[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCHv4 3/6] seccomp: add elevateprivileges argument t
|
From: |
Daniel P. Berrange |
|
Subject: |
Re: [Qemu-devel] [PATCHv4 3/6] seccomp: add elevateprivileges argument to command line |
|
Date: |
Thu, 7 Sep 2017 10:58:51 +0100 |
|
User-agent: |
Mutt/1.8.3 (2017-05-23) |
On Fri, Sep 01, 2017 at 12:58:15PM +0200, Eduardo Otubo wrote:
> This patch introduces the new argument
> [,elevateprivileges=allow|deny|children] to the `-sandbox on'. It allows
> or denies Qemu process to elevate its privileges by blacklisting all
> set*uid|gid system calls. The 'children' option will let forks and
> execves run unprivileged.
>
> Signed-off-by: Eduardo Otubo <address@hidden>
> ---
> include/sysemu/seccomp.h | 1 +
> qemu-options.hx | 12 +++++++++---
> qemu-seccomp.c | 29 ++++++++++++++++++-----------
> vl.c | 27 +++++++++++++++++++++++++++
> 4 files changed, 55 insertions(+), 14 deletions(-)
> diff --git a/vl.c b/vl.c
> index ca267f9918..1d44b05772 100644
> --- a/vl.c
> +++ b/vl.c
> @@ -29,6 +29,7 @@
>
> #ifdef CONFIG_SECCOMP
> #include "sysemu/seccomp.h"
> +#include "sys/prctl.h"
> #endif
>
> #if defined(CONFIG_VDE)
> @@ -275,6 +276,10 @@ static QemuOptsList qemu_sandbox_opts = {
> .name = "obsolete",
> .type = QEMU_OPT_STRING,
> },
> + {
> + .name = "elevateprivileges",
> + .type = QEMU_OPT_STRING,
> + },
> { /* end of list */ }
> },
> };
> @@ -1052,6 +1057,28 @@ static int parse_sandbox(void *opaque, QemuOpts *opts,
> Error **errp)
> }
> }
>
> + value = qemu_opt_get(opts, "elevateprivileges");
> + if (value) {
> + if (strcmp(value, "deny") == 0) {
> + seccomp_opts |= QEMU_SECCOMP_SET_PRIVILEGED;
> + } else if (strcmp(value, "children") == 0) {
> + seccomp_opts |= QEMU_SECCOMP_SET_PRIVILEGED;
> +
> + /* calling prctl directly because we're
> + * not sure if host has CAP_SYS_ADMIN set*/
> + if (prctl(PR_SET_NO_NEW_PRIVS, 1)) {
> + error_report("failed to set no_new_privs "
> + "aborting");
> + return -1;
> + }
> + } else if (strcmp(value, "allow") == 0) {
> + /* default value */
Again slight preference for g_str_equal() in all these checks.
> + } else {
> + error_report("invalid argument for elevateprivileges");
> + return -1;
> + }
> + }
> +
> if (seccomp_start(seccomp_opts) < 0) {
> error_report("failed to install seccomp syscall filter "
> "in the kernel");
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
- [Qemu-devel] [PATCHv4 0/6] seccomp: feature refactoring, Eduardo Otubo, 2017/09/01
- [Qemu-devel] [PATCHv4 5/6] seccomp: add resourcecontrol argument to command line, Eduardo Otubo, 2017/09/01
- [Qemu-devel] [PATCHv4 4/6] seccomp: add spawn argument to command line, Eduardo Otubo, 2017/09/01
- [Qemu-devel] [PATCHv4 6/6] seccomp: adding documentation to new seccomp model, Eduardo Otubo, 2017/09/01
- Re: [Qemu-devel] [PATCHv4 0/6] seccomp: feature refactoring, no-reply, 2017/09/01