From: Eduardo Otubo <otubo@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Cc: Eduardo Otubo <otubo@linux.vnet.ibm.com>
Subject: [Qemu-devel] [PATCH 0/2] Sandboxing Qemu guests with Libseccomp
Date: Thu, 21 Jun 2012 19:10:36 -0300 [thread overview]
Message-ID: <cover.1340315275.git.otubo@linux.vnet.ibm.com> (raw)
Hello all,
This is the third effort to sandbox Qemu guests using Libseccomp[0]. The
patches that follows are pretty simple and straightforward. I added the correct
options and checks to the configure script and the basic calls to libseccomp in
the main loop at vl.c. Details of each one are in the emails of the patch set.
v2: The code now is separated in the files qemu-seccomp.c and qemu-seccomp.h
for a cleaner implementation.
This support limits the system call footprint of the entire QEMU process to a
limited set of syscalls, those that we know QEMU uses. The idea is to limit
the allowable syscalls, therefore limiting the impact that an attacked guest
could have on the host system.
It's important to note that the libseccomp itself needs the seccomp mode 2
feature in the kernel, which is pretty close to get to the mainline since it's
already been accepted to the linux-next branch[1].
v2: I also tested with the 3.5-rc1 kernel, which is the one with seccomp mode 2
support. Everything went fine.
v3: As we discussed in previous emails in this very mailing list, this feature
is not supposed to replace existing security feature, but add another layer to
the whole. The whitelist should contain all the syscalls QEMU needs, so its
execution won't be affected, just safer. And as stated by Will Drewry's commit
message[1]: "Filter programs will be inherited across fork/clone and execve.",
the same white list should be passed along from the father process to the
child, then execve() shouldn't be a problem.
As always, comments are more than welcome.
Regards,
[0] - Now you don't need to git clone anymore, you can download the first
release - http://sourceforge.net/projects/libseccomp/
[1] - http://git.kernel.org/?p=linux/kernel/git/next/linux-next.git;a=commit;h=e2cfabdfd075648216f99c2c03821cf3f47c1727
Eduardo Otubo (2):
Adding support for libseccomp in configure and Makefile
Creating qemu-seccomp.[ch] and adding call to vl.c
Makefile.objs | 4 +++
configure | 23 +++++++++++++++
qemu-seccomp.c | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
qemu-seccomp.h | 23 +++++++++++++++
vl.c | 11 +++++++
5 files changed, 149 insertions(+)
create mode 100644 qemu-seccomp.c
create mode 100644 qemu-seccomp.h
--
1.7.9.5
next reply other threads:[~2012-06-21 22:11 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-06-21 22:10 Eduardo Otubo [this message]
2012-06-21 22:10 ` [Qemu-devel] [PATCH 1/2] Adding support for libseccomp in configure and Makefile Eduardo Otubo
2012-06-21 22:10 ` [Qemu-devel] [PATCH 2/2] Creating qemu-seccomp.[ch] and adding call to vl.c Eduardo Otubo
2012-06-22 8:29 ` Stefan Hajnoczi
2012-06-24 6:08 ` Blue Swirl
2012-06-22 12:17 ` [Qemu-devel] [PATCH 0/2] Sandboxing Qemu guests with Libseccomp Eduardo Otubo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cover.1340315275.git.otubo@linux.vnet.ibm.com \
--to=otubo@linux.vnet.ibm.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).