[libvirt] [RFC PATCH 0/2] qemu: deny privilege elevation and spawn in seccomp



QEMU changed the behavior of '-sandbox on' in 2.11 and it no longer
whitelists all the possible calls.

Override the meaning of seccomp_sandbox = 1 in qemu.conf
to block the privilege elevation set and spawn set on top of the
default.
Do the same by default even if no option is specified, hoping
that this should be enough for everybody (TM).

Sending as RFC to ask whether:
* this is a sensible default
* a coarse setting like this is enough
  or it makes sense to expose the individual sets in qemu.conf
  (in that case - can I reasonably promote an int setting to a list of strings?)

Ján Tomko (2):
  Introduce QEMU_CAPS_SECCOMP_BLACKLIST
  qemu: deny privilege elevation and spawn in seccomp

 src/qemu/qemu_capabilities.c                       |  2 ++
 src/qemu/qemu_capabilities.h                       |  1 +
 src/qemu/qemu_command.c                            | 10 +++++--
 tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml   |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml   |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml   |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml  |  1 +
 tests/qemuxml2argvdata/minimal-sandbox.args        | 25 ++++++++++++++++
 tests/qemuxml2argvdata/minimal-sandbox.xml         | 34 ++++++++++++++++++++++
 tests/qemuxml2argvtest.c                           |  3 ++
 11 files changed, 78 insertions(+), 2 deletions(-)
 create mode 100644 tests/qemuxml2argvdata/minimal-sandbox.args
 create mode 100644 tests/qemuxml2argvdata/minimal-sandbox.xml

-- 
2.13.6

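The cover letter describes the intended mapping from the seccomp_sandbox setting in qemu.conf to the QEMU command line, but the argument string itself is only visible in the test data the diffstat lists. The following is an added example, not code from this patch series or from libvirt, that models that mapping in POSIX shell and adds the check a practitioner usually wants afterwards: reading the Seccomp field of /proc/<pid>/status to confirm the guest's QEMU process really ended up in filter mode. The set names elevateprivileges and spawn are QEMU's own -sandbox sub-options (QEMU 2.11 and later); that libvirt emits exactly these two, and that an unset seccomp_sandbox (-1 here) behaves like 1 only when the blacklist capability is present, is this example's reading of the cover letter, not something the patch text states verbatim.

```shell
#!/bin/sh
# Added example; not part of the libvirt patch series or of QEMU.
#
# Models the -sandbox fragment libvirt would pass to QEMU given the
# seccomp_sandbox value from qemu.conf and whether QEMU supports the
# per-set (blacklist-style) -sandbox options introduced in QEMU 2.11.
# Assumptions: only elevateprivileges and spawn are denied, as the
# cover letter says, and "unset" (-1) is treated like 1 only on a QEMU
# that has the blacklist options (QEMU_CAPS_SECCOMP_BLACKLIST in the patch).

# sandbox_arg SECCOMP_SANDBOX HAS_BLACKLIST
#   SECCOMP_SANDBOX: -1 = not set in qemu.conf, 0 = off, 1 = on
#   HAS_BLACKLIST:   yes|no, whether QEMU accepts -sandbox on,<set>=deny
# Prints the argument string (empty when libvirt would add nothing).
sandbox_arg() {
    sandbox=$1
    has_blacklist=$2
    case "$sandbox" in
        0)
            printf '%s\n' '-sandbox off'
            ;;
        1|-1)
            if [ "$has_blacklist" = yes ]; then
                # New QEMU: default filter plus the two denied sets,
                # whether seccomp_sandbox is set to 1 or left unset.
                printf '%s\n' '-sandbox on,elevateprivileges=deny,spawn=deny'
            elif [ "$sandbox" = 1 ]; then
                # Old QEMU: only the whitelist-style filter exists.
                printf '%s\n' '-sandbox on'
            else
                # Unset on old QEMU: leave QEMU's own default alone.
                :
            fi
            ;;
        *)
            echo "invalid seccomp_sandbox value: $sandbox" >&2
            return 1
            ;;
    esac
}

# seccomp_mode_from_status: read the body of a /proc/<pid>/status file on
# stdin and print the Seccomp field: 0 = no seccomp, 1 = strict,
# 2 = filter (what -sandbox on should produce). Prints "unknown" when the
# kernel does not expose the field at all.
seccomp_mode_from_status() {
    mode=$(awk '/^Seccomp:/ { print $2 }')
    printf '%s\n' "${mode:-unknown}"
}

# qemu_seccomp_mode PID: the same check against a live QEMU process.
qemu_seccomp_mode() {
    seccomp_mode_from_status < "/proc/$1/status"
}

# Usage: sh seccomp-check.sh <seccomp_sandbox> <yes|no> [qemu-pid]
if [ $# -ge 2 ]; then
    echo "qemu args: $(sandbox_arg "$1" "$2")"
    if [ -n "$3" ]; then
        echo "Seccomp mode of pid $3: $(qemu_seccomp_mode "$3")"
    fi
fi
```

Run it with the values from qemu.conf and, once the domain is started, the PID of its qemu-system-* process: a mode of 2 confirms the filter was installed, while 0 means the -sandbox argument never took effect (for example because the QEMU binary was built without libseccomp). Note that the Seccomp field only reports that a filter is loaded, not which sets it denies; for that, the generated command line in the domain's log is the thing to inspect.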