Message-ID: <52569096.2050800@linux.vnet.ibm.com>
Date: Thu, 10 Oct 2013 07:33:42 -0400
From: Corey Bryant
References: <1381279346-23676-1-git-send-email-otubo@linux.vnet.ibm.com> <1381279346-23676-2-git-send-email-otubo@linux.vnet.ibm.com> <1559837.J1S2UnvGH4@sifl>
In-Reply-To: <1559837.J1S2UnvGH4@sifl>
Subject: Re: [Qemu-devel] [PATCHv3 1/3] seccomp: adding blacklist support
To: Paul Moore
Cc: qemu-devel@nongnu.org, anthony@codemonkey.ws, Eduardo Otubo

On 10/09/2013 05:36 PM, Paul Moore wrote:
> On Tuesday, October 08, 2013 09:42:24 PM Eduardo Otubo wrote:
>> v3: The "-netdev tap" option is checked in the vl.c file during the
>> processing of the command line argument list. It sets tap_enabled to true
>> or false according to the configuration found. Later, at seccomp
>> filter installation, this value is checked to decide whether or not to
>> install this feature.
>
> I like the idea of slowly making the QEMU syscall filter dependent on the
> runtime configuration. With that in mind, I wonder if we should have a more
> general purpose API in include/sysemu/seccomp.h that allows QEMU to indicate
> to the QEMU/seccomp code that a particular feature is enabled.
>
> Maybe something like this:
>
> #define SCMP_FEAT_TAP ...
>
> int seccomp_feature_enable(int feature);

This is a good approach, and then the blacklist can vary based on what
features are enabled.

-- 
Regards,
Corey Bryant

>
> One more comment below.
>
>> Adding a system call blacklist right before the vcpus start. This
>> filter is composed of the system calls that can't be executed after the
>> guests are up. This list should be refined as the whitelist is, with as
>> much testing as we can do using virt-test.
>> >> Signed-off-by: Eduardo Otubo >> --- >> include/sysemu/seccomp.h | 6 ++++- >> qemu-seccomp.c | 64 >> +++++++++++++++++++++++++++++++++++++++--------- vl.c | >> 21 +++++++++++++++- >> 3 files changed, 77 insertions(+), 14 deletions(-) >> >> diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h >> index 1189fa2..9dc7e52 100644 >> --- a/include/sysemu/seccomp.h >> +++ b/include/sysemu/seccomp.h >> @@ -15,8 +15,12 @@ >> #ifndef QEMU_SECCOMP_H >> #define QEMU_SECCOMP_H >> >> +#define WHITELIST 0 >> +#define BLACKLIST 1 > > Should these #defines be namespaced in some way, e.g. SCMP_LIST_BLACKLIST? > >> #include >> #include "qemu/osdep.h" >> >> -int seccomp_start(void); >> +int seccomp_start(int list_type); >> + >> #endif > >
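Review bot: the new list_type parameter on seccomp_start() is a bare int, and nothing in seccomp.h states that only WHITELIST (0) and BLACKLIST (1) are valid, so the header gives callers no contract and the compiler no way to flag a wrong value; an enum (for example a SeccompListType with the two values) or at least a one-line comment above the prototype documenting the accepted values would fix that, and it fits naturally with the SCMP_LIST_* prefixing Paul suggests for the two #defines. Whether qemu-seccomp.c rejects out-of-range values is not visible in this hunk, so that check should be confirmed in the qemu-seccomp.c part of the patch.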