From: Thomas Huth <thuth@redhat.com>
To: Eduardo Otubo <otubo@redhat.com>, qemu-devel@nongnu.org
Cc: berrange@redhat.com, pbonzini@redhat.com
Subject: Re: [Qemu-devel] [PATCH v3 6/6] seccomp: adding documentation to new seccomp model
Date: Thu, 3 Aug 2017 19:14:02 +0200 [thread overview]
Message-ID: <6ec4e5e8-0eb2-b29e-0b4b-87029af835ab@redhat.com> (raw)
In-Reply-To: <20170728121040.631-7-otubo@redhat.com>
On 28.07.2017 14:10, Eduardo Otubo wrote:
> Adding new documention under docs/ to describe every one and each new
s/documention/documentation/
> option added by the seccomp refactoring patchset.
>
> Signed-off-by: Eduardo Otubo <otubo@redhat.com>
> ---
> docs/seccomp.txt | 31 +++++++++++++++++++++++++++++++
> 1 file changed, 31 insertions(+)
> create mode 100644 docs/seccomp.txt
>
> diff --git a/docs/seccomp.txt b/docs/seccomp.txt
> new file mode 100644
> index 0000000000..4b7edba312
> --- /dev/null
> +++ b/docs/seccomp.txt
> @@ -0,0 +1,31 @@
> +QEMU Seccomp system call filter
> +===============================
> +
> +Starting from Qemu version 2.10, the seccomp filter does not work as a
s/Qemu/QEMU/
s/2.10/2.11/
> +whitelist but as a blacklist instead. This method allows safer deploys since
> +only the strictly forbidden system calls will be black-listed and the
> +possibility of breaking any workload is close to zero.
> +
> +The default option (-sandbox on) has a slightly looser security though and the
> +reason is that it shouldn't break any backwards compatibility with previous
> +deploys and command lines already running. But if the intent is to have a
> +better security from this version on, one should make use of the following
> +additional options properly:
> +
> +* [,obsolete=allow]: It allows Qemu to run safely on old system that still
> + relies on old system calls.
> +
> +* [,elevateprivileges=deny|allow|children]: It allows or denies Qemu process
> + to elevate its privileges by blacklisting all set*uid|gid system calls. The
> + 'children' option sets the PR_SET_NO_NEW_PRIVS to 1 which allows helpers
> + (forls and execs) to run unprivileged.
s/forls/forks/
> +* [,spawn=deny]: It blacklists fork and execve syste calls, avoiding Qemu to
> + spawn new threads or processes.
> +
> +* [,resourcecontrol=deny]: It blacklists all process affinity and scheduler
> + priority system calls to avoid any bigger of the process.
"to avoid any bigger" sounds strange to me. Maybe rather something like:
"to avoid that the process can increase its amount of allowed resource
consumption" or something similar?
Thomas
prev parent reply other threads:[~2017-08-03 17:14 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-28 12:10 [Qemu-devel] [PATCH v3 0/6] seccomp: feature refactoring Eduardo Otubo
2017-07-28 12:10 ` [Qemu-devel] [PATCH v3 1/6] seccomp: changing from whitelist to blacklist Eduardo Otubo
2017-08-02 12:25 ` Daniel P. Berrange
2017-08-03 16:54 ` Thomas Huth
2017-08-11 9:51 ` Eduardo Otubo
2017-08-11 10:10 ` Daniel P. Berrange
2017-07-28 12:10 ` [Qemu-devel] [PATCH v3 2/6] seccomp: add obsolete argument to command line Eduardo Otubo
2017-08-02 12:33 ` Daniel P. Berrange
2017-08-02 12:38 ` Daniel P. Berrange
2017-08-11 9:12 ` Eduardo Otubo
2017-08-11 9:25 ` Daniel P. Berrange
2017-08-11 9:49 ` Eduardo Otubo
2017-07-28 12:10 ` [Qemu-devel] [PATCH v3 3/6] seccomp: add elevateprivileges " Eduardo Otubo
2017-08-02 12:37 ` Daniel P. Berrange
2017-08-03 16:59 ` Thomas Huth
2017-07-28 12:10 ` [Qemu-devel] [PATCH v3 4/6] seccomp: add spawn " Eduardo Otubo
2017-07-28 12:10 ` [Qemu-devel] [PATCH v3 5/6] seccomp: add resourcecontrol " Eduardo Otubo
2017-07-28 12:10 ` [Qemu-devel] [PATCH v3 6/6] seccomp: adding documentation to new seccomp model Eduardo Otubo
2017-08-02 12:39 ` Daniel P. Berrange
2017-08-03 17:14 ` Thomas Huth [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6ec4e5e8-0eb2-b29e-0b4b-87029af835ab@redhat.com \
--to=thuth@redhat.com \
--cc=berrange@redhat.com \
--cc=otubo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).