From: "Namsun Ch'o"
Date: Mon, 5 Oct 2015 18:58:12 -0400
Subject: Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the seccomp sandbox
To: armbru@redhat.com
Cc: qemu-devel@nongnu.org, eduardo.otubo@profitbricks.com

> Drawback: complexity. If we decide to limit ourselves to the original
> threat model (rogue guest), and enter the sandbox only after setup, we
> can keep things simpler.

We could do both without much complexity. This looks simple enough to me:

    /* SCMP_A0 compares the raw arg0 register (scmp_datum_t, a uint64_t),
     * i.e. the pointer value, so the string pointers need a cast. */
    rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chroot), 1,
                          SCMP_A0(SCMP_CMP_EQ, (scmp_datum_t)(uintptr_t)chroot_dir));
    if (rc < 0)
        goto seccomp_return;

    rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chdir), 1,
                          SCMP_A0(SCMP_CMP_EQ, (scmp_datum_t)(uintptr_t)"/"));
    if (rc < 0)
        goto seccomp_return;

The only time chroot_dir is ever used is in os-posix.c:139:

    if (chroot(chroot_dir) < 0) {
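The rules above rely on seccomp argument comparison, and it is worth seeing what that comparison actually is. seccomp-BPF cannot dereference user memory: SCMP_A0(SCMP_CMP_EQ, chroot_dir) compiles to a check that the 64-bit register holding chroot's first argument equals the address of chroot_dir, not that the pathname matches. The following is an added example, not code from the message author or from QEMU. It builds the same filter by hand as raw cBPF, evaluates it in user space on constructed seccomp_data records so the decision can be inspected without installing anything, and shows the real installation call. The path "/srv/jail" and all function names are assumptions made for the demonstration; the arch check is limited to x86_64 and aarch64.

```c
/* Added example (not the message author's or QEMU's code).  A rule such as
 *   seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chroot), 1,
 *                    SCMP_A0(SCMP_CMP_EQ, chroot_dir));
 * compiles to cBPF that compares arg0 with the address of chroot_dir; the
 * filter never sees the string.  Built by hand here and evaluated in user
 * space; install_chroot_filter() is the real installation path. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#if __BYTE_ORDER__ != __ORDER_LITTLE_ENDIAN__
#error "ARG0_LO/ARG0_HI below assume a little-endian seccomp_data"
#endif
/* args[] are 64-bit but cBPF loads 32-bit words: compare the two halves. */
#define ARG0_LO (offsetof(struct seccomp_data, args) + 0)
#define ARG0_HI (offsetof(struct seccomp_data, args) + 4)
#define RET_EPERM (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))
#define FILTER_MAX 16

/* chroot(2) is allowed only when arg0 == allowed_ptr, otherwise it fails with
 * EPERM.  Every other syscall passes so the filter can be installed in a
 * normal process; a real sandbox allow-lists those too. */
size_t build_chroot_filter(struct sock_filter *prog, uint64_t allowed_ptr)
{
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),        /* foreign ABI */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_chroot, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),       /* not chroot */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG0_LO),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)allowed_ptr, 0, 2),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG0_HI),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)(allowed_ptr >> 32), 1, 0),
        BPF_STMT(BPF_RET | BPF_K, RET_EPERM),               /* other pointer */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    memcpy(prog, f, sizeof f);
    return sizeof f / sizeof f[0];
}

/* Evaluates the cBPF subset used above (absolute 32-bit load, JEQ with an
 * immediate, RET with an immediate) the way the kernel would, on one
 * seccomp_data record describing a single syscall. */
uint32_t run_filter(const struct sock_filter *prog, size_t len,
                    const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&acc, (const unsigned char *)sd + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:   /* jt/jf are relative to the next insn */
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            abort();   /* opcode not produced by build_chroot_filter */
        }
    }
    abort();   /* the kernel refuses programs that can run off the end */
}

/* 1 if the filter built for allowed_dir lets chroot(path) reach the kernel,
 * 0 if the call would fail with EPERM.  Only the addresses matter. */
int chroot_allowed(const char *allowed_dir, const char *path)
{
    struct sock_filter prog[FILTER_MAX];
    size_t n = build_chroot_filter(prog, (uint64_t)(uintptr_t)allowed_dir);
    struct seccomp_data sd;
    memset(&sd, 0, sizeof sd);
    sd.nr = __NR_chroot;
    sd.arch = ARCH_NR;
    sd.args[0] = (uint64_t)(uintptr_t)path;   /* constructed syscall record */
    return run_filter(prog, n, &sd) == SECCOMP_RET_ALLOW;
}

/* Real installation: no_new_privs first, then the filter.  Not called by the
 * checks above; it changes the calling process for good. */
int install_chroot_filter(const char *allowed_dir)
{
    struct sock_filter prog[FILTER_MAX];
    struct sock_fprog fp;
    fp.len = (unsigned short)build_chroot_filter(prog, (uint64_t)(uintptr_t)allowed_dir);
    fp.filter = prog;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp);
}
```

Run chroot_allowed(chroot_dir, chroot_dir) and it reports allowed; run it with a second buffer holding the identical bytes "/srv/jail" and it reports EPERM, because the two strings live at different addresses. That is the property the proposed rules depend on: they hold only if the sandboxed call site passes the very same pointer the rule was built from. For chroot_dir that is true, since os-posix.c passes that variable. For the chdir rule, the "/" literal in the rule and the "/" literal at the chdir call site are separate objects unless the toolchain happens to merge identical string constants, which nothing guarantees, so that rule needs either the same pointer at both sites or an unconditional chdir allow.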