From: Corey Bryant <coreyb@linux.vnet.ibm.com>
To: Paul Moore <pmoore@redhat.com>
Cc: qemu-devel@nongnu.org, anthony@codemonkey.ws,
Eduardo Otubo <otubo@linux.vnet.ibm.com>
Subject: Re: [Qemu-devel] [PATCHv3 1/3] seccomp: adding blacklist support
Date: Thu, 10 Oct 2013 07:33:42 -0400 [thread overview]
Message-ID: <52569096.2050800@linux.vnet.ibm.com> (raw)
In-Reply-To: <1559837.J1S2UnvGH4@sifl>
On 10/09/2013 05:36 PM, Paul Moore wrote:
> On Tuesday, October 08, 2013 09:42:24 PM Eduardo Otubo wrote:
>> v3: The "-netdev tap" option is checked in the vl.c file during the
>> process of the command line argument list. It sets tap_enabled to true
>> or false according to the configuration found. Later at the seccomp
>> filter installation, this value is checked wheter to install or not this
>> feature.
>
> I like the idea of slowly making the QEMU syscall filter dependent on the
> runtime configuration. With that in mind, I wonder if we should have a more
> general purpose API in include/sysemu/seccomp.h that allows QEMU to indicate
> to the the QEMU/seccomp code that a particular feature is enabled.
>
> Maybe something like this:
>
> #define SCMP_FEAT_TAP ...
>
> int seccomp_feature_enable(int feature);
This is a good approach, and then the blacklist can vary based on what
features are enabled.
--
Regards,
Corey Bryant
>
> One more comment below.
>
>> Adding a system call blacklist right before the vcpus starts. This
>> filter is composed by the system calls that can't be executed after the
>> guests are up. This list should be refined as whitelist is, with as much
>> testing as we can do using virt-test.
>>
>> Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
>> ---
>> include/sysemu/seccomp.h | 6 ++++-
>> qemu-seccomp.c | 64
>> +++++++++++++++++++++++++++++++++++++++--------- vl.c |
>> 21 +++++++++++++++-
>> 3 files changed, 77 insertions(+), 14 deletions(-)
>>
>> diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h
>> index 1189fa2..9dc7e52 100644
>> --- a/include/sysemu/seccomp.h
>> +++ b/include/sysemu/seccomp.h
>> @@ -15,8 +15,12 @@
>> #ifndef QEMU_SECCOMP_H
>> #define QEMU_SECCOMP_H
>>
>> +#define WHITELIST 0
>> +#define BLACKLIST 1
>
> Should these #defines be namespaced in some way, e.g. SCMP_LIST_BLACKLIST?
>
>> #include <seccomp.h>
>> #include "qemu/osdep.h"
>>
>> -int seccomp_start(void);
>> +int seccomp_start(int list_type);
>> +
>> #endif
>
>
next prev parent reply other threads:[~2013-10-10 11:34 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-10-09 0:42 [Qemu-devel] [PATCHv3 0/3] seccomp: adding blacklist support with command line Eduardo Otubo
2013-10-09 0:42 ` [Qemu-devel] [PATCHv3 1/3] seccomp: adding blacklist support Eduardo Otubo
2013-10-09 2:05 ` Eric Blake
2013-10-09 13:11 ` Eduardo Otubo
2013-10-09 15:19 ` Corey Bryant
2013-10-09 21:36 ` Paul Moore
2013-10-10 11:33 ` Corey Bryant [this message]
2013-10-09 0:42 ` [Qemu-devel] [PATCHv3 2/3] seccomp: adding command line support for blacklist Eduardo Otubo
2013-10-09 14:40 ` Eduardo Otubo
2013-10-09 0:42 ` [Qemu-devel] [PATCHv3 3/3] seccomp: general fixes Eduardo Otubo
2013-10-09 21:38 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52569096.2050800@linux.vnet.ibm.com \
--to=coreyb@linux.vnet.ibm.com \
--cc=anthony@codemonkey.ws \
--cc=otubo@linux.vnet.ibm.com \
--cc=pmoore@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).