qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCHv2 2/3] seccomp: adding command line support for


From: Daniel P. Berrange
Subject: Re: [Qemu-devel] [PATCHv2 2/3] seccomp: adding command line support for blacklist
Date: Wed, 18 Sep 2013 08:38:17 +0100
User-agent: Mutt/1.5.21 (2010-09-15)

On Tue, Sep 17, 2013 at 03:17:28PM -0400, Corey Bryant wrote:
> 
> 
> On 09/17/2013 01:14 PM, Eduardo Otubo wrote:
> >
> >
> >On 09/17/2013 11:43 AM, Paul Moore wrote:
> >>On Tuesday, September 17, 2013 02:06:06 PM Daniel P. Berrange wrote:
> >>>On Tue, Sep 17, 2013 at 10:01:23AM -0300, Eduardo Otubo wrote:
> >>>
> >>>>Paul, what exactly are you planning to add to libvirt? I'm not a big
> >>>>fan of using qemu command line to pass syscalls for blacklist as
> >>>>arguments, but I can't see other way to avoid problems (like -net
> >>>>bridge / -net tap) from happening.
> >>
> >>At present, and as far as I'm concerned pretty much everything is open
> >>for
> >>discussion, the code works similar to the libvirt network filters.
> >>You create
> >>a separate XML configuration file which defines the filter and you
> >>reference
> >>that filter from the domain's XML configuration.  When a QEMU/KVM or
> >>LXC based
> >>domain starts it uses libseccomp to create the seccomp filter and then
> >>loads
> >>it into the kernel after the fork but before the domain is exec'd.
> >
> >Clever approach. I tihnk a possible way to do this is something like:
> >
> >  -sandbox
> >-on[,strict=<on|off>][,whitelist=qemu_whitelist.conf][,blacklist=qemu_blacklist.conf]
> >
> >
> >     where:
> >
> >[,whitelist=qemu_whitelist.conf] will override default whitelist filter
> >[,blacklist=blacklist.conf] will override default blacklist filter
> >
> >But when we add seccomp support for qemu on libvirt, we make sure to
> >just add -sandbox off and use Paul's approach.
> >
> >Is that a reasonable approach? What do you think?
> >
> 
> QEMU wouldn't require any changes for the approach Paul describes.
> The QEMU process that is exec'd by libvirt would be constrained by
> the filter that libvirt installed.

Libvirt does not want to be in the business of creating seccomp syscall
filters for QEMU. As mentioned before, IMHO that places an unacceptable
burden on libvirt to know about the syscalls each a particular version
of QEMU requires for its operation.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|



reply via email to

[Prev in Thread] Current Thread [Next in Thread]