[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH v3 3/3] seccomp: set the seccomp filter to all t
|
From: |
Daniel P . Berrangé |
|
Subject: |
Re: [Qemu-devel] [PATCH v3 3/3] seccomp: set the seccomp filter to all threads |
|
Date: |
Wed, 22 Aug 2018 17:43:36 +0100 |
|
User-agent: |
Mutt/1.10.1 (2018-07-13) |
On Wed, Aug 22, 2018 at 06:19:16PM +0200, Marc-André Lureau wrote:
> Hi
>
> On Wed, Aug 22, 2018 at 6:07 PM, Eric Blake <address@hidden> wrote:
> > On 08/22/2018 10:58 AM, Marc-André Lureau wrote:
> >
> >>> At this point you might as well not bother using seccomp at all. The
> >>> thread that is confined merely needs to scribble something into the
> >>> stack of the unconfined thread and now it can do whatever it wants.
> >>
> >>
> >> Actually, that message is incorrect, it should rather be "not all
> >> threads will be filtered" (as described in commit message).
> >>
> >>> IMHO we need to find a way to get the policy to apply to those other
> >>> threads.
> >>
> >>
> >> That's what the patch is about ;)
> >
> >
> > In other words, this patch is patching the gaping security hole that already
> > exists, but...
> >
> >>>> +++ b/qemu-options.hx
> >>>> @@ -3864,6 +3864,8 @@ Disable set*uid|gid system calls
> >>>> Disable *fork and execve
> >>>> @item address@hidden
> >>>> Disable process affinity and schedular priority
> >>>> address@hidden address@hidden
> >>>> +Apply seccomp filter to all threads (default is auto, and will warn if
> >>>> fail)
> >>>
> >>>
> >>> IMHO this should never exist, as setting "tsync" to anything other
> >>> than "yes", is akin to just running without any sandbox.
> >>
> >>
> >> Then we should just fail -sandbox on those systems.
> >
> >
> > ...leaving the backdoor open. Yes, we should instead fix things to hard
> > fail when -sandbox cannot fully protect the process, rather than adding a
> > tsync=off backdoor to permit execution in spite of the insecurity.
>
> Ok, -sandbox will now require libseccomp 2.2.0 (not available in
> Debian oldstable - so it will fail at configure time) and kernel >=
> 3.17 (error during start). If that sounds ok, I'll update the series.
Hmm, that will cause seccomp to be unusable for RHEL-7, prior to
the 7.5 kernel, which has complications wrt libvirt using -sandbox
by default.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
- [Qemu-devel] [PATCH v3 3/3] seccomp: set the seccomp filter to all threads, (continued)
- [Qemu-devel] [PATCH v3 3/3] seccomp: set the seccomp filter to all threads, Marc-André Lureau, 2018/08/22
- Re: [Qemu-devel] [PATCH v3 3/3] seccomp: set the seccomp filter to all threads, Daniel P . Berrangé, 2018/08/22
- Re: [Qemu-devel] [PATCH v3 3/3] seccomp: set the seccomp filter to all threads, Marc-André Lureau, 2018/08/22
- Re: [Qemu-devel] [PATCH v3 3/3] seccomp: set the seccomp filter to all threads, Daniel P . Berrangé, 2018/08/22
- Re: [Qemu-devel] [PATCH v3 3/3] seccomp: set the seccomp filter to all threads, Marc-André Lureau, 2018/08/22
- Re: [Qemu-devel] [PATCH v3 3/3] seccomp: set the seccomp filter to all threads, Marc-André Lureau, 2018/08/22
- Re: [Qemu-devel] [PATCH v3 3/3] seccomp: set the seccomp filter to all threads, Daniel P . Berrangé, 2018/08/22
- Re: [Qemu-devel] [PATCH v3 3/3] seccomp: set the seccomp filter to all threads, Daniel P . Berrangé, 2018/08/22
- Re: [Qemu-devel] [PATCH v3 3/3] seccomp: set the seccomp filter to all threads, Eric Blake, 2018/08/22
- Re: [Qemu-devel] [PATCH v3 3/3] seccomp: set the seccomp filter to all threads, Marc-André Lureau, 2018/08/22
- Re: [Qemu-devel] [PATCH v3 3/3] seccomp: set the seccomp filter to all threads,
Daniel P . Berrangé <=
- Re: [Qemu-devel] [PATCH v3 3/3] seccomp: set the seccomp filter to all threads, Daniel P . Berrangé, 2018/08/22
Re: [Qemu-devel] [PATCH v3 0/3] seccomp fixes, Eduardo Otubo, 2018/08/22