Re: [Qemu-devel] [PATCH for-1.7] seccomp: setting "-sandbox on" by default

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: Paul Moore <pmoore@redhat.com>
To: Stefan Hajnoczi <stefanha@gmail.com>
Cc: coreyb@linux.vnet.ibm.com, qemu-devel <qemu-devel@nongnu.org>,
	Anthony Liguori <anthony@codemonkey.ws>,
	Eduardo Otubo <otubo@linux.vnet.ibm.com>
Subject: Re: [Qemu-devel] [PATCH for-1.7] seccomp: setting "-sandbox on" by default
Date: Fri, 22 Nov 2013 09:38:50 -0500	[thread overview]
Message-ID: <6388825.6pMDJVlAMn@sifl> (raw)
In-Reply-To: <20131122103441.GA24388@stefanha-thinkpad.redhat.com>

On Friday, November 22, 2013 11:34:41 AM Stefan Hajnoczi wrote:
> IMO this seccomp approach is doomed since QEMU does not practice
> privilege separation.  QEMU is monolithic so it's really hard to create
> a meaningful sets of system calls.

I'm a big fan of decomposing QEMU, but based on previous discussions there 
seems to be a lot of fear from the core QEMU folks around decomposition; 
enough that I'm not sure it is worth the time and effort at this point to 
pursue it.  While I agree that a decomposed QEMU would be able to make better 
use of syscall filtering (and LSM/SELinux protection, and ...) I don't believe 
it means syscall filtering is a complete lost cause with a monolithic QEMU.  
Any improvement you can make, no matter how small, is still and improvement.

> To avoid breaking stuff you need to be too liberal, defeating the purpose of
> seccomp.

Even if you can only disable a few syscalls you are still better off than you 
were before.  Could it be done better, of course it could, but it doesn't mean 
you shouldn't try for some benefit.

> For each QEMU command-line there may be a different set of syscalls that
> should be allowed/forbidden.

I'm not sure if you missed it or not, but I had an email exchange with Eduardo 
on this list about making the syscall whitelist a bit more "intelligent" and 
dependent on what functionality was enabled for a given QEMU instance.  This 
should help a bit with the problems you are describing.

> The existing approach clearly doesn't support the full range of options
> that users specify on the command-line.

Bugs.  It will get fixed in time with more testing/debugging.  Eduardo is 
working on improving the testing and RH's QA folks are working hard to shake 
out the bugs too.  I just posted another bug fix patch to the whitelist a few 
days ago.

> So I guess the options are:
> 
> 1. Don't make it the default since it breaks stuff but use it for very
> specific scenarios (e.g. libvirt use cases that have been well tested).

In my opinion, I think it was probably a bit premature to make enable it by 
default, but at some point in the future I think we do need to do this.

> 2. Provide a kind of syscall set for various QEMU options and apply the
> union of them at launch.  This still seems fragile but in theory it
> could work.

This is what I was discussing above.  I think this is likely the next big 
improvement.

-- 
paul moore
security and virtualization @ redhat

next prev parent reply	other threads:[~2013-11-22 14:39 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-10-22 11:21 [Qemu-devel] [PATCH for-1.7] seccomp: setting "-sandbox on" by default Eduardo Otubo
2013-10-22 13:00 ` Anthony Liguori
2013-10-23 14:42   ` Eduardo Otubo
2013-10-30 10:04     ` Stefan Hajnoczi
2013-11-21 15:14       ` Paolo Bonzini
2013-11-21 15:48         ` Paul Moore
2013-11-21 16:22           ` Eduardo Otubo
2013-11-22 10:39           ` Stefan Hajnoczi
2013-11-22 14:44             ` Paul Moore
2013-11-22 15:48               ` Stefan Hajnoczi
2013-11-22 16:00                 ` Paul Moore
2013-12-04  9:39                   ` Stefan Hajnoczi
2013-12-04 13:21                     ` Eduardo Otubo
2013-12-04 14:46                       ` Corey Bryant
2013-12-05 13:15                       ` Stefan Hajnoczi
2013-12-05 16:12                         ` Will Drewry
2013-12-06  9:13                           ` Stefan Hajnoczi
2013-12-06 15:40                             ` Will Drewry
2013-12-07  8:13                               ` Stefan Hajnoczi
2013-11-22 10:34       ` Stefan Hajnoczi
2013-11-22 14:38         ` Paul Moore [this message]
2013-12-04 13:17           ` Eduardo Otubo

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=6388825.6pMDJVlAMn@sifl \
    --to=pmoore@redhat.com \
    --cc=anthony@codemonkey.ws \
    --cc=coreyb@linux.vnet.ibm.com \
    --cc=otubo@linux.vnet.ibm.com \
    --cc=qemu-devel@nongnu.org \
    --cc=stefanha@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).