC8.4060205@linux.vnet.ibm.com>
In-Reply-To: <5238AAC8.4060205@linux.vnet.ibm.com>
Subject: Re: [Qemu-devel] [PATCHv2 2/3] seccomp: adding command line support for blacklist
To: Corey Bryant
Cc: Paul Moore, qemu-devel@nongnu.org

On 09/17/2013 04:17 PM, Corey Bryant wrote:
>
> On 09/17/2013 01:14 PM, Eduardo Otubo wrote:
>>
>> On 09/17/2013 11:43 AM, Paul Moore wrote:
>>> On Tuesday, September 17, 2013 02:06:06 PM Daniel P. Berrange wrote:
>>>> On Tue, Sep 17, 2013 at 10:01:23AM -0300, Eduardo Otubo wrote:
>>>>
>>>>> Paul, what exactly are you planning to add to libvirt? I'm not a big
>>>>> fan of using the qemu command line to pass syscalls for the blacklist
>>>>> as arguments, but I can't see another way to avoid problems (like
>>>>> -net bridge / -net tap) from happening.
>>>
>>> At present, and as far as I'm concerned pretty much everything is open
>>> for discussion, the code works similarly to the libvirt network
>>> filters. You create a separate XML configuration file which defines
>>> the filter and you reference that filter from the domain's XML
>>> configuration. When a QEMU/KVM or LXC-based domain starts it uses
>>> libseccomp to create the seccomp filter and then loads it into the
>>> kernel after the fork but before the domain is exec'd.
>>
>> Clever approach. I think a possible way to do this is something like:
>>
>> -sandbox on[,strict=][,whitelist=qemu_whitelist.conf][,blacklist=qemu_blacklist.conf]
>>
>> where:
>>
>> [,whitelist=qemu_whitelist.conf] will override the default whitelist filter
>> [,blacklist=blacklist.conf] will override the default blacklist filter
>>
>> But when we add seccomp support for qemu on libvirt, we make sure to
>> just add -sandbox off and use Paul's approach.
>>
>> Is that a reasonable approach? What do you think?
>>
>
> QEMU wouldn't require any changes for the approach Paul describes. The
> QEMU process that is exec'd by libvirt would be constrained by the
> filter that libvirt installed.
>

Yes, that is correct. But I'm thinking about the case when Qemu is run
stand-alone, without libvirt. There must be a way to configure it without
using a pre-configured filter from libvirt.

-- 
Eduardo Otubo
IBM Linux Technology Center
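The sequence Paul describes (fork, build a seccomp filter, load it into the kernel, then exec the domain) and the blacklist semantics Eduardo proposes for -sandbox are shown below as an added example. It is not QEMU or libvirt code: libvirt uses libseccomp for this, whereas the example below writes the seccomp-BPF program by hand so that it builds with only the Linux headers (<linux/seccomp.h>, <linux/filter.h>). The function names, the outcome enum, and the sample blacklist (getpid and ptrace) are constructed for illustration; nothing here parses the proposed qemu_blacklist.conf.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* The arch check must match the build target: without it a blacklisted call
 * can be issued through another ABI (e.g. x32 or 32-bit compat) and pass. */
#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define FILTER_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

#define MAX_BLACKLIST 32
#define FILTER_LEN(n) (5 + 2 * (n)) /* arch check (3) + load nr (1) + 2 per entry + allow (1) */
#define STMT(code, k) ((struct sock_filter)BPF_STMT((code), (k)))
#define JUMP(code, k, jt, jf) ((struct sock_filter)BPF_JUMP((code), (k), (jt), (jf)))

enum outcome { EXITED_NORMALLY, KILLED_BY_SIGSYS, SECCOMP_UNAVAILABLE, CHILD_ERROR };

/* Blacklist semantics as proposed in the thread: a listed syscall (or any
 * syscall from a foreign ABI) kills the process; everything else is allowed.
 * Returns the instruction count, or 0 if the list does not fit. */
size_t build_blacklist_filter(const int *nrs, size_t n, struct sock_filter *out)
{
    size_t i, k = 0;
    if (n > MAX_BLACKLIST) return 0;
    out[k++] = STMT(BPF_LD | BPF_W | BPF_ABS, (unsigned)offsetof(struct seccomp_data, arch));
    out[k++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0); /* match: skip the kill */
    out[k++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[k++] = STMT(BPF_LD | BPF_W | BPF_ABS, (unsigned)offsetof(struct seccomp_data, nr));
    for (i = 0; i < n; i++) {
        out[k++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nrs[i], 0, 1); /* match: fall into kill */
        out[k++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    }
    out[k++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW); /* default-allow: the blacklist's weakness */
    return k;
}

/* Install the blacklist in the calling process. Returns 0 or -errno. */
int install_blacklist(const int *nrs, size_t n)
{
    struct sock_filter insns[FILTER_LEN(MAX_BLACKLIST)];
    struct sock_fprog prog = { 0, insns };
    size_t len = build_blacklist_filter(nrs, n, insns);
    if (len == 0) return -E2BIG;
    prog.len = (unsigned short)len;
    /* no_new_privs lets an unprivileged process load the filter and stops a
     * later exec of a setuid binary from escaping it with more privilege. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -errno;
    return 0;
}

/* The libvirt-style sequence from the thread: fork(), load the filter in the
 * child, then exec the guest binary so the whole image runs under it.
 * Returns the child's exit status (127 if install or exec failed), -1 on error. */
int spawn_blacklisted(const int *nrs, size_t n, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_blacklist(nrs, n) != 0) _exit(127);
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Same fork-then-filter sequence, but the child runs body() in-process so the
 * filter's effect on a single syscall can be observed. */
enum outcome run_blacklisted_child(const int *nrs, size_t n, void (*body)(void))
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return CHILD_ERROR;
    if (pid == 0) {
        if (install_blacklist(nrs, n) != 0) _exit(100);
        body();
        _exit(0);
    }
    if (waitpid(pid, &status, 0) != pid) return CHILD_ERROR;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) return KILLED_BY_SIGSYS;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 100) return SECCOMP_UNAVAILABLE;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return EXITED_NORMALLY;
    return CHILD_ERROR;
}

static void call_getpid(void)  { syscall(__NR_getpid); }  /* on the sample blacklist */
static void call_getppid(void) { syscall(__NR_getppid); } /* not on the blacklist */

int main(void)
{
    const int deny[] = { __NR_getpid, __NR_ptrace }; /* constructed sample blacklist */
    char *const argv[] = { "sh", "-c", "exit 3", NULL };
    printf("getpid under blacklist: outcome %d (1 = killed by SIGSYS)\n",
           run_blacklisted_child(deny, 2, call_getpid));
    printf("getppid under blacklist: outcome %d (0 = exited normally)\n",
           run_blacklisted_child(deny, 2, call_getppid));
    printf("sh with ptrace blacklisted: exit status %d\n", spawn_blacklisted(deny + 1, 1, argv));
    return 0;
}
```

Build on Linux with `cc -o seccomp_blacklist seccomp_blacklist.c`; no extra library is needed. Because the filter is loaded before execvp(), the exec'd image inherits it without cooperating, which is Corey's point that QEMU needs no changes under libvirt's approach. The final SECCOMP_RET_ALLOW is what makes this a blacklist: a syscall nobody thought to list is permitted. A whitelist filter swaps the two return actions (allow per entry, kill as the default), which is why the proposed -sandbox syntax keeps the two lists separate.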