[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH] seccomp: add mkdir() and fchmod() to the whitel
From: |
Paul Moore |
Subject: |
Re: [Qemu-devel] [PATCH] seccomp: add mkdir() and fchmod() to the whitelist |
Date: |
Fri, 03 Jan 2014 15:46:47 -0500 |
User-agent: |
KMail/4.11.4 (Linux/3.12.4-gentoo; KDE/4.11.4; x86_64; ; ) |
On Friday, January 03, 2014 09:24:57 PM Paolo Bonzini wrote:
> Il 03/01/2014 20:58, Paul Moore ha scritto:
> > The PulseAudio library attempts to do a mkdir(2) and fchmod(2) on
> > "/run/user/<UID>/pulse" which is currently blocked by the syscall
> > filter; this patch adds the two missing syscalls to the whitelist.
> >
> > You can reproduce this problem with the following command:
> > # qemu -monitor stdio -device intel-hda -device hda-duplex
> >
> > If watched under strace the following syscalls are shown:
> > mkdir("/run/user/0/pulse", 0700)
> > fchmod(11, 0700) [NOTE: 11 is the fd for /run/user/0/pulse]
>
> Can fchmod be exploited to violate the sandbox (e.g. to let data escape
> from a VM that ought not to have any way to communicate with the outside
> world)?
Technically, there is the potential for any syscall to be exploited in such a
way that a malicious guest could gain greater access than desired and do
something evil with that access. After all, that was the motivation behind
seccomp: disable unused syscalls to reduce the chance of an attacker
exploiting a syscall bug.
The important thing to remember here is that the seccomp code in QEMU is not
enabling syscalls, it is disabling them. In other words, a QEMU instance with
the seccomp functionality enabled, e.g. '-sandbox on', only reduces the number
of syscalls available to the QEMU process, it never increases or adds
vulnerable syscalls to the QEMU process.
Granted, yes, there are syscalls in the current whitelist that I wish we could
disable, but we are still trying to arrive a whitelist that is all
encompassing (or close to it) with respect to QEMU functionality. Once we
have that list in hand (each fix like the one I posted gets us closer) we can
start looking at selectively shrinking the whitelist*.
* We've talked about this on-list previously and there are several approaches
here, some include conditionally adding/removing syscalls based on the QEMU
functionality requested, e.g. command line, different sandbox "profiles", e.g.
standalone vs libvirt, and staged seccomp filters, e.g. a whitelist followed
by progressively tighter blacklists.
--
paul moore
security and virtualization @ redhat