qemu-devel

Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the secc


From: Eduardo Otubo
Subject: Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the seccomp sandbox
Date: Fri, 2 Oct 2015 16:08:20 +0200
User-agent: Mutt/1.5.23 (2014-03-12)

On Fri, Oct 02, 2015 at 12:05:58PM +0200, Markus Armbruster wrote:
> "Daniel P. Berrange" <address@hidden> writes:
> 
> > On Thu, Oct 01, 2015 at 02:06:32PM +0200, Markus Armbruster wrote:
> >> "Namsun Ch'o" <address@hidden> writes:
> >> 
> >> > The seccomp sandbox doesn't whitelist setuid, setgid, or setgroups, which
> >> > are needed for -runas to work. It also doesn't whitelist chroot, which is
> >> > needed for the -chroot option. Unfortunately, QEMU enables seccomp before
> >> > it drops privileges or chroots, so without these whitelisted, -runas and
> >> > -chroot cause QEMU to be killed with -sandbox on. This patch adds those
> >> > syscalls.
> >> 
> >> Should it enable seccomp a bit later?
> >
> > Yeah, I think it would be better to move the seccomp enablement later.
> 
> Let's do that then.

Where exactly do you guys think we could call seccomp enablement? Right
now it's called (almost) right before cpu_exec_init_all(), on vl.c:4013. I
guess it is as late as it could be.

> 
> > Adding setuid and chroot to the allow list is pretty strongly undesirable
> > from a security protection POV.
> 
> Indeed.

-- 
Eduardo Otubo
ProfitBricks GmbH
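
The ordering question raised in this thread, as an added example (not QEMU code and not written by anyone in the thread): a child process attempts the syscalls behind -chroot and -runas either after or before a seccomp filter is installed. The filter is a stand-in that kills only on the four syscalls named in the patch, where QEMU's real filter is a whitelist; `sandbox_on`, `chroot_and_drop` and `run_startup` are hypothetical names.

```c
/* Added example, not QEMU code. Linux only. A production filter must also
 * check seccomp_data.arch; that check is omitted here to keep the demo short. */
#define _GNU_SOURCE
#include <grp.h>
#include <signal.h>
#include <stddef.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>

#define KILL_ON(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL)

/* Stand-in sandbox: the four syscalls from the patch are fatal, the rest allowed. */
static int sandbox_on(void) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        KILL_ON(SYS_chroot), KILL_ON(SYS_setuid),
        KILL_ON(SYS_setgid), KILL_ON(SYS_setgroups),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* The syscalls behind -chroot and -runas. Return values are ignored (EPERM
 * when not root): seccomp acts on the attempt, before any permission check. */
static void chroot_and_drop(void) {
    gid_t g = getgid();
    int r = chroot("/");
    r |= setgroups(1, &g); r |= setgid(g); r |= setuid(getuid());
    (void)r;
}

/* Run one startup order in a child: 0 = clean exit, >0 = killing signal, -1 = setup error. */
int run_startup(int sandbox_first) {
    int st; pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (sandbox_first) { if (sandbox_on()) _exit(2); chroot_and_drop(); }
        else { chroot_and_drop(); if (sandbox_on()) _exit(2); }
        _exit(0);
    }
    if (waitpid(pid, &st, 0) != pid) return -1;
    return WIFSIGNALED(st) ? WTERMSIG(st) : (WEXITSTATUS(st) ? -1 : 0);
}

int main(void) { return !(run_startup(1) == SIGSYS && run_startup(0) == 0); }
```

With the sandbox installed first the child dies with SIGSYS at the chroot attempt; with the sandbox installed last the same calls run and the filter never needs to permit them.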
