Re: [Qemu-devel] [PATCH 3/5] seccomp: add elevateprivileges argument to command line

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: Paolo Bonzini <pbonzini@redhat.com>
To: Eduardo Otubo <eduardo.otubo@profitbricks.com>, qemu-devel@nongnu.org
Cc: thuth@redhat.com
Subject: Re: [Qemu-devel] [PATCH 3/5] seccomp: add elevateprivileges argument to command line
Date: Tue, 14 Mar 2017 12:47:10 +0100	[thread overview]
Message-ID: <e9b2bd2a-8409-7470-76bb-32f15fe6ce0e@redhat.com> (raw)
In-Reply-To: <20170314113209.12025-4-eduardo.otubo@profitbricks.com>



On 14/03/2017 12:32, Eduardo Otubo wrote:
> This patch introduces the new argument [,elevateprivileges=deny] to the
> `-sandbox on'. It avoids Qemu process to elevate its privileges by
> blacklisting all set*uid|gid system calls
> 
> Signed-off-by: Eduardo Otubo <eduardo.otubo@profitbricks.com>
> ---
>  include/sysemu/seccomp.h |  1 +
>  qemu-options.hx          |  8 ++++++--
>  qemu-seccomp.c           | 28 ++++++++++++++++++++++++++++
>  vl.c                     | 11 +++++++++++
>  4 files changed, 46 insertions(+), 2 deletions(-)
> 
> diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h
> index 7a7bde246b..e6e78d85ce 100644
> --- a/include/sysemu/seccomp.h
> +++ b/include/sysemu/seccomp.h
> @@ -16,6 +16,7 @@
>  #define QEMU_SECCOMP_H
>  
>  #define OBSOLETE    0x0001
> +#define PRIVILEGED  0x0010
>  
>  #include <seccomp.h>
>  
> diff --git a/qemu-options.hx b/qemu-options.hx
> index 1403d0c85f..47018db5aa 100644
> --- a/qemu-options.hx
> +++ b/qemu-options.hx
> @@ -3732,8 +3732,10 @@ Old param mode (ARM only).
>  ETEXI
>  
>  DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \
> -    "-sandbox on[,obsolete=allow]  Enable seccomp mode 2 system call filter (default 'off').\n" \
> -    "                              obsolete: Allow obsolete system calls",
> +    "-sandbox on[,obsolete=allow][,elevateprivileges=deny]\n" \
> +    "                               Enable seccomp mode 2 system call filter (default 'off').\n" \
> +    "                               obsolete: Allow obsolete system calls\n" \
> +    "                               elevateprivileges: avoids Qemu process to elevate its privileges by blacklisting all set*uid|gid system calls",

Why allow these by default?

Paolo

>      QEMU_ARCH_ALL)
>  STEXI
>  @item -sandbox @var{arg}[,obsolete=@var{string}]
> @@ -3743,6 +3745,8 @@ disable it.  The default is 'off'.
>  @table @option
>  @item obsolete=@var{string}
>  Enable Obsolete system calls
> +@item elevateprivileges=@var{string}
> +Disable set*uid|gid systema calls
>  @end table
>  ETEXI
>  
> diff --git a/qemu-seccomp.c b/qemu-seccomp.c
> index 5ef36890da..5aa6590386 100644
> --- a/qemu-seccomp.c
> +++ b/qemu-seccomp.c
> @@ -31,6 +31,19 @@ struct QemuSeccompSyscall {
>      uint8_t priority;
>  };
>  
> +static const struct QemuSeccompSyscall privileged_syscalls[] = {
> +    { SCMP_SYS(setuid), 255 },
> +    { SCMP_SYS(setgid), 255 },
> +    { SCMP_SYS(setpgid), 255 },
> +    { SCMP_SYS(setsid), 255 },
> +    { SCMP_SYS(setreuid), 255 },
> +    { SCMP_SYS(setregid), 255 },
> +    { SCMP_SYS(setresuid), 255 },
> +    { SCMP_SYS(setresgid), 255 },
> +    { SCMP_SYS(setfsuid), 255 },
> +    { SCMP_SYS(setfsgid), 255 },
> +};
> +
>  static const struct QemuSeccompSyscall obsolete[] = {
>      { SCMP_SYS(readdir), 255 },
>      { SCMP_SYS(_sysctl), 255 },
> @@ -125,6 +138,21 @@ int seccomp_start(uint8_t seccomp_opts)
>          }
>      }
>  
> +    if (seccomp_opts & PRIVILEGED) {
> +        for (i = 0; i < ARRAY_SIZE(privileged_syscalls); i++) {
> +            rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, privileged_syscalls[i].num, 0);
> +            if (rc < 0) {
> +                goto seccomp_return;
> +            }
> +            rc = seccomp_syscall_priority(ctx, privileged_syscalls[i].num,
> +                    privileged_syscalls[i].priority);
> +            if (rc < 0) {
> +                goto seccomp_return;
> +            }
> +        }
> +    }
> +
> +
>      rc = seccomp_load(ctx);
>  
>    seccomp_return:
> diff --git a/vl.c b/vl.c
> index 7b08b3383b..d071e240b0 100644
> --- a/vl.c
> +++ b/vl.c
> @@ -273,6 +273,10 @@ static QemuOptsList qemu_sandbox_opts = {
>              .name = "obsolete",
>              .type = QEMU_OPT_STRING,
>          },
> +        {
> +            .name = "elevateprivileges",
> +            .type = QEMU_OPT_STRING,
> +        },
>          { /* end of list */ }
>      },
>  };
> @@ -1045,6 +1049,13 @@ static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp)
>              }
>          }
>  
> +        value = qemu_opt_get(opts,"elevateprivileges");
> +        if (value) {
> +            if (strcmp(value, "deny") == 0) {
> +                seccomp_opts |= PRIVILEGED;
> +            }
> +        }
> +
>          if (seccomp_start(seccomp_opts) < 0) {
>              error_report("failed to install seccomp syscall filter "
>                           "in the kernel");
>

next prev parent reply	other threads:[~2017-03-14 11:47 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-03-14 11:32 [Qemu-devel] [PATCH 0/5] seccomp: feature refactoring Eduardo Otubo
2017-03-14 11:32 ` [Qemu-devel] [PATCH 1/5] seccomp: changing from whitelist to blacklist Eduardo Otubo
2017-03-14 11:32 ` [Qemu-devel] [PATCH 2/5] seccomp: add obsolete argument to command line Eduardo Otubo
2017-03-14 11:47   ` Paolo Bonzini
2017-03-14 12:01   ` Thomas Huth
2017-03-14 12:22     ` Eduardo Otubo
2017-03-14 11:32 ` [Qemu-devel] [PATCH 3/5] seccomp: add elevateprivileges " Eduardo Otubo
2017-03-14 11:47   ` Paolo Bonzini [this message]
2017-03-14 11:52     ` Daniel P. Berrange
2017-03-14 12:13       ` Paolo Bonzini
2017-03-14 12:24         ` Daniel P. Berrange
2017-03-14 12:42           ` Eduardo Otubo
2017-03-14 12:32         ` Eduardo Otubo
2017-03-14 12:48           ` Paolo Bonzini
2017-03-14 13:02             ` Daniel P. Berrange
2017-03-14 13:05               ` Paolo Bonzini
2017-03-14 13:19                 ` Daniel P. Berrange
2017-03-14 11:32 ` [Qemu-devel] [PATCH 4/5] seccomp: add spawn " Eduardo Otubo
2017-03-14 11:32 ` [Qemu-devel] [PATCH 5/5] seccomp: add resourcecontrol " Eduardo Otubo
2017-03-14 11:40 ` [Qemu-devel] [PATCH 0/5] seccomp: feature refactoring no-reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e9b2bd2a-8409-7470-76bb-32f15fe6ce0e@redhat.com \
    --to=pbonzini@redhat.com \
    --cc=eduardo.otubo@profitbricks.com \
    --cc=qemu-devel@nongnu.org \
    --cc=thuth@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).