qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH v3 3/3] seccomp: set the seccomp filter to all t


From: Eric Blake
Subject: Re: [Qemu-devel] [PATCH v3 3/3] seccomp: set the seccomp filter to all threads
Date: Wed, 22 Aug 2018 11:07:24 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1

On 08/22/2018 10:58 AM, Marc-André Lureau wrote:

At this point you might as well not bother using seccomp at all. The
thread that is confined merely needs to scribble something into the
stack of the unconfined thread and now it can do whatever it wants.

Actually, that message is incorrect, it should rather be "not all
threads will be filtered" (as described in commit message).

IMHO we need to find a way to get the policy to apply to those other
threads.

That's what the patch is about ;)

In other words, this patch is patching the gaping security hole that already exists, but...

+++ b/qemu-options.hx
@@ -3864,6 +3864,8 @@ Disable set*uid|gid system calls
  Disable *fork and execve
  @item address@hidden
  Disable process affinity and schedular priority
address@hidden address@hidden
+Apply seccomp filter to all threads (default is auto, and will warn if fail)

IMHO this should never exist, as setting "tsync" to anything other
than "yes", is akin to just running without any sandbox.

Then we should just fail -sandbox on those systems.

...leaving the backdoor open. Yes, we should instead fix things to hard fail when -sandbox cannot fully protect the process, rather than adding a tsync=off backdoor to permit execution in spite of the insecurity.

--
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org



reply via email to

[Prev in Thread] Current Thread [Next in Thread]