From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:52241)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <otubo@linux.vnet.ibm.com>) id 1Swf0k-0001Os-Bv
	for qemu-devel@nongnu.org; Wed, 01 Aug 2012 15:55:15 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <otubo@linux.vnet.ibm.com>) id 1Swf0g-0007aY-5E
	for qemu-devel@nongnu.org; Wed, 01 Aug 2012 15:55:14 -0400
Received: from e24smtp04.br.ibm.com ([32.104.18.25]:41013)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <otubo@linux.vnet.ibm.com>) id 1Swf0f-0007Y9-Pc
	for qemu-devel@nongnu.org; Wed, 01 Aug 2012 15:55:10 -0400
Received: from /spool/local
	by e24smtp04.br.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use
	Only! Violators will be prosecuted
	for <qemu-devel@nongnu.org> from <otubo@linux.vnet.ibm.com>;
	Wed, 1 Aug 2012 16:55:06 -0300
Received: from d24relay02.br.ibm.com (d24relay02.br.ibm.com [9.13.184.26])
	by d24dlp01.br.ibm.com (Postfix) with ESMTP id EC7323520052
	for <qemu-devel@nongnu.org>; Wed,  1 Aug 2012 15:54:59 -0400 (EDT)
Received: from d24av05.br.ibm.com (d24av05.br.ibm.com [9.18.232.44])
	by d24relay02.br.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id
	q71JsB7F35455046
	for <qemu-devel@nongnu.org>; Wed, 1 Aug 2012 16:54:12 -0300
Received: from d24av05.br.ibm.com (loopback [127.0.0.1])
	by d24av05.br.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id
	q71Jt1CC001071
	for <qemu-devel@nongnu.org>; Wed, 1 Aug 2012 16:55:02 -0300
From: Eduardo Otubo <otubo@linux.vnet.ibm.com>
Date: Wed,  1 Aug 2012 16:54:51 -0300
Message-Id: <cover.1343849830.git.otubo@linux.vnet.ibm.com>
Subject: [Qemu-devel] [PATCHv5 0/4] Sandboxing Qemu guests with Libseccomp
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: blauwirbel@gmail.com, pmoore@redhat.com, anthony@codemonkey.ws, wad@chromium.org, Eduardo Otubo <otubo@linux.vnet.ibm.com>

Hello all,

This patch is an effort to sandbox Qemu guests using Libseccomp[0]. The patches
that follows are pretty simple and straightforward. I added the correct options
and checks to the configure script and the basic calls to libseccomp in the
main loop at vl.c. Details of each one are in the emails of the patch set.

This support limits the system call footprint of the entire QEMU process to a
limited set of syscalls, those that we know QEMU uses. The idea is to limit the
allowable syscalls, therefore limiting the impact that an attacked guest could
have on the host system.

It's important to note that the libseccomp itself needs the seccomp mode 2
feature in the kernel, which is only available in kernel versions older (or
equal) than 3.5-rc1.

v2: Files separated in qemu-seccomp.c and qemu-seccomp.h for a cleaner
    implementation. The development was tested with the 3.5-rc1 kernel.

v3: As we discussed in previous emails in this mailing list, this feature is
    not supposed to replace existing security feature, but add another layer to
    the whole. The whitelist should contain all the syscalls QEMU needs. And as
    stated by Will Drewry's commit message[1]: "Filter programs will be inherited
    across fork/clone and execve.", the same white list should be passed along from
    the father process to the child, then execve() shouldn't be a problem. Note
    that there's a feature PR_SET_NO_NEW_PRIVS in seccomp mode 2 in the kernel,
    this prevents processes from gaining privileges on execve. For example, this
    will prevent qemu (if running unprivileged) from executing setuid programs[2].

v4: Introducing "debug" mode on libseccomp support. The "debug" mode will set
    the flag SCMP_ACT_TRAP when calling seccomp_start(). It will verbosely
    print a message to the stderr in the form "seccomp: illegal system call
    execution trapped: XXX" and resume the execution. This is really just used as
    debug mode, it helps users and developers to full fill the whitelist.

v5: Libseccomp release 1.0.0[3]: The API now is context aware and it breaks the
    compatibility with older versions. I updated all the functions that differs
    from one version to another.

As always, comments are more than welcome.

Regards,

[0] - http://sourceforge.net/projects/libseccomp/
[1] - http://git.kernel.org/?p=linux/kernel/git/next/linux-next.git;a=commit;h=e2cfabdfd075648216f99c2c03821cf3f47c1727
[2] - https://lkml.org/lkml/2012/4/12/457
[3] - http://sourceforge.net/mailarchive/forum.php?thread_name=1633205.5jr3eG7nQ5%40sifl&forum_name=libseccomp-discuss


Eduardo Otubo (4):
  Adding support for libseccomp in configure and Makefile
  Adding qemu-seccomp.[ch]
  Adding qemu-seccomp-debug.[ch]
  Adding seccomp calls to vl.c

 Makefile.objs        |   10 ++++
 configure            |   34 ++++++++++++
 qemu-seccomp-debug.c |   95 ++++++++++++++++++++++++++++++++++
 qemu-seccomp-debug.h |   38 ++++++++++++++
 qemu-seccomp.c       |  139 ++++++++++++++++++++++++++++++++++++++++++++++++++
 qemu-seccomp.h       |   22 ++++++++
 vl.c                 |   31 +++++++++++
 7 files changed, 369 insertions(+), 0 deletions(-)
 create mode 100644 qemu-seccomp-debug.c
 create mode 100644 qemu-seccomp-debug.h
 create mode 100644 qemu-seccomp.c
 create mode 100644 qemu-seccomp.h