Re: [Qemu-devel] [PATCH] seccomp: add mkdir() and fchmod() to the whitel

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH] seccomp: add mkdir() and fchmod() to the whitel

From:	Paul Moore
Subject:	Re: [Qemu-devel] [PATCH] seccomp: add mkdir() and fchmod() to the whitelist
Date:	Fri, 03 Jan 2014 15:46:47 -0500
User-agent:	KMail/4.11.4 (Linux/3.12.4-gentoo; KDE/4.11.4; x86_64; ; )

On Friday, January 03, 2014 09:24:57 PM Paolo Bonzini wrote:
> Il 03/01/2014 20:58, Paul Moore ha scritto:
> > The PulseAudio library attempts to do a mkdir(2) and fchmod(2) on
> > "/run/user/<UID>/pulse" which is currently blocked by the syscall
> > filter; this patch adds the two missing syscalls to the whitelist.
> > 
> > You can reproduce this problem with the following command:
> >  # qemu -monitor stdio -device intel-hda -device hda-duplex
> > 
> > If watched under strace the following syscalls are shown:
> >  mkdir("/run/user/0/pulse", 0700)
> >  fchmod(11, 0700) [NOTE: 11 is the fd for /run/user/0/pulse]
> 
> Can fchmod be exploited to violate the sandbox (e.g. to let data escape
> from a VM that ought not to have any way to communicate with the outside
> world)?

Technically, there is the potential for any syscall to be exploited in such a 
way that a malicious guest could gain greater access than desired and do 
something evil with that access.  After all, that was the motivation behind 
seccomp: disable unused syscalls to reduce the chance of an attacker 
exploiting a syscall bug.

The important thing to remember here is that the seccomp code in QEMU is not 
enabling syscalls, it is disabling them.  In other words, a QEMU instance with 
the seccomp functionality enabled, e.g. '-sandbox on', only reduces the number 
of syscalls available to the QEMU process, it never increases or adds 
vulnerable syscalls to the QEMU process.

Granted, yes, there are syscalls in the current whitelist that I wish we could 
disable, but we are still trying to arrive a whitelist that is all 
encompassing (or close to it) with respect to QEMU functionality.  Once we 
have that list in hand (each fix like the one I posted gets us closer) we can 
start looking at selectively shrinking the whitelist*.

* We've talked about this on-list previously and there are several approaches 
here, some include conditionally adding/removing syscalls based on the QEMU 
functionality requested, e.g. command line, different sandbox "profiles", e.g. 
standalone vs libvirt, and staged seccomp filters, e.g. a whitelist followed 
by progressively tighter blacklists.

-- 
paul moore
security and virtualization @ redhat

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH] seccomp: add mkdir() and fchmod() to the whitelist, Paul Moore, 2014/01/03
- Re: [Qemu-devel] [PATCH] seccomp: add mkdir() and fchmod() to the whitelist, Paolo Bonzini, 2014/01/03
  - Re: [Qemu-devel] [PATCH] seccomp: add mkdir() and fchmod() to the whitelist, Paul Moore <=

Prev by Date: Re: [Qemu-devel] [PATCH] seccomp: add mkdir() and fchmod() to the whitelist
Next by Date: Re: [Qemu-devel] [PATCH 1/2] hw/net: add support for Allwinner EMAC Fast Ethernet controller
Previous by thread: Re: [Qemu-devel] [PATCH] seccomp: add mkdir() and fchmod() to the whitelist
Next by thread: [Qemu-devel] [PATCH target-arm v2 1/1] arm/xilinx_zynq: Always instantiate the GEMs
Index(es):
- Date
- Thread