qemu-devel.nongnu.org archive mirror
From: "Namsun Ch'o" <namnamc@Safe-mail.net>
To: pmoore@redhat.com
Cc: qemu-devel@nongnu.org, eduardo.otubo@profitbricks.com
Subject: Re: [Qemu-devel] [PATCH v2] Add argument filters to the seccomp sandbox
Date: Sat, 26 Sep 2015 01:06:57 -0400
Message-ID: <N1-oHzcQw7dPv@Safe-mail.net>

> I've suggested this in the past but to my knowledge no one has done any work in
> this direction, including myself. Despite the lack of progress, I still
> think this is a very worthwhile idea.

Which is exactly why I think a configuration file would be the best option
instead of --enable-syscalls=foo,bar,baz. It would allow someone to easily
customize their policy without needing to create a patch, or wait on QEMU
developers to do work on it. The configuration file could be as simple as:

    shmctl arg0 eq IPC_PRIVATE and arg2 eq IPC_CREAT|0777 or IPC_CREAT|0600
    close  arg0 le 13 and arg0 ge 4
    ioctl  arg1 ne EVIL_IOCTL or ANOTHER_EVIL_ONE or MORE_EVIL_IOCTLS

Or something like:

    [shmctl]
    A0 EQ "IPC_PRIVATE"
    A2 EQ "IPC_CREAT|0777", "IPC_CREAT|0600"

    [close]
    A0 LE 13
    A0 GE 4

    [ioctl]
    A1 NE "EVIL_IOCTL", "ANOTHER_EVIL_ONE", "MORE_EVIL_IOCTLS"

And that would be the equivalent of hardcoding the following in the sandbox
file. Honestly, I think that the worry that admins will shoot themselves in
the foot is unfounded. Unless they know at least basic strace, QEMU will
simply get killed. That is of course if it is made such that it can only be
used to increase the strictness of already existing filtered syscalls, not
reduce the security by adding new syscalls to the argument-less whitelist.

    /* The count before the comparisons must equal the number of SCMP_An()
     * entries that follow; comparisons within one rule are ANDed, separate
     * rules for the same syscall are ORed. */
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmctl), 2,
        SCMP_A0(SCMP_CMP_EQ, IPC_PRIVATE),
        SCMP_A2(SCMP_CMP_EQ, IPC_CREAT|0777));

    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmctl), 2,
        SCMP_A0(SCMP_CMP_EQ, IPC_PRIVATE),
        SCMP_A2(SCMP_CMP_EQ, IPC_CREAT|0600));

    /* libseccomp accepts only one comparison per argument in a single rule
     * (a second SCMP_A0 makes seccomp_rule_add() fail with -EINVAL), so the
     * range "arg0 le 13 and arg0 ge 4" becomes one EQ rule per allowed fd. */
    for (int fd = 4; fd <= 13; fd++)
        seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 1,
            SCMP_A0(SCMP_CMP_EQ, fd));

    /* EVIL_IOCTL and friends are placeholder names. The same one-comparison-
     * per-argument limit applies here, so three SCMP_A1 checks cannot share
     * one rule as written; the count is corrected to 3 to show the intended
     * "not equal to any of these" semantics. */
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 3,
        SCMP_A1(SCMP_CMP_NE, EVIL_IOCTL),
        SCMP_A1(SCMP_CMP_NE, ANOTHER_EVIL_ONE),
        SCMP_A1(SCMP_CMP_NE, MORE_EVIL_IOCTLS));

I think the best part of that would be that it would be much easier for the
common VM setups to have pre-made policies, so users could include
"filesystem_access.scmp" and "remote_vnc.scmp" and "usermode_network.scmp"
inside /etc/qemu/seccomp.d for a system where they will be using QEMU with
usermode networking, remote VNC, and mounting a shared directory. That would
be significantly easier to distribute and update than it would be to create
new hardcoded code in qemu-seccomp.c.

If I find time to make a patch which would do this, would it be likely
accepted or is there a policy against such a thing?
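As an added illustration (not code from this message or from QEMU), a small Python parser for the second configuration format proposed above, enforcing the rule that a policy file may only tighten syscalls already on the whitelist, plus a simulator for the resulting argument checks. The base whitelist, the symbol values and the EVIL_* numbers are constructed stand-ins; the policy text itself is the one from the message.

```python
import operator, re
# Constructed stand-ins: the syscalls the built-in sandbox already allows (the
# real list lives in qemu-seccomp.c) and invented numbers for the EVIL_* names.
BASE_WHITELIST = {"shmctl", "close", "ioctl", "read", "write"}
SYMBOLS = {"IPC_PRIVATE": 0, "IPC_CREAT": 0o1000, "EVIL_IOCTL": 0x1234,
           "ANOTHER_EVIL_ONE": 0x1235, "MORE_EVIL_IOCTLS": 0x1236}
OPS = {"EQ": operator.eq, "NE": operator.ne, "LT": operator.lt,
       "LE": operator.le, "GT": operator.gt, "GE": operator.ge}
EXAMPLE_POLICY = """[shmctl]
A0 EQ "IPC_PRIVATE"
A2 EQ "IPC_CREAT|0777", "IPC_CREAT|0600"
[close]
A0 LE 13
A0 GE 4
[ioctl]
A1 NE "EVIL_IOCTL", "ANOTHER_EVIL_ONE", "MORE_EVIL_IOCTLS"
"""

def resolve(expr):
    """'IPC_CREAT|0777' -> int, reading bare numbers the C way (leading 0 is octal)."""
    total = 0
    for tok in (t.strip() for t in expr.split("|")):
        total |= SYMBOLS[tok] if tok in SYMBOLS else int(tok, 8 if re.fullmatch(r"0[0-7]+", tok) else 0)
    return total

def parse_policy(text):
    """Parse [syscall] sections of 'An OP v1, v2' lines into {syscall: [(argno, op, values)]}.
    A section for a syscall outside the base whitelist is refused, so a file can only tighten."""
    policy, current = {}, None
    for line in filter(None, (l.split("#", 1)[0].strip() for l in text.splitlines())):
        if sec := re.fullmatch(r"\[(\w+)\]", line):
            current = sec.group(1)
            if current not in BASE_WHITELIST:
                raise ValueError(f"{current}: not in the argument-less whitelist, refusing")
            policy[current] = []
        elif (m := re.fullmatch(r"A([0-5])\s+(EQ|NE|LT|LE|GT|GE)\s+(.+)", line)) and current:
            values = [resolve(v.strip().strip('"')) for v in m.group(3).split(",")]
            policy[current].append((int(m.group(1)), m.group(2), values))
        else:
            raise ValueError(f"cannot parse policy line: {line!r}")
    return policy

def allowed(policy, syscall, args):
    """Simulate the filter: every line of a section must hold (one ANDed rule); a value
    list means 'any of them' (separate ORed rules), except NE, which means 'none of them'."""
    def line_ok(argno, op, values):
        hits = [OPS[op](args[argno], v) for v in values]
        return all(hits) if op == "NE" else any(hits)
    return syscall in BASE_WHITELIST and all(line_ok(*l) for l in policy.get(syscall, []))
```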
