From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([208.118.235.92]:39894) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Set7c-0002EA-Aa for qemu-devel@nongnu.org; Wed, 13 Jun 2012 15:20:53 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Set7Y-0007hs-RI for qemu-devel@nongnu.org; Wed, 13 Jun 2012 15:20:51 -0400 Received: from e24smtp05.br.ibm.com ([32.104.18.26]:46035) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Set7X-0007gd-Fn for qemu-devel@nongnu.org; Wed, 13 Jun 2012 15:20:48 -0400 Received: from /spool/local by e24smtp05.br.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 13 Jun 2012 16:20:41 -0300 Received: from d24relay01.br.ibm.com (d24relay01.br.ibm.com [9.8.31.16]) by d24dlp02.br.ibm.com (Postfix) with ESMTP id F3DC81DC0057 for ; Wed, 13 Jun 2012 15:20:38 -0400 (EDT) Received: from d24av01.br.ibm.com (d24av01.br.ibm.com [9.8.31.91]) by d24relay01.br.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id q5DJI43e2154594 for ; Wed, 13 Jun 2012 16:18:05 -0300 Received: from d24av01.br.ibm.com (loopback [127.0.0.1]) by d24av01.br.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id q5DHKVmg005116 for ; Wed, 13 Jun 2012 14:20:31 -0300 From: Eduardo Otubo Date: Wed, 13 Jun 2012 16:20:20 -0300 Message-Id: Subject: [Qemu-devel] [RFC] [PATCHv2 0/2] Sandboxing Qemu guests with Libseccomp List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: Eduardo Otubo Hello all, This is the second effort to sandbox Qemu guests using Libseccomp[0]. The patches that follows are pretty simple and straightforward. I added the correct options and checks to the configure script and the basic calls to libseccomp in the main loop at vl.c. Details of each one are in the emails of the patch set. v2: The code now is separated in the files qemu-seccomp.c and qemu-seccomp.h for a cleaner implementation. This support limits the system call footprint of the entire QEMU process to a limited set of syscalls, those that we know QEMU uses. The idea is to limit the allowable syscalls, therefore limiting the impact that an attacked guest could have on the host system. It's important to note that the libseccomp itself needs the seccomp mode 2 feature in the kernel, which is pretty close to get to the mainline since it's already been accepted to the linux-next branch[1]. v2: I also tested with the 3.5-rc1 kernel, which is the one with seccomp mode 2 support. Everything went fine. As always, comments are more than welcome. Regards, [0] - http://sourceforge.net/projects/libseccomp/ [1] - http://git.kernel.org/?p=linux/kernel/git/next/linux-next.git;a=commit;h=e2cfabdfd075648216f99c2c03821cf3f47c1727 Eduardo Otubo (2): Adding support for libseccomp in configure Adding basic calls to libseccomp in vl.c configure | 25 +++++++++++++++++++ qemu-seccomp.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ qemu-seccomp.h | 9 +++++++ vl.c | 7 ++++++ 4 files changed, 114 insertions(+) create mode 100644 qemu-seccomp.c create mode 100644 qemu-seccomp.h -- 1.7.9.5