Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the secc

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the secc

From:	Daniel P. Berrange
Subject:	Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the seccomp sandbox
Date:	Fri, 2 Oct 2015 15:15:05 +0100
User-agent:	Mutt/1.5.23 (2014-03-12)

On Fri, Oct 02, 2015 at 04:08:20PM +0200, Eduardo Otubo wrote:
> On Fri, Oct 02, 2015 at 12=05=58PM +0200, Markus Armbruster wrote:
> > "Daniel P. Berrange" <address@hidden> writes:
> > 
> > > On Thu, Oct 01, 2015 at 02:06:32PM +0200, Markus Armbruster wrote:
> > >> "Namsun Ch'o" <address@hidden> writes:
> > >> 
> > >> > The seccomp sandbox doesn't whitelist setuid, setgid, or
> > >> > setgroups, which are
> > >> > needed for -runas to work. It also doesn't whitelist chroot, which is 
> > >> > needed
> > >> > for the -chroot option. Unfortunately, QEMU enables seccomp before it 
> > >> > drops
> > >> > privileges or chroots, so without these whitelisted, -runas and
> > >> > -chroot cause
> > >> > QEMU to be killed with -sandbox on. This patch adds those syscalls.
> > >> 
> > >> Should it enable seccomp a bit later?
> > >
> > > Yeah, I think it would be better to move the seccomp enablement later.
> > 
> > Let's do that then.
> 
> Where exactly you guys think we could call seccomp enablement? Right
> it's called (almost) right before cpu_exec_init_all(), on vl.c:4013. I
> guess it is as later as it could.

It depends on what you consider seccomp to be protecting against. I think
its primary goal is to protect against exploit after a guest OS breakout,
in which case it does not need to be enabled until the guest CPUs start
executing, which IIUC, means immediately before main_loop().

If we intend seccomp to protect against flaws during QEMU setup, then having
it earlier is neccessary. eg QEMU opening a corrupt qcow2 image which might
exploit QEMU before the guest CPUs start.

If the latter is the case, then we could start with a relaxed seccomp
sandbox which included the setuid/chroot features, and then switch to a
more restricted one which blocked them before main_loop() runs.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the seccomp sandbox, Namsun Ch'o, 2015/10/08
- Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the seccomp sandbox, Markus Armbruster, 2015/10/08
  - Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the seccomp sandbox, Daniel P. Berrange, 2015/10/08
    - Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the seccomp sandbox, Markus Armbruster, 2015/10/08
    - Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the seccomp sandbox, Eduardo Otubo, 2015/10/08
    - Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the seccomp sandbox, Daniel P. Berrange <=
    - Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the seccomp sandbox, Eduardo Otubo, 2015/10/08
- Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the seccomp sandbox, Eduardo Otubo, 2015/10/09

Prev by Date: Re: [Qemu-devel] [PATCH v7 03/24] util: add linux-only memfd fallback
Next by Date: Re: [Qemu-devel] [PULL 04/15] oslib: rework anonimous RAM allocation
Previous by thread: Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the seccomp sandbox
Next by thread: Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the seccomp sandbox
Index(es):
- Date
- Thread