[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 5/5] seccomp: block setns, unshare and execveat syscalls
|
From: |
Daniel P . Berrangé |
|
Subject: |
[PATCH 5/5] seccomp: block setns, unshare and execveat syscalls |
|
Date: |
Mon, 2 Aug 2021 14:03:03 +0100 |
setns/unshare are used to change namespaces which is not something QEMU
needs to be able todo.
execveat is a new variant of execve so should be blocked just like
execve already is.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
softmmu/qemu-seccomp.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/softmmu/qemu-seccomp.c b/softmmu/qemu-seccomp.c
index a7bb5c350f..deaf8a4ef5 100644
--- a/softmmu/qemu-seccomp.c
+++ b/softmmu/qemu-seccomp.c
@@ -248,6 +248,11 @@ static const struct QemuSeccompSyscall denylist[] = {
{ SCMP_SYS(clone3), QEMU_SECCOMP_SET_SPAWN,
0, NULL, SCMP_ACT_ERRNO(ENOSYS) },
#endif
+#ifdef __SNR_execveat
+ { SCMP_SYS(execveat), QEMU_SECCOMP_SET_SPAWN },
+#endif
+ { SCMP_SYS(setns), QEMU_SECCOMP_SET_SPAWN },
+ { SCMP_SYS(unshare), QEMU_SECCOMP_SET_SPAWN },
/* resource control */
{ SCMP_SYS(setpriority), QEMU_SECCOMP_SET_RESOURCECTL,
0, NULL, SCMP_ACT_ERRNO(EPERM) },
--
2.31.1
- [PATCH 0/5] seccomp: fix hole in blocking forks, Daniel P . Berrangé, 2021/08/02
- [PATCH 1/5] seccomp: allow action to be customized per syscall, Daniel P . Berrangé, 2021/08/02
- [PATCH 4/5] seccomp: block use of clone3 syscall, Daniel P . Berrangé, 2021/08/02
- [PATCH 5/5] seccomp: block setns, unshare and execveat syscalls,
Daniel P . Berrangé <=
- [PATCH 2/5] seccomp: add unit test for seccomp filtering, Daniel P . Berrangé, 2021/08/02
- [PATCH 3/5] seccomp: fix blocking of process spawning, Daniel P . Berrangé, 2021/08/02
- Re: [PATCH 0/5] seccomp: fix hole in blocking forks, Eduardo Terrell Ferrari Otubo, 2021/08/04