[libvirt] [PATCHv2 4/4] qemu: deny privilege elevation and spawn in seccomp

Daniel P. Berrangé berrange at redhat.com
Mon Apr 16 12:26:28 UTC 2018


On Tue, Apr 10, 2018 at 04:49:42PM +0200, Ján Tomko wrote:
> If QEMU uses a seccomp blacklist (since 2.11), -sandbox on
> no longer tries to whitelist all the calls, but uses sets
> of blacklists:
> default (always blacklisted with -sandbox on)
> obsolete (defaults to deny)
> elevateprivileges (setuid & co, default: allow)
> spawn (fork & execve, default: allow)
> resourcecontrol (setaffinity, setscheduler, default: allow)
> 
> If these are supported, default to sandbox with all four
> categories blacklisted.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1492597
> 
> Signed-off-by: Ján Tomko <jtomko at redhat.com>
> ---
>  src/qemu/qemu.conf                          |  7 +++---
>  src/qemu/qemu_command.c                     | 10 +++++++++
>  tests/qemuxml2argvdata/minimal-sandbox.args | 29 ++++++++++++++++++++++++
>  tests/qemuxml2argvdata/minimal-sandbox.xml  | 34 +++++++++++++++++++++++++++++
>  tests/qemuxml2argvtest.c                    | 11 ++++++++++
>  5 files changed, 88 insertions(+), 3 deletions(-)
>  create mode 100644 tests/qemuxml2argvdata/minimal-sandbox.args
>  create mode 100644 tests/qemuxml2argvdata/minimal-sandbox.xml
> 
> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> index 07eab7eff..740129cf5 100644
> --- a/src/qemu/qemu.conf
> +++ b/src/qemu/qemu.conf
> @@ -669,9 +669,10 @@
>  
>  
>  
> -# Use seccomp syscall whitelisting in QEMU.
> -# 1 = on, 0 = off, -1 = use QEMU default
> -# Defaults to -1.
> +# Use seccomp syscall sandbox in QEMU.
> +# 1 = on, 0 = off, -1 = use the default
> +# For QEMUs using a whitelist, the default (-1) is off.
> +# For QEMUs using a blacklist, the default (-1) is on.

I'd suggest rewriting this a bit:

 # 1 == seccomp enabled, 0 == seccomp disabled
 # 
 # If it is unset (or -1), then seccomp will be enabled
 # only if QEMU >= 2.11.0 is detected, otherwise it is
 # left disabled. This ensures the default config gets
 # protection for new QEMU using the blacklist approach.

>  #
>  #seccomp_sandbox = 1
>  
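Review bot: the rewritten comment in this hunk never says what "on" means when QEMU uses the blacklist, so an admin reading qemu.conf cannot tell that `seccomp_sandbox = 1` (or the -1 default on such a QEMU) enables a fixed set of denied categories (obsolete, elevateprivileges, spawn, resourcecontrol, as listed in the commit message) rather than the old whitelist. Suggest adding a sentence after `# For QEMUs using a blacklist, the default (-1) is on.` naming those categories and stating that they cannot be toggled individually from this file.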
> diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
> index ba279e640..fa5906d0b 100644
> --- a/src/qemu/qemu_command.c
> +++ b/src/qemu/qemu_command.c
> @@ -9987,6 +9987,16 @@ qemuBuildSeccompSandboxCommandLine(virCommandPtr cmd,
>          return 0;
>      }
>  
> +    /* Use blacklist by default if supported */
> +    if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SECCOMP_BLACKLIST)) {
> +        virCommandAddArgList(cmd, "-sandbox",
> +                             "on,obsolete=deny,elevateprivileges=deny,"
> +                             "spawn=deny,resourcecontrol=deny",
> +                             NULL);
> +        return 0;
> +    }
> +
> +    /* Seccomp whitelist is opt-in */
>      if (cfg->seccompSandbox > 0)
>          virCommandAddArgList(cmd, "-sandbox", "on", NULL);
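Review bot: the added `if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SECCOMP_BLACKLIST))` block emits the full deny list and returns without looking at `cfg->seccompSandbox`, so an explicit `seccomp_sandbox = 0` is honoured only if the `return 0;` in the context above this hunk already covers that value. Either spell that out in the `/* Use blacklist by default if supported */` comment or make it explicit with `cfg->seccompSandbox != 0` in the condition, so the disabled case is visible at the point where the sandbox is forced on.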

Reviewed-by: Daniel P. Berrangé <berrange at redhat.com>


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
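The discussion above is about what libvirt passes on the QEMU command line; whether the resulting process actually has a seccomp filter installed is something an administrator can check from the kernel's side. The following is an added example, not code from the libvirt patch or from either poster: it reads the `Seccomp:` field of a process's /proc/<pid>/status file (0 = disabled, 1 = strict, 2 = filter, which is what `-sandbox on` produces). The status file contents used for the self-check are constructed, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the libvirt patch): report the seccomp mode of a
# process from the "Seccomp:" line of its /proc/<pid>/status file.
#   0 = disabled, 1 = strict, 2 = filter (installed by QEMU -sandbox on)

# Read status-file text on stdin and print the mode number, or "unknown"
# when the line is absent (e.g. a kernel built without CONFIG_SECCOMP).
seccomp_mode_from_status() {
    awk '/^Seccomp:/ { print $2; found = 1 }
         END { if (!found) print "unknown" }'
}

# Map the mode number to a human-readable label.
seccomp_mode_label() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "strict" ;;
        2) echo "filter" ;;
        *) echo "unknown" ;;
    esac
}

# Check a live process by PID; usage: check_qemu_seccomp <pid>
check_qemu_seccomp() {
    mode=$(seccomp_mode_from_status < "/proc/$1/status")
    echo "pid $1: seccomp $(seccomp_mode_label "$mode") ($mode)"
}

# Constructed sample of what a libvirt-started QEMU shows with -sandbox on
# (a real status file carries many more fields; only Seccomp: matters here).
SAMPLE_STATUS='Name:	qemu-system-x86
State:	S (sleeping)
Seccomp:	2'

# Self-check on the constructed sample: prints "filter (2)".
sample_mode=$(printf '%s\n' "$SAMPLE_STATUS" | seccomp_mode_from_status)
echo "sample: seccomp $(seccomp_mode_label "$sample_mode") ($sample_mode)"
```

On a host running the patched libvirt with a blacklist-capable QEMU, `check_qemu_seccomp $(pidof qemu-system-x86_64)` should report `filter (2)`; a result of `disabled (0)` means the `-sandbox` argument did not take effect (or the configuration disabled it), and `unknown` means the kernel does not expose the field at all, so the sandbox cannot be active.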