From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([208.118.235.92]:46574) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ShpbO-0006NJ-OX for qemu-devel@nongnu.org; Thu, 21 Jun 2012 18:11:48 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ShpbM-0003ry-Oc for qemu-devel@nongnu.org; Thu, 21 Jun 2012 18:11:46 -0400 Received: from e24smtp02.br.ibm.com ([32.104.18.86]:42096) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ShpbM-0003rH-Cm for qemu-devel@nongnu.org; Thu, 21 Jun 2012 18:11:44 -0400 Received: from /spool/local by e24smtp02.br.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 21 Jun 2012 19:11:39 -0300 Received: from d24relay03.br.ibm.com (d24relay03.br.ibm.com [9.13.184.25]) by d24dlp02.br.ibm.com (Postfix) with ESMTP id 9D8211DC004E for ; Thu, 21 Jun 2012 18:11:24 -0400 (EDT) Received: from d24av04.br.ibm.com (d24av04.br.ibm.com [9.8.31.97]) by d24relay03.br.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id q5LMAlhF22413382 for ; Thu, 21 Jun 2012 19:10:47 -0300 Received: from d24av04.br.ibm.com (loopback [127.0.0.1]) by d24av04.br.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id q5LKBCGT004752 for ; Thu, 21 Jun 2012 17:11:12 -0300 From: Eduardo Otubo Date: Thu, 21 Jun 2012 19:10:36 -0300 Message-Id: Subject: [Qemu-devel] [PATCH 0/2] Sandboxing Qemu guests with Libseccomp List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: Eduardo Otubo Hello all, This is the third effort to sandbox Qemu guests using Libseccomp[0]. The patches that follows are pretty simple and straightforward. I added the correct options and checks to the configure script and the basic calls to libseccomp in the main loop at vl.c. Details of each one are in the emails of the patch set. v2: The code now is separated in the files qemu-seccomp.c and qemu-seccomp.h for a cleaner implementation. This support limits the system call footprint of the entire QEMU process to a limited set of syscalls, those that we know QEMU uses. The idea is to limit the allowable syscalls, therefore limiting the impact that an attacked guest could have on the host system. It's important to note that the libseccomp itself needs the seccomp mode 2 feature in the kernel, which is pretty close to get to the mainline since it's already been accepted to the linux-next branch[1]. v2: I also tested with the 3.5-rc1 kernel, which is the one with seccomp mode 2 support. Everything went fine. v3: As we discussed in previous emails in this very mailing list, this feature is not supposed to replace existing security feature, but add another layer to the whole. The whitelist should contain all the syscalls QEMU needs, so its execution won't be affected, just safer. And as stated by Will Drewry's commit message[1]: "Filter programs will be inherited across fork/clone and execve.", the same white list should be passed along from the father process to the child, then execve() shouldn't be a problem. As always, comments are more than welcome. Regards, [0] - Now you don't need to git clone anymore, you can download the first release - http://sourceforge.net/projects/libseccomp/ [1] - http://git.kernel.org/?p=linux/kernel/git/next/linux-next.git;a=commit;h=e2cfabdfd075648216f99c2c03821cf3f47c1727 Eduardo Otubo (2): Adding support for libseccomp in configure and Makefile Creating qemu-seccomp.[ch] and adding call to vl.c Makefile.objs | 4 +++ configure | 23 +++++++++++++++ qemu-seccomp.c | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ qemu-seccomp.h | 23 +++++++++++++++ vl.c | 11 +++++++ 5 files changed, 149 insertions(+) create mode 100644 qemu-seccomp.c create mode 100644 qemu-seccomp.h -- 1.7.9.5