On Wed, Dec 7, 2011 at 11:43 AM, Anthony Liguori
<address@hidden> wrote:
I'd like to see what the whitelist would need to be for something like QEMU in mode 2. My biggest concern is that the whitelist would need to be so large that the practical security what's all that much improved.
Based on some prototyping work I've done with VMM ptrace sandboxing, I estimate a ceiling of about 50 syscalls in the whitelist. This is a reduction from over 300, and Linux syscalls that have had security vulnerabilities in the past few years were not needed. Aside from that, if we can further restrict based on syscall parameters, then we have a straightforward mechanism for locking down access to things like file system resources. For instance, a block device can be restricted to only accessing the host file(s) that back the block device.