[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH 3/5] seccomp: add elevateprivileges argument to
From: |
Daniel P. Berrange |
Subject: |
Re: [Qemu-devel] [PATCH 3/5] seccomp: add elevateprivileges argument to command line |
Date: |
Tue, 14 Mar 2017 11:52:53 +0000 |
User-agent: |
Mutt/1.7.1 (2016-10-04) |
On Tue, Mar 14, 2017 at 12:47:10PM +0100, Paolo Bonzini wrote:
>
>
> On 14/03/2017 12:32, Eduardo Otubo wrote:
> > This patch introduces the new argument [,elevateprivileges=deny] to the
> > `-sandbox on'. It avoids Qemu process to elevate its privileges by
> > blacklisting all set*uid|gid system calls
> >
> > Signed-off-by: Eduardo Otubo <address@hidden>
> > ---
> > include/sysemu/seccomp.h | 1 +
> > qemu-options.hx | 8 ++++++--
> > qemu-seccomp.c | 28 ++++++++++++++++++++++++++++
> > vl.c | 11 +++++++++++
> > 4 files changed, 46 insertions(+), 2 deletions(-)
> >
> > diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h
> > index 7a7bde246b..e6e78d85ce 100644
> > --- a/include/sysemu/seccomp.h
> > +++ b/include/sysemu/seccomp.h
> > @@ -16,6 +16,7 @@
> > #define QEMU_SECCOMP_H
> >
> > #define OBSOLETE 0x0001
> > +#define PRIVILEGED 0x0010
> >
> > #include <seccomp.h>
> >
> > diff --git a/qemu-options.hx b/qemu-options.hx
> > index 1403d0c85f..47018db5aa 100644
> > --- a/qemu-options.hx
> > +++ b/qemu-options.hx
> > @@ -3732,8 +3732,10 @@ Old param mode (ARM only).
> > ETEXI
> >
> > DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \
> > - "-sandbox on[,obsolete=allow] Enable seccomp mode 2 system call
> > filter (default 'off').\n" \
> > - " obsolete: Allow obsolete system calls",
> > + "-sandbox on[,obsolete=allow][,elevateprivileges=deny]\n" \
> > + " Enable seccomp mode 2 system call
> > filter (default 'off').\n" \
> > + " obsolete: Allow obsolete system
> > calls\n" \
> > + " elevateprivileges: avoids Qemu process
> > to elevate its privileges by blacklisting all set*uid|gid system calls",
>
> Why allow these by default?
The goal is that '-sandbox on' should not break *any* QEMU feature. It
needs to be a safe thing that people can unconditionally turn on without
thinking about it. The QEMU bridge helper requires setuid privs, hence
elevated privileges needs to be permitted by default. Similarly I could
see the qemu ifup scripts, or migrate 'exec' command wanting to elevate
privs via setuid binaries if QEMU was running unprivileged.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|
- [Qemu-devel] [PATCH 0/5] seccomp: feature refactoring, Eduardo Otubo, 2017/03/14
- [Qemu-devel] [PATCH 2/5] seccomp: add obsolete argument to command line, Eduardo Otubo, 2017/03/14
- [Qemu-devel] [PATCH 5/5] seccomp: add resourcecontrol argument to command line, Eduardo Otubo, 2017/03/14
- [Qemu-devel] [PATCH 3/5] seccomp: add elevateprivileges argument to command line, Eduardo Otubo, 2017/03/14
- Re: [Qemu-devel] [PATCH 3/5] seccomp: add elevateprivileges argument to command line, Paolo Bonzini, 2017/03/14
- Re: [Qemu-devel] [PATCH 3/5] seccomp: add elevateprivileges argument to command line, Eduardo Otubo, 2017/03/14
- Re: [Qemu-devel] [PATCH 3/5] seccomp: add elevateprivileges argument to command line, Paolo Bonzini, 2017/03/14
- Re: [Qemu-devel] [PATCH 3/5] seccomp: add elevateprivileges argument to command line, Daniel P. Berrange, 2017/03/14
- Re: [Qemu-devel] [PATCH 3/5] seccomp: add elevateprivileges argument to command line, Paolo Bonzini, 2017/03/14
- Re: [Qemu-devel] [PATCH 3/5] seccomp: add elevateprivileges argument to command line, Daniel P. Berrange, 2017/03/14
[Qemu-devel] [PATCH 1/5] seccomp: changing from whitelist to blacklist, Eduardo Otubo, 2017/03/14
[Qemu-devel] [PATCH 4/5] seccomp: add spawn argument to command line, Eduardo Otubo, 2017/03/14