
Re: [Qemu-devel] RFC: How to make seccomp reliable and useful ?


From: Daniel P. Berrange
Subject: Re: [Qemu-devel] RFC: How to make seccomp reliable and useful ?
Date: Thu, 2 Mar 2017 09:35:26 +0000
User-agent: Mutt/1.7.1 (2016-10-04)

On Wed, Mar 01, 2017 at 11:38:56PM +0100, Eduardo Otubo wrote:
> On Thu, Feb 16, 2017 at 09:33:16AM +0000, Daniel P. Berrange wrote:
> > On Thu, Feb 16, 2017 at 12:36:51AM +0100, Eduardo Otubo wrote:
> > > On Wed, Feb 15, 2017 at 06:27:32PM +0000, Daniel P. Berrange wrote:
> 
> [...]
> 
> > > > 
> > > > There is a reasonably easily identifiable set of syscalls that QEMU should
> > > > never be permitted to use, no matter what configuration it is in, what helpers
> > > > it spawns, or what libraries it links to. eg reboot, swapon, swapoff, syslog,
> > > > mount, unmount, kexec_*, etc - any syscall that affects global system state,
> > > > rather than process local state should be forbidden.
> > > > 
> > > > There are some syscalls that are simply hardcoded to return ENOSYS which can
> > > > be trivially blacklisted. afs_syscall, break, fattach, ftime, etc (see the
> > > > man page 'unimplemented(2)').
> 
> I've been working on the blacklist, you can see here:
> https://github.com/otubo/qemu/commit/31e603180081474ff35c5897813cb635f8e9a786
> 
> I didn't send it as an RFC to the list because it's still ongoing work,
> but if you have any comments, please feel free.
> 
> > > > 
> > > > There are some syscalls which are considered obsolete - they were previously
> > > > useful, but no modern code would call them, as they have been superseded.
> > > > For example, readdir replaced by getdents. We could blacklist these by default
> > > > but provide a way to allow use of obsolete syscalls if running on older systems.
> > > > e.g. '-sandbox on,obsolete=allow'. They might be obsolete enough that we decide
> > > > to just block them permanently with no opt in - would need to analyse when
> > > > their replacements appeared in widespread use.
> 
> The obsolete part is also on my github (didn't send for the same
> reason):
> https://github.com/otubo/qemu/commit/54a57eb150ca3e5b67e9a81394c6cfa4ac82a6ff
> 
> Also, I can't find a solid list of obsolete system calls anywhere; can you
> elaborate a little more on how to determine this list?

Systemd has such a list in ./src/shared/seccomp-util.c
Look for the array containing SYSCALL_FILTER_SET_OBSOLETE


Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|
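The two-tier blacklist sketched in the quoted text, as an added example that is neither QEMU's code nor anything from this thread: a raw seccomp-BPF program in C that always kills the global-state syscalls and kills the obsolete set unless an obsolete_allow flag (the '-sandbox on,obsolete=allow' idea) is set, plus a userspace evaluator so the policy can be checked before it is loaded. The rule table, the rule struct, policy_decides and the SECCOMP_ARCH assumption are constructed for this example, and it needs the Linux uapi headers.

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/syscall.h>

#if defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
#define SECCOMP_ARCH AUDIT_ARCH_X86_64 /* assumed; add your ABI's AUDIT_ARCH_* value */
#endif
struct rule { int nr; int obsolete; }; /* constructed table: a subset of the thread's two sets */
static const struct rule rules[] = {
    { __NR_reboot, 0 }, { __NR_swapon, 0 }, { __NR_swapoff, 0 }, { __NR_syslog, 0 },
    { __NR_mount, 0 }, { __NR_umount2, 0 }, { __NR_kexec_load, 0 }, /* global system state */
    { __NR_nfsservctl, 1 }, /* obsolete: removed in Linux 3.1, still numbered in every ABI */
    { -1, 0 },              /* end of table */
};
#define STMT(code, k) (struct sock_filter)BPF_STMT(code, k)
#define JEQ(k, jt, jf) (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, k, jt, jf)

/* Build the blacklist: default ALLOW, listed syscalls KILL. Returns the insn count. */
int build_blacklist(struct sock_filter *p, int obsolete_allow) {
    int i = 0;
    p[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    p[i++] = JEQ(SECCOMP_ARCH, 1, 0); /* other ABI: numbers differ, so kill */
    p[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    p[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (int k = 0; rules[k].nr >= 0; k++) {
        if (rules[k].obsolete && obsolete_allow) continue; /* '-sandbox on,obsolete=allow' */
        p[i++] = JEQ((__u32)rules[k].nr, 0, 1); /* no match: jump over the kill */
        p[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    }
    p[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}

/* Userspace evaluator for the BPF subset emitted above: what would the policy do for
 * one (arch, nr) pair? Run it before prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...). */
__u32 policy_decides(int obsolete_allow, __u32 arch, __u32 nr) {
    struct sock_filter p[64];
    int n = build_blacklist(p, obsolete_allow);
    __u32 acc = 0;
    for (int pc = 0; pc < n; pc++) {
        if (p[pc].code == (BPF_LD | BPF_W | BPF_ABS)) acc = p[pc].k == offsetof(struct seccomp_data, nr) ? nr : arch;
        else if (p[pc].code == (BPF_JMP | BPF_JEQ | BPF_K)) pc += acc == p[pc].k ? p[pc].jt : p[pc].jf;
        else if (p[pc].code == (BPF_RET | BPF_K)) return p[pc].k;
    }
    return SECCOMP_RET_KILL; /* ran off the end: fail closed */
}
```

Loading the program for real also requires prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) first when the process is unprivileged, and the table here is deliberately short; systemd's seccomp-util.c sets are the fuller reference.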
