[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PULL 04/05] seccomp: add setuid, setgid, chroot and setgro
From: |
Eduardo Otubo |
Subject: |
[Qemu-devel] [PULL 04/05] seccomp: add setuid, setgid, chroot and setgroups to whitelist |
Date: |
Fri, 30 Oct 2015 14:44:49 +0100 |
From: Namsun Ch'o <address@hidden>
The seccomp sandbox doesn't whitelist setuid, setgid, or setgroups, which are
needed for -runas to work. It also doesn't whitelist chroot, which is needed
for the -chroot option. Unfortunately, QEMU enables seccomp before it drops
privileges or chroots, so without these whitelisted, -runas and -chroot cause
QEMU to be killed with -sandbox on. This patch adds those syscalls.
Signed-off-by: Namsun Ch'o <address@hidden>
Acked-by: Eduardo Otubo <address@hidden>
---
qemu-seccomp.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index e7a54e8..877fd88 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -238,6 +238,10 @@ static const struct QemuSeccompSyscall seccomp_whitelist[]
= {
{ SCMP_SYS(inotify_add_watch), 240 },
{ SCMP_SYS(mbind), 240 },
{ SCMP_SYS(cacheflush), 240 },
+ { SCMP_SYS(setuid), 240 },
+ { SCMP_SYS(setgid), 240 },
+ { SCMP_SYS(chroot), 240 },
+ { SCMP_SYS(setgroups), 240 },
};
int seccomp_start(void)
--
2.1.4
- [Qemu-devel] [PULL 00/05] seccomp branch queue, Eduardo Otubo, 2015/10/30
- [Qemu-devel] [PULL 02/05] configure: arm/aarch64: allow enable-seccomp, Eduardo Otubo, 2015/10/30
- [Qemu-devel] [PULL 01/05] seccomp: add cacheflush to whitelist, Eduardo Otubo, 2015/10/30
- [Qemu-devel] [PULL 03/05] seccomp: add madvise, shmget, and shmctl to whitelist, Eduardo Otubo, 2015/10/30
- [Qemu-devel] [PULL 05/05] seccomp: loosen library version dependency, Eduardo Otubo, 2015/10/30
- [Qemu-devel] [PULL 04/05] seccomp: add setuid, setgid, chroot and setgroups to whitelist,
Eduardo Otubo <=
- Re: [Qemu-devel] [PULL 00/05] seccomp branch queue, Peter Maydell, 2015/10/30