We'll soon be introducing a second whitelist that prevents
execve() right before the main_loop() is entered. In preparation,
we need to gracefully disable use of exec'd scripts/binaries when
hotplugging network devices. For example, the following will not
be allowed:
netdev_add tap,id=tapdev0
netdev_add bridge
host_net_add tap
host_net_add bridge
v2: * Error messages moved to the backend function, net_init_tap(),
recommended by Paolo Bonzini
* Documentation added to QMP and HMP commands, and also to the Qemu
* options.
v3: * Prevent hotplug of network devices only when execve() would be
called by checking seccomp_get_state(). (pbonz...@redhat.com)
* Update enum seccomp_states with new states for 2 whitelists.
* Remove #ifdef preprocesser tests where possible
(pbonz...@redhat.com)
* Update network monitor and -sandbox command line documentation.
Signed-off-by: Eduardo Otubo <ot...@linux.vnet.ibm.com>
Signed-off-by: Corey Bryant <cor...@linux.vnet.ibm.com>
---
hmp-commands.hx | 12 ++++++------
net/tap.c | 13 +++++++++++++
qemu-options.hx | 11 +++++++++--
qemu-seccomp.h | 4 +++-
qmp-commands.hx | 3 ++-
5 files changed, 33 insertions(+), 10 deletions(-)
diff --git a/hmp-commands.hx b/hmp-commands.hx
index f916385..6530a21 100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@ -1103,15 +1103,15 @@ ETEXI
{
.name = "host_net_add",
.args_type = "device:s,opts:s?",
- .params = "tap|user|socket|vde|dump [options]",
- .help = "add host VLAN client",
+ .params = "tap|bridge|user|socket|vde|dump [options]",
+ .help = "add host VLAN client (options that exec programs are
disabled when -sandbox is in use)",
.mhandler.cmd = net_host_device_add,
},
STEXI
@item host_net_add
@findex host_net_add
-Add host VLAN client.
+Add host VLAN client (options that exec programs are disabled when -sandbox is
in use).
ETEXI
{
@@ -1131,15 +1131,15 @@ ETEXI
{
.name = "netdev_add",
.args_type = "netdev:O",
- .params = "[user|tap|socket],id=str[,prop=value][,...]",
- .help = "add host network device",
+ .params = "[user|tap|bridge|socket],id=str[,prop=value][,...]",
+ .help = "add host network device (options that exec programs are
disabled when -sandbox is in use)",
.mhandler.cmd = hmp_netdev_add,
},
STEXI
@item netdev_add
@findex netdev_add
-Add host network device.
+Add host network device (options that exec programs are disabled when -sandbox
is in use).
ETEXI
{
diff --git a/net/tap.c b/net/tap.c
index df89caa..b72a012 100644
--- a/net/tap.c
+++ b/net/tap.c
@@ -40,6 +40,7 @@
#include "qemu-char.h"
#include "qemu-common.h"
#include "qemu-error.h"
+#include "qemu-seccomp.h"
#include "net/tap-linux.h"
@@ -352,6 +353,12 @@ static int launch_script(const char *setup_script, const
char *ifname, int fd)
char *args[3];
char **parg;
+ if (seccomp_get_state() >= SECCOMP_MAIN_LOOP) {
+ error_report("Cannot execute network script from QEMU monitor "
+ "when -sandbox is in effect");
+ return -1;
+ }
+
/* try to launch network script */
pid = fork();
if (pid == 0) {
@@ -426,6 +433,12 @@ static int net_bridge_run_helper(const char *helper, const
char *bridge)
char **parg;
int sv[2];
+ if (seccomp_get_state() >= SECCOMP_MAIN_LOOP) {
+ error_report("Cannot execute network helper from QEMU monitor "
+ "when -sandbox is in effect");
+ return -1;
+ }
+
sigemptyset(&mask);
sigaddset(&mask, SIGCHLD);
sigprocmask(SIG_BLOCK, &mask, &oldmask);
diff --git a/qemu-options.hx b/qemu-options.hx
index fe8f15c..f7277a0 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -1584,6 +1584,8 @@ attach it to the bridge. The default network helper
executable is
@file{/usr/local/libexec/qemu-bridge-helper} and the default bridge
device is @file{br0}.
+Note that QEMU cannot execute a setuid program if -sandbox is in effect.
+
Examples:
@example
@@ -2798,8 +2800,13 @@ DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \
STEXI
@item -sandbox
@findex -sandbox
-Enable Seccomp mode 2 system call filter. 'on' will enable syscall filtering
and 'off' will
-disable it. The default is 'off'.
+Enable Seccomp mode 2 system call filter. 'on' will enable system call
filtering
+and 'off' will disable it. The default is 'on'.
+
+Note that when '-sandbox on' is in effect, execution of programs where
privilege
+granting operations occur during exec will be disabled. For example, QEMU will
+not be able to execute a setuid binary to change its uid or gid. Additionally,
+network monitor commands that cause programs to be executed will be disabled.
ETEXI
DEF("readconfig", HAS_ARG, QEMU_OPTION_readconfig,
diff --git a/qemu-seccomp.h b/qemu-seccomp.h
index fa26d70..686db09 100644
--- a/qemu-seccomp.h
+++ b/qemu-seccomp.h
@@ -21,7 +21,9 @@
enum seccomp_states {
SECCOMP_OFF,
- SECCOMP_ON
+ SECCOMP_ON,
+ SECCOMP_INIT,
+ SECCOMP_MAIN_LOOP
};
void seccomp_set_state(int);
diff --git a/qmp-commands.hx b/qmp-commands.hx
index 5c692d0..26252a4 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -757,7 +757,8 @@ Example:
Note: The supported device options are the same ones supported by the '-net'
command-line argument, which are listed in the '-help' output or QEMU's
- manual
+ manual. Note that options that exec programs are disabled when -sandbox
+ is in use.
EQMP
--
1.7.10.4
