Re: [Qemu-devel] [PATCH v3 3/3] seccomp: set the seccomp filter to all t

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH v3 3/3] seccomp: set the seccomp filter to all t

From:	Daniel P . Berrangé
Subject:	Re: [Qemu-devel] [PATCH v3 3/3] seccomp: set the seccomp filter to all threads
Date:	Wed, 22 Aug 2018 17:53:12 +0100
User-agent:	Mutt/1.10.1 (2018-07-13)

On Wed, Aug 22, 2018 at 05:43:36PM +0100, Daniel P. Berrangé wrote:
> On Wed, Aug 22, 2018 at 06:19:16PM +0200, Marc-André Lureau wrote:
> > Hi
> > 
> > On Wed, Aug 22, 2018 at 6:07 PM, Eric Blake <address@hidden> wrote:
> > > On 08/22/2018 10:58 AM, Marc-André Lureau wrote:
> > >
> > >>> At this point you might as well not bother using seccomp at all. The
> > >>> thread that is confined merely needs to scribble something into the
> > >>> stack of the unconfined thread and now it can do whatever it wants.
> > >>
> > >>
> > >> Actually, that message is incorrect, it should rather be "not all
> > >> threads will be filtered" (as described in commit message).
> > >>
> > >>> IMHO we need to find a way to get the policy to apply to those other
> > >>> threads.
> > >>
> > >>
> > >> That's what the patch is about ;)
> > >
> > >
> > > In other words, this patch is patching the gaping security hole that 
> > > already
> > > exists, but...
> > >
> > >>>> +++ b/qemu-options.hx
> > >>>> @@ -3864,6 +3864,8 @@ Disable set*uid|gid system calls
> > >>>>   Disable *fork and execve
> > >>>>   @item address@hidden
> > >>>>   Disable process affinity and schedular priority
> > >>>> address@hidden address@hidden
> > >>>> +Apply seccomp filter to all threads (default is auto, and will warn if
> > >>>> fail)
> > >>>
> > >>>
> > >>> IMHO this should never exist, as setting "tsync" to anything other
> > >>> than "yes", is akin to just running without any sandbox.
> > >>
> > >>
> > >> Then we should just fail -sandbox on those systems.
> > >
> > >
> > > ...leaving the backdoor open.  Yes, we should instead fix things to hard
> > > fail when -sandbox cannot fully protect the process, rather than adding a
> > > tsync=off backdoor to permit execution in spite of the insecurity.
> > 
> > Ok, -sandbox will now require libseccomp 2.2.0 (not available in
> > Debian oldstable - so it will fail at configure time) and kernel >=
> > 3.17 (error during start). If that sounds ok, I'll update the series.
> 
> Hmm, that will cause seccomp to be unusable for RHEL-7, prior to
> the 7.5 kernel, which has complications wrt libvirt using -sandbox
> by default.

None the less, lets just do what you propose here.

Distros without kernel support should explicitly disable seccomp in QEMU
at build time, then libvirt will "do the right thing".

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Qemu-devel] [PATCH v3 3/3] seccomp: set the seccomp filter to all threads, (continued)
- Re: [Qemu-devel] [PATCH v3 0/3] seccomp fixes, Eduardo Otubo, 2018/08/22

Prev by Date: Re: [Qemu-devel] [PATCH v1 1/8] s390x/tcg: factor out and fix DATA exception injection
Next by Date: [Qemu-devel] [PATCH v4 1/4] seccomp: use SIGSYS signal instead of killing the thread
Previous by thread: Re: [Qemu-devel] [PATCH v3 3/3] seccomp: set the seccomp filter to all threads
Next by thread: Re: [Qemu-devel] [PATCH v3 0/3] seccomp fixes
Index(es):
- Date
- Thread