[libvirt] [PATCHv2 4/4] qemu: deny privilege elevation and spawn in seccomp
Daniel P. Berrangé
berrange at redhat.com
Mon Apr 16 12:26:28 UTC 2018
On Tue, Apr 10, 2018 at 04:49:42PM +0200, Ján Tomko wrote:
> If QEMU uses a seccomp blacklist (since 2.11), -sandbox on
> no longer tries to whitelist all the calls, but uses sets
> of blacklists:
> default (always blacklisted with -sandbox on)
> obsolete (defaults to deny)
> elevateprivileges (setuid & co, default: allow)
> spawn (fork & execve, default: allow)
> resourcecontrol (setaffinity, setscheduler, default: allow)
>
> If these are supported, default to sandbox with all four
> categories blacklisted.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1492597
>
> Signed-off-by: Ján Tomko <jtomko at redhat.com>
> ---
> src/qemu/qemu.conf | 7 +++---
> src/qemu/qemu_command.c | 10 +++++++++
> tests/qemuxml2argvdata/minimal-sandbox.args | 29 ++++++++++++++++++++++++
> tests/qemuxml2argvdata/minimal-sandbox.xml | 34 +++++++++++++++++++++++++++++
> tests/qemuxml2argvtest.c | 11 ++++++++++
> 5 files changed, 88 insertions(+), 3 deletions(-)
> create mode 100644 tests/qemuxml2argvdata/minimal-sandbox.args
> create mode 100644 tests/qemuxml2argvdata/minimal-sandbox.xml
>
> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> index 07eab7eff..740129cf5 100644
> --- a/src/qemu/qemu.conf
> +++ b/src/qemu/qemu.conf
> @@ -669,9 +669,10 @@
>
>
>
> -# Use seccomp syscall whitelisting in QEMU.
> -# 1 = on, 0 = off, -1 = use QEMU default
> -# Defaults to -1.
> +# Use seccomp syscall sandbox in QEMU.
> +# 1 = on, 0 = off, -1 = use the default
> +# For QEMUs using a whitelist, the default (-1) is off.
> +# For QEMUs using a blacklist, the default (-1) is on.
I'd suggest rewriting this a bit:
# 1 == seccomp enabled, 0 == seccomp disabled
#
# If it is unset (or -1), then seccomp will be enabled
# only if QEMU >= 2.11.0 is detected, otherwise it is
# left disabled. This ensures the default config gets
# protection for new QEMU using the blacklist approach.
> #
> #seccomp_sandbox = 1
>
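Review bot: the new comment lines `# For QEMUs using a whitelist, the default (-1) is off.` / `# For QEMUs using a blacklist, the default (-1) is on.` never say what "on" means once the blacklist is used, yet the qemu_command.c hunk in this same patch passes `obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny` whenever the blacklist capability is present, and an admin reading only qemu.conf cannot learn that from `1 = on`. Suggest listing the four denied categories here and stating that `0` is the only value that disables the filter on such a QEMU; the commented example `#seccomp_sandbox = 1` then reads correctly as the effective default for new QEMU.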
> diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
> index ba279e640..fa5906d0b 100644
> --- a/src/qemu/qemu_command.c
> +++ b/src/qemu/qemu_command.c
> @@ -9987,6 +9987,16 @@ qemuBuildSeccompSandboxCommandLine(virCommandPtr cmd,
> return 0;
> }
>
> + /* Use blacklist by default if supported */
> + if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SECCOMP_BLACKLIST)) {
> + virCommandAddArgList(cmd, "-sandbox",
> + "on,obsolete=deny,elevateprivileges=deny,"
> + "spawn=deny,resourcecontrol=deny",
> + NULL);
> + return 0;
> + }
> +
> + /* Seccomp whitelist is opt-in */
> if (cfg->seccompSandbox > 0)
> virCommandAddArgList(cmd, "-sandbox", "on", NULL);
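Review bot: the new blacklist branch returns before the `if (cfg->seccompSandbox > 0)` test, so it is taken for both -1 and an explicit 1, while the comment `/* Use blacklist by default if supported */` reads as if it only covered the unset case. Suggest wording it along the lines of "blacklist-capable QEMU: always deny all four categories unless seccomp_sandbox is 0" (assuming the `return 0;` at the top of the hunk is the seccomp_sandbox = 0 path), so the next reader does not expect an explicit 1 to produce a plain `-sandbox on` on such a QEMU; the deny list itself matches the commit message and the new minimal-sandbox test data.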
Reviewed-by: Daniel P. Berrangé <berrange at redhat.com>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
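To check what a running guest actually ended up with, an operator can read the QEMU command line and decode the `-sandbox` option using the semantics the commit message above gives (bare `on`/`off`, then the four blacklist categories, with QEMU's defaults obsolete=deny, elevateprivileges=allow, spawn=allow, resourcecontrol=allow). The following Python script is an added example, not libvirt or QEMU code; the command lines it parses are constructed inputs, the function names are my own, and it takes the first `-sandbox` occurrence rather than modelling how QEMU merges repeated options.

```python
"""Audit the seccomp sandbox categories requested on a QEMU command line.

Added example (not libvirt or QEMU code). The category names and their
defaults come from the patch description: with "-sandbox on" QEMU >= 2.11
applies its "default" blacklist and, unless told otherwise, denies
"obsolete" while leaving "elevateprivileges", "spawn" and
"resourcecontrol" allowed. All sample inputs below are constructed.
"""
import shlex

# QEMU defaults for the four tunable blacklist categories under "-sandbox on".
CATEGORY_DEFAULTS = {
    "obsolete": "deny",
    "elevateprivileges": "allow",
    "spawn": "allow",
    "resourcecontrol": "allow",
}


def parse_sandbox_option(value):
    """Parse the string that follows -sandbox, e.g. "on,spawn=deny".

    Returns a dict with an "enable" bool plus one entry per category.
    A bare "on"/"off" is the implied enable= key, as in QEMU's option syntax.
    """
    settings = dict(CATEGORY_DEFAULTS)
    enabled = None
    for item in value.split(","):
        if not item:
            continue
        if "=" in item:
            key, _, val = item.partition("=")
        else:
            key, val = "enable", item
        if key == "enable":
            enabled = val == "on"
        elif key in settings:
            settings[key] = val
        else:
            raise ValueError("unknown -sandbox key: %s" % key)
    if enabled is None:
        raise ValueError("-sandbox option does not say on or off")
    settings["enable"] = enabled
    return settings


def argv_from_proc_cmdline(raw):
    """Split the NUL-separated bytes of /proc/<pid>/cmdline into an argv list."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def sandbox_from_argv(argv):
    """Return the parsed settings of the first -sandbox option, or None if absent."""
    for i, arg in enumerate(argv):
        if arg == "-sandbox" and i + 1 < len(argv):
            return parse_sandbox_option(argv[i + 1])
    return None


def is_fully_restricted(settings):
    """True only when the filter is on and all four categories are denied,
    i.e. the argument string this patch makes libvirt pass for blacklist QEMU."""
    if not settings or not settings["enable"]:
        return False
    return all(settings[c] == "deny" for c in CATEGORY_DEFAULTS)


def audit(cmdline):
    """Give a one-line verdict for a QEMU command line given as one string."""
    settings = sandbox_from_argv(shlex.split(cmdline))
    if settings is None:
        return "no -sandbox: seccomp filter not requested"
    if not settings["enable"]:
        return "-sandbox off: seccomp filter disabled"
    still_allowed = [c for c in CATEGORY_DEFAULTS if settings[c] != "deny"]
    if not still_allowed:
        return "sandbox on, all categories denied"
    return "sandbox on, still allowed: " + ", ".join(still_allowed)


if __name__ == "__main__":
    # Constructed command lines: what this patch generates versus a plain "on".
    for line in (
        "qemu-system-x86_64 -m 512 -sandbox "
        "on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny",
        "qemu-system-x86_64 -m 512 -sandbox on",
        "qemu-system-x86_64 -m 512 -sandbox off",
        "qemu-system-x86_64 -m 512",
    ):
        print(audit(line))
```

On a real host the same functions apply to `argv_from_proc_cmdline(open("/proc/<pid>/cmdline", "rb").read())` for each QEMU process; the categories reported as still allowed are the ones an older libvirt or an explicit `seccomp_sandbox = 1` on a whitelist-only QEMU would leave open.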