From: Daniel P. Berrange
Subject: Re: [Qemu-devel] [PATCH v3 6/6] seccomp: adding documentation to new seccomp model
Date: Wed, 2 Aug 2017 13:39:48 +0100
User-agent: Mutt/1.8.3 (2017-05-23)

On Fri, Jul 28, 2017 at 02:10:40PM +0200, Eduardo Otubo wrote:
> Adding new documentation under docs/ to describe each and every new
> option added by the seccomp refactoring patchset.
> 
> Signed-off-by: Eduardo Otubo <address@hidden>
> ---
>  docs/seccomp.txt | 31 +++++++++++++++++++++++++++++++
>  1 file changed, 31 insertions(+)
>  create mode 100644 docs/seccomp.txt
> 
> diff --git a/docs/seccomp.txt b/docs/seccomp.txt
> new file mode 100644
> index 0000000000..4b7edba312
> --- /dev/null
> +++ b/docs/seccomp.txt
> @@ -0,0 +1,31 @@
> +QEMU Seccomp system call filter
> +===============================
> +
> +Starting from Qemu version 2.10, the seccomp filter does not work as a
> +whitelist but as a blacklist instead. This method allows safer deploys since
> +only the strictly forbidden system calls will be black-listed and the
> +possibility of breaking any workload is close to zero.
> +
> +The default option (-sandbox on) has a slightly looser security though and 
> the
> +reason is that it shouldn't break any backwards compatibility with previous
> +deploys and command lines already running. But if the intent is to have a
> +better security from this version on, one should make use of the following
> +additional options properly:
> +
> +* [,obsolete=allow]: It allows Qemu to run safely on old system that still
> +  relies on old system calls.

We should support 'allow' and 'deny' for all of the options. This allows
the callers to be explicit about the state, if they don't wish to rely on
the QEMU defaults.

> +
> +* [,elevateprivileges=deny|allow|children]: It allows or denies Qemu process
> +  to elevate its privileges by blacklisting all set*uid|gid system calls. The
> +  'children' option sets the PR_SET_NO_NEW_PRIVS to 1 which allows helpers
> +  (forls and execs) to run unprivileged.
> +
> +* [,spawn=deny]: It blacklists fork and execve syste calls, avoiding Qemu to
> +  spawn new threads or processes.
> +
> +* [,resourcecontrol=deny]: It blacklists all process affinity and scheduler
> +  priority system calls to avoid any bigger of the process.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|