qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] Seccomp profile for swtpm as default


From: Stefan Berger
Subject: Re: [Qemu-devel] Seccomp profile for swtpm as default
Date: Thu, 14 Mar 2019 07:15:10 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.3.1

On 3/14/19 5:59 AM, Daniel P. Berrangé wrote:
On Wed, Mar 13, 2019 at 03:43:13PM -0400, Stefan Berger wrote:
Hello!

  If you have some feedback regarding a seccomp profile extension for swtpm
for v0.2, please let me know. I created this github issue here:


https://github.com/stefanberger/swtpm/issues/115


Basically the choice is whether to make the creation of the seccomp profile
a default behavior or have the caller explicitly pass the '--seccomp
profile=default' on the command line, which then in turn would require
libvirt for example to check whether this current version of swtpm supports
the feature either by swtpm version or by strstr() the help page.
In QEMU we can't enable seccomp by default because its wide range of
features means any default profile would be effectively useless. Libvirt
knows that it uses a restricted set of QEMU features, so it can enable
a more useful seccomp by default.

I think swtpm won't have this complexity problem. Its functionality is
relatively narrow & well understood & so it is practical to define a
good seccomp profile & use that by default. So personally I'd merely
provide an opt-out to turn it off unless you think this is likely to
break something important.

Thanks. What makes me a bit hesitant now to activate it is the fact that I found several unexpected syscalls in places like openssl DRBG and glibc. The latter for example uses some #define ARCH_FORK (iirc), which was not fork or vfork but clone on F29. It will obviously break if it is something different on another machine or if it runs into branches that I haven't exercised with the limited coverage the test suite I have provides...

  Stefan



Regards,
Daniel





reply via email to

[Prev in Thread] Current Thread [Next in Thread]