From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:42676)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <otubo@linux.vnet.ibm.com>) id 1Vq501-0006ES-MM
	for qemu-devel@nongnu.org; Mon, 09 Dec 2013 12:52:14 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <otubo@linux.vnet.ibm.com>) id 1Vq4zs-0008Rz-PS
	for qemu-devel@nongnu.org; Mon, 09 Dec 2013 12:52:05 -0500
Received: from e24smtp03.br.ibm.com ([32.104.18.24]:49778)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <otubo@linux.vnet.ibm.com>) id 1Vq4zs-0008Rq-Da
	for qemu-devel@nongnu.org; Mon, 09 Dec 2013 12:51:56 -0500
Received: from /spool/local
	by e24smtp03.br.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use
	Only! Violators will be prosecuted
	for <qemu-devel@nongnu.org> from <otubo@linux.vnet.ibm.com>;
	Mon, 9 Dec 2013 15:51:49 -0200
Received: from d24relay03.br.ibm.com (d24relay03.br.ibm.com [9.13.184.25])
	by d24dlp01.br.ibm.com (Postfix) with ESMTP id 9AD1E3520078
	for <qemu-devel@nongnu.org>; Mon,  9 Dec 2013 12:51:37 -0500 (EST)
Received: from d24av04.br.ibm.com (d24av04.br.ibm.com [9.8.31.97])
	by d24relay03.br.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id
	rB9HpKwc35258478
	for <qemu-devel@nongnu.org>; Mon, 9 Dec 2013 15:51:20 -0200
Received: from d24av04.br.ibm.com (localhost [127.0.0.1])
	by d24av04.br.ibm.com (8.14.4/8.14.4/NCO v10.0 AVout) with ESMTP id
	rB9HpbUe005282
	for <qemu-devel@nongnu.org>; Mon, 9 Dec 2013 15:51:37 -0200
Message-ID: <52A60328.6020102@linux.vnet.ibm.com>
Date: Mon, 09 Dec 2013 15:51:36 -0200
From: Eduardo Otubo <otubo@linux.vnet.ibm.com>
MIME-Version: 1.0
References: <1386609652-7876-1-git-send-email-otubo@linux.vnet.ibm.com>
	<20131209173330.GG22114@redhat.com>
In-Reply-To: <20131209173330.GG22114@redhat.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH] seccomp: "-sandbox on" won't kill Qemu
 when option not built in
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: pmoore@redhat.com, lmr@redhat.com, qemu-devel@nongnu.org, anthony@codemonkey.ws



On 12/09/2013 03:33 PM, Daniel P. Berrange wrote:
> On Mon, Dec 09, 2013 at 03:20:52PM -0200, Eduardo Otubo wrote:
>> This option was requested by virt-test team so they can run tests with
>> Qemu and "-sandbox on" set without breaking whole test if host doesn't
>> have support for seccomp in kernel. It covers two possibilities:
>>
>>   1) Host kernel support does not support seccomp, but user installed Qemu
>>      package with sandbox support: Libseccomp will fail -> qemu will fail
>>      nicely and won't stop execution.
>>
>>   2) Host kernel has support but Qemu package wasn't built with sandbox
>>      feature. Qemu will fail nicely and won't stop execution.
>>
>> Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
>> ---
>>   vl.c | 10 +++-------
>>   1 file changed, 3 insertions(+), 7 deletions(-)
>>
>> diff --git a/vl.c b/vl.c
>> index b0399de..a0806dc 100644
>> --- a/vl.c
>> +++ b/vl.c
>> @@ -967,13 +967,11 @@ static int parse_sandbox(QemuOpts *opts, void *opaque)
>>   #ifdef CONFIG_SECCOMP
>>           if (seccomp_start() < 0) {
>>               qerror_report(ERROR_CLASS_GENERIC_ERROR,
>> -                          "failed to install seccomp syscall filter in the kernel");
>> -            return -1;
>> +                          "failed to install seccomp syscall filter in the kernel, disabling it");
>>           }
>>   #else
>>           qerror_report(ERROR_CLASS_GENERIC_ERROR,
>> -                      "sandboxing request but seccomp is not compiled into this build");
>> -        return -1;
>> +                      "sandboxing request but seccomp is not compiled into this build, disabling it");
>>   #endif
>>       }
>>
>> @@ -3808,9 +3806,7 @@ int main(int argc, char **argv, char **envp)
>>           exit(1);
>>       }
>>
>> -    if (qemu_opts_foreach(qemu_find_opts("sandbox"), parse_sandbox, NULL, 0)) {
>> -        exit(1);
>> -    }
>> +    qemu_opts_foreach(qemu_find_opts("sandbox"), parse_sandbox, NULL, 0);
>>
>>   #ifndef _WIN32
>>       if (qemu_opts_foreach(qemu_find_opts("add-fd"), parse_add_fd, NULL, 1)) {
>
> This change is really dubious from a security POV. If the admin requested
> sandboxing and the host or QEMU build cannot support it, then QEMU really
> *must* exit.

I think an admin must know what he's doing. If he requested sandbox but 
without kernel support he need to step back a little and understand what 
he's doing. This patch won't decrease the security level, IMHO.

>
> IMHO the test suite should probe to see if sandbox is working or not, and
> just not use the "-sandbox on" arg if the host doesn't support it.

But I think this could be done on virt-test as well :)

-- 
Eduardo Otubo
IBM Linux Technology Center