From: Anthony Liguori <anthony@codemonkey.ws>
To: Eduardo Otubo <otubo@linux.vnet.ibm.com>, qemu-devel@nongnu.org
Cc: pmoore@redhat.com, coreyb@linux.vnet.ibm.com
Subject: Re: [Qemu-devel] [PATCHv3 2/5] seccomp: setting "-sandbox on" as deafult
Date: Tue, 27 Nov 2012 13:01:54 -0600 [thread overview]
Message-ID: <87obii6fa5.fsf@codemonkey.ws> (raw)
In-Reply-To: <1352749698-1219-2-git-send-email-otubo@linux.vnet.ibm.com>
Eduardo Otubo <otubo@linux.vnet.ibm.com> writes:
> Now the seccomp filter will be set to "on" even if no argument
> "-sandbox" is given.
>
> v3: * Introduced seccomp_states enum and new functions named
> seccomp_set_state() and seccomp_get_state()
> (pbonzini@redhat.com).
> * Merged seccomp_start() and install_seccomp_filter(),
> moved install_seccomp_filter() to qemu-seccomp.c,
> and renamed it.
> * Moved CONFIG_SECCOMP pre-processor checks from Makefile.objs
> to qemu-seccomp.c.
> * Replace qerror_report with fprintf(stderr, "..") in main()
> (lcapitulino@redhat.com).
There's no way this can go for 1.3. Can we just do 1/5 to fix the
libvirt problem for 1.3, and leave the rest for 1.4?
Regards,
Anthony Liguori
>
> Note: This support requires libseccomp. If you don't have access
> to libseccomp packages, you can manually build with the following
> steps:
>
> 1) git clone git://git.code.sf.net/p/libseccomp/libseccomp
> 2) cd libseccomp
> 3) ./configure
> 4) make
> 5) make install
> 6) export PKG_CONFIG_PATH="/usr/local/lib/pkgconfig/"
>
> Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
> Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
> ---
> Makefile.objs | 2 --
> configure | 2 +-
> qemu-seccomp.c | 26 ++++++++++++++++++++++++--
> qemu-seccomp.h | 13 +++++++++++--
> vl.c | 31 ++++++++++++++++---------------
> 5 files changed, 52 insertions(+), 22 deletions(-)
>
> diff --git a/Makefile.objs b/Makefile.objs
> index 593a592..682b1e6 100644
> --- a/Makefile.objs
> +++ b/Makefile.objs
> @@ -103,9 +103,7 @@ common-obj-$(CONFIG_SLIRP) += slirp/
>
> ######################################################################
> # libseccomp
> -ifeq ($(CONFIG_SECCOMP),y)
> common-obj-y += qemu-seccomp.o
> -endif
>
> ######################################################################
> # libuser
> diff --git a/configure b/configure
> index 7290f50..d28f8d5 100755
> --- a/configure
> +++ b/configure
> @@ -221,7 +221,7 @@ guest_agent="yes"
> want_tools="yes"
> libiscsi=""
> coroutine=""
> -seccomp=""
> +seccomp="yes"
> glusterfs=""
>
> # parse CC options first
> diff --git a/qemu-seccomp.c b/qemu-seccomp.c
> index b06a2c6..2386996 100644
> --- a/qemu-seccomp.c
> +++ b/qemu-seccomp.c
> @@ -12,10 +12,28 @@
> * Contributions after 2012-01-13 are licensed under the terms of the
> * GNU GPL, version 2 or (at your option) any later version.
> */
> +#include "config-host.h"
> #include <stdio.h>
> -#include <seccomp.h>
> +#include "osdep.h"
> #include "qemu-seccomp.h"
>
> +#ifdef CONFIG_SECCOMP
> +int seccomp_state = SECCOMP_ON;
> +#else
> +int seccomp_state = SECCOMP_OFF;
> +#endif
> +
> +void seccomp_set_state(int state)
> +{
> + seccomp_state = state;
> +}
> +
> +int seccomp_get_state(void)
> +{
> + return seccomp_state;
> +}
> +
> +#ifdef CONFIG_SECCOMP
> struct QemuSeccompSyscall {
> int32_t num;
> uint8_t priority;
> @@ -223,15 +241,18 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
> { SCMP_SYS(prlimit64), 241 },
> { SCMP_SYS(waitid), 241 }
> };
> +#endif
>
> -int seccomp_start(void)
> +int seccomp_install_filter(void)
> {
> int rc = 0;
> +#ifdef CONFIG_SECCOMP
> unsigned int i = 0;
> scmp_filter_ctx ctx;
>
> ctx = seccomp_init(SCMP_ACT_KILL);
> if (ctx == NULL) {
> + rc = -1;
> goto seccomp_return;
> }
>
> @@ -251,5 +272,6 @@ int seccomp_start(void)
>
> seccomp_return:
> seccomp_release(ctx);
> +#endif
> return rc;
> }
> diff --git a/qemu-seccomp.h b/qemu-seccomp.h
> index b2fc3f8..fa26d70 100644
> --- a/qemu-seccomp.h
> +++ b/qemu-seccomp.h
> @@ -15,8 +15,17 @@
> #ifndef QEMU_SECCOMP_H
> #define QEMU_SECCOMP_H
>
> +#ifdef CONFIG_SECCOMP
> #include <seccomp.h>
> -#include "osdep.h"
> +#endif
> +
> +enum seccomp_states {
> + SECCOMP_OFF,
> + SECCOMP_ON
> +};
> +
> +void seccomp_set_state(int);
> +int seccomp_get_state(void);
> +int seccomp_install_filter(void);
>
> -int seccomp_start(void);
> #endif
> diff --git a/vl.c b/vl.c
> index 4f03a72..cb3d85e 100644
> --- a/vl.c
> +++ b/vl.c
> @@ -64,9 +64,7 @@
> #include <linux/parport.h>
> #endif
>
> -#ifdef CONFIG_SECCOMP
> #include "qemu-seccomp.h"
> -#endif
>
> #ifdef __sun__
> #include <sys/stat.h>
> @@ -772,22 +770,17 @@ static int bt_parse(const char *opt)
>
> static int parse_sandbox(QemuOpts *opts, void *opaque)
> {
> - /* FIXME: change this to true for 1.3 */
> - if (qemu_opt_get_bool(opts, "enable", false)) {
> #ifdef CONFIG_SECCOMP
> - if (seccomp_start() < 0) {
> - qerror_report(ERROR_CLASS_GENERIC_ERROR,
> - "failed to install seccomp syscall filter in the kernel");
> - return -1;
> - }
> -#else
> - qerror_report(ERROR_CLASS_GENERIC_ERROR,
> - "sandboxing request but seccomp is not compiled into this build");
> - return -1;
> -#endif
> + /* seccomp sandboxing is on by default */
> + if (!qemu_opt_get_bool(opts, "enable", true)) {
> + seccomp_set_state(SECCOMP_OFF);
> }
> -
> return 0;
> +#else
> + fprintf(stderr, "sandbox option specified but seccomp is not compiled "
> + "into this build\n");
> + return -1;
> +#endif
> }
>
> /*********QEMU USB setting******/
> @@ -3489,6 +3482,14 @@ int main(int argc, char **argv, char **envp)
> exit(1);
> }
>
> + if (seccomp_get_state() == SECCOMP_ON) {
> + if (seccomp_install_filter() < 0) {
> + fprintf(stderr, "failed to install seccomp syscall "
> + "initialization filter\n");
> + exit(1);
> + }
> + }
> +
> #ifndef _WIN32
> if (qemu_opts_foreach(qemu_find_opts("add-fd"), parse_add_fd, NULL, 1)) {
> exit(1);
> --
> 1.7.10.4
next prev parent reply other threads:[~2012-11-27 19:02 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-12 19:48 [Qemu-devel] [PATCHv3 1/5] seccomp: adding new syscalls (bugzilla 855162) Eduardo Otubo
2012-11-12 19:48 ` [Qemu-devel] [PATCHv3 2/5] seccomp: setting "-sandbox on" as deafult Eduardo Otubo
2012-11-21 15:20 ` Andreas Färber
2012-11-27 19:01 ` Anthony Liguori [this message]
2012-11-27 19:07 ` Corey Bryant
2012-11-12 19:48 ` [Qemu-devel] [PATCHv3 3/5] net: Disallow device hotplug that causes execve() Eduardo Otubo
2012-11-12 19:48 ` [Qemu-devel] [PATCHv3 4/5] seccomp: double whitelist support Eduardo Otubo
2012-11-12 19:48 ` [Qemu-devel] [PATCHv3 5/5] seccomp: adding debug mode Eduardo Otubo
2012-11-21 13:20 ` [Qemu-devel] [PATCHv3 1/5] seccomp: adding new syscalls (bugzilla 855162) Eduardo Otubo
2012-11-21 15:24 ` Paul Moore
2012-11-26 16:41 ` Corey Bryant
2012-11-26 17:08 ` Paul Moore
2012-11-26 19:59 ` Corey Bryant
2012-11-26 20:41 ` Paul Moore
2012-11-26 21:48 ` Paul Moore
2012-11-27 16:11 ` Corey Bryant
2012-11-27 16:15 ` Paul Moore
2012-11-21 15:30 ` Andreas Färber
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87obii6fa5.fsf@codemonkey.ws \
--to=anthony@codemonkey.ws \
--cc=coreyb@linux.vnet.ibm.com \
--cc=otubo@linux.vnet.ibm.com \
--cc=pmoore@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).