From: Paul Moore <pmoore@redhat.com>
To: Eduardo Otubo <otubo@linux.vnet.ibm.com>
Cc: qemu-devel@nongnu.org, Eric Paris <eparis@redhat.com>
Subject: Re: [Qemu-devel] [RFC] Continuous work on sandboxing
Date: Fri, 26 Apr 2013 17:07:50 -0400 [thread overview]
Message-ID: <7515044.dYPbKXmJQB@sifl> (raw)
In-Reply-To: <517AC9E5.3050204@linux.vnet.ibm.com>
On Friday, April 26, 2013 03:39:33 PM Eduardo Otubo wrote:
> Hello folks,
>
> Resuming the sandboxing work, I'd like to ask for comments on the
> ideias I have:
>
> 1. Reduce whitelist to the optimal subset: Run various tests on Qemu
> with different configurations to reduce to the smallest syscall set
> possible; test and send a patch weekly (this is already being performed
> and a patch is on the way)
Is this hooked into a testing framework? While it is always nice to have
someone verify the correctness, having a simple tool/testsuite what can run
through things on a regular basis is even better.
Also, looking a bit further ahead, it might be interesting to look at removing
some of the arch dependent stuff in qemu-seccomp.c. The latest version of
libseccomp should remove the need for many, if not all, of the arch specific
#ifdefs and the next version of libseccomp will add support for x32 and ARM.
> 2. Introduce a second whitelist - the whitelist should be defined in
> libvirt and passed on to qemu or just pre defined in Qemu? Also remove
> execve() and avoid open() and socket() and its parameters ...
If I'm understanding you correctly, I think what you'll want is a second
*blacklist*. We talked about this previously; we currently have a single
whitelist, and considering how seccomp works, you can really only further
restrict things after you install a whitelist into the kernel (hence the
blacklist).
> 3. Debugging and/or learning mode - third party libraries still have the
> problem of interfering in the Qemu's signal mask. According to some
> previous discussions, perhaps patch all external libraries that mass up
> with this mask (spice, for example) is a way to solve it. But not sure
> if it worth the time spent. Would like to hear you guys.
I think patching all the libraries is a losing battle, I think we need to
pursue alternate debugging techniques.
--
paul moore
security and virtualization @ redhat
next prev parent reply other threads:[~2013-04-26 21:08 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-26 18:39 [Qemu-devel] [RFC] Continuous work on sandboxing Eduardo Otubo
2013-04-26 21:07 ` Paul Moore [this message]
2013-04-26 22:17 ` Paolo Bonzini
2013-04-29 19:57 ` Eduardo Otubo
2013-04-29 21:06 ` Paolo Bonzini
2013-04-29 18:39 ` Eduardo Otubo
2013-04-29 19:24 ` Paul Moore
2013-04-29 22:02 ` Corey Bryant
2013-04-30 18:47 ` Eduardo Otubo
2013-04-30 20:28 ` Corey Bryant
2013-05-01 14:13 ` Paul Moore
2013-05-01 15:30 ` Corey Bryant
2013-04-29 21:52 ` Corey Bryant
2013-04-30 15:24 ` Paul Moore
2013-05-01 17:25 ` Eduardo Otubo
2013-05-01 18:04 ` Corey Bryant
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7515044.dYPbKXmJQB@sifl \
--to=pmoore@redhat.com \
--cc=eparis@redhat.com \
--cc=otubo@linux.vnet.ibm.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).