Re: [Qemu-devel] RFC: How to make seccomp reliable and useful ?
From: Daniel P. Berrange
Subject: Re: [Qemu-devel] RFC: How to make seccomp reliable and useful ?
Date: Thu, 2 Mar 2017 09:35:26 +0000
User-agent: Mutt/1.7.1 (2016-10-04)
On Wed, Mar 01, 2017 at 11:38:56PM +0100, Eduardo Otubo wrote:
> On Thu, Feb 16, 2017 at 09:33:16AM +0000, Daniel P. Berrange wrote:
> > On Thu, Feb 16, 2017 at 12:36:51AM +0100, Eduardo Otubo wrote:
> > > On Wed, Feb 15, 2017 at 06:27:32PM +0000, Daniel P. Berrange wrote:
>
> [...]
>
> > > >
> > > > There is a reasonably easily identifiable set of syscalls that QEMU should
> > > > never be permitted to use, no matter what configuration it is in, what helpers
> > > > it spawns, or what libraries it links to. eg reboot, swapon, swapoff, syslog,
> > > > mount, unmount, kexec_*, etc - any syscall that affects global system state,
> > > > rather than process local state should be forbidden.
> > > >
> > > > There are some syscalls that are simply hardcoded to return ENOSYS which can
> > > > be trivially blacklisted. afs_syscall, break, fattach, ftime, etc (see the
> > > > man page 'unimplemented(2)').
>
> I've been working on the blacklist, you can see here:
> https://github.com/otubo/qemu/commit/31e603180081474ff35c5897813cb635f8e9a786
>
> I didn't send it as an RFC to the list because it's still ongoing work,
> but if you have any comments, please feel free.
>
> > > >
> > > > There are some syscalls which are considered obsolete - they were previously
> > > > useful, but no modern code would call them, as they have been superseded.
> > > > For example, readdir replaced by getdents. We could blacklist these by default
> > > > but provide a way to allow use of obsolete syscalls if running on older systems.
> > > > e.g. '-sandbox on,obsolete=allow'. They might be obsolete enough that we decide
> > > > to just block them permanently with no opt in - would need to analyse when
> > > > their replacements appeared in widespread use.
>
> The obsolete part is also on my github (didn't send for the same
> reason):
> https://github.com/otubo/qemu/commit/54a57eb150ca3e5b67e9a81394c6cfa4ac82a6ff
>
> Also, I can't find a solid list of obsolete system calls anywhere; can you
> elaborate a little more on how to determine this list?
Systemd has such a list in ./src/shared/seccomp-util.c;
look for the array containing SYSCALL_FILTER_SET_OBSOLETE.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|