Re: [Qemu-devel] [PATCH v2] Add argument filters to the seccomp sandbox
From: Paul Moore
Subject: Re: [Qemu-devel] [PATCH v2] Add argument filters to the seccomp sandbox
Date: Mon, 28 Sep 2015 14:24:52 -0400
User-agent: KMail/4.14.10 (Linux/4.1.5-gentoo; KDE/4.14.12; x86_64; ; )
On Saturday, September 26, 2015 01:06:57 AM Namsun Ch'o wrote:
> > I've suggested this in the past but to my knowledge no one has done any work
> > in this direction, including myself. Despite the lack of progress, I still
> > think this is a very worthwhile idea.
>
> Which is exactly why I think a configuration file would be the best option
> instead of --enable-syscalls=foo,bar,baz. It would allow someone to easily
> customize their policy without needing to create a patch, or wait on QEMU
> developers to do work on it.
To be clear, I'm not suggesting "--enable-syscalls=foo,bar,..."; what I'm
suggesting is a decomposition of the current filter list into blocks of
syscalls that are needed to enable specific functionality. For example, if
you enable audio support at runtime, a set of syscalls will be added to the
filter whitelist; if you enable a network device, a different set of syscalls
will be added to the filter; and so on.
I think having an admin-specified filter, either via a command line or
configuration file, is a step in the wrong direction.
--
paul moore
security @ redhat
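The per-feature decomposition described in the reply, as an added example that is not part of this thread and is not QEMU's code (QEMU's real filter lives in qemu-seccomp.c and is built with libseccomp). This example assumes x86_64, installs raw BPF through prctl(2) instead of libseccomp, and the three syscall sets (base, audio, net) are constructed for illustration rather than taken from QEMU. The point it shows is that enabling a feature at startup adds that feature's block to the whitelist and nothing else, and that the resulting policy can be evaluated offline before it is installed.

```c
/* Added example, not QEMU's code: compose a seccomp whitelist from per-feature
 * syscall blocks instead of one monolithic list. Feature sets are constructed
 * for illustration; x86_64 only; raw BPF rather than libseccomp. */
#include <stddef.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* One block: the syscalls a single runtime feature needs. */
struct feature_block {
    const char *name;
    int enabled;        /* decided from the command line / config at startup */
    const int *nrs;
    size_t count;
};

/* Constructed, deliberately small sets; a real base set is much larger. */
static const int base_nrs[]  = { SYS_read, SYS_write, SYS_brk, SYS_exit_group, SYS_rt_sigreturn };
static const int audio_nrs[] = { SYS_openat, SYS_ioctl, SYS_close };
static const int net_nrs[]   = { SYS_socket, SYS_bind, SYS_sendmsg, SYS_recvmsg };
#define COUNT(a) (sizeof (a) / sizeof ((a)[0]))
#define MAX_INSNS 64

/* Emit: arch check, one JEQ/RET_ALLOW pair per syscall of every enabled block,
 * then a default kill. Returns the instruction count, or 0 if out is too small. */
static size_t build_filter(const struct feature_block *blocks, size_t nblocks,
                           struct sock_filter *out, size_t max)
{
    size_t n = 0;
    if (max < 5) return 0;
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t b = 0; b < nblocks; b++) {
        if (!blocks[b].enabled) continue;   /* feature off: its syscalls stay blocked */
        for (size_t i = 0; i < blocks[b].count; i++) {
            if (n + 3 > max) return 0;      /* keep room for the final kill */
            out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)blocks[b].nrs[i], 0, 1);
            out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
        }
    }
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    return n;
}

/* Build the policy for one feature selection; base is always on. */
static size_t policy_for(int audio, int net, struct sock_filter *out, size_t max)
{
    struct feature_block blocks[] = {
        { "base",  1,     base_nrs,  COUNT(base_nrs)  },
        { "audio", audio, audio_nrs, COUNT(audio_nrs) },
        { "net",   net,   net_nrs,   COUNT(net_nrs)   },
    };
    return build_filter(blocks, COUNT(blocks), out, max);
}

/* Evaluate the three opcodes build_filter emits with the kernel's BPF semantics,
 * so a policy can be checked before it is installed. Returns the seccomp action. */
static uint32_t eval_filter(const struct sock_filter *p, size_t n, uint32_t arch, uint32_t nr)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *ins = &p[pc];
        if (ins->code == (BPF_LD | BPF_W | BPF_ABS))
            acc = (ins->k == offsetof(struct seccomp_data, arch)) ? arch : nr;
        else if (ins->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == ins->k) ? ins->jt : ins->jf;
        else if (ins->code == (BPF_RET | BPF_K))
            return ins->k;
        else
            return SECCOMP_RET_KILL;        /* opcode outside this subset */
    }
    return SECCOMP_RET_KILL;                /* fell off the end: fail closed */
}

/* What does the (audio, net) policy do with syscall nr on architecture arch? */
static uint32_t decide(int audio, int net, uint32_t arch, int nr)
{
    struct sock_filter prog[MAX_INSNS];
    size_t n = policy_for(audio, net, prog, MAX_INSNS);
    return n ? eval_filter(prog, n, arch, (uint32_t)nr) : SECCOMP_RET_KILL;
}

static int install_filter(struct sock_filter *prog, size_t n)
{
    struct sock_fprog fprog = { .len = (unsigned short)n, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    struct sock_filter prog[MAX_INSNS];
    size_t n = policy_for(0, 0, prog, MAX_INSNS);   /* headless guest: base block only */
    if (n == 0 || install_filter(prog, n) != 0) return 1;
    write(1, "sandboxed\n", 10);    /* allowed by the base block; socket() would now be killed */
    _exit(0);
}
```

Build with `cc -std=gnu99 -o featfilter featfilter.c` on Linux; running it installs the base-only policy and then exits through exit_group, which the base block permits. The eval_filter routine only understands the three opcodes build_filter emits, which is enough to unit-test which syscalls each feature combination opens up before the policy ever reaches the kernel; a real-world base set would need the syscalls the C library uses on startup and shutdown, which this constructed list omits on purpose.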