[Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the seccomp sandbox

Namsun Ch'o Thu, 01 Oct 2015 04:50:41 -0700

The seccomp sandbox doesn't whitelist setuid, setgid, or setgroups, which are
needed for -runas to work. It also doesn't whitelist chroot, which is needed
for the -chroot option. Unfortunately, QEMU enables seccomp before it drops
privileges or chroots, so without these whitelisted, -runas and -chroot cause
QEMU to be killed with -sandbox on. This patch adds those syscalls.


Signed-off-by: Namsun Ch'o <namn...@safe-mail.net>
---
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index f9de0d3..5cb1809 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -237,7 +237,11 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] 
= {
     { SCMP_SYS(fadvise64), 240 },
     { SCMP_SYS(inotify_init1), 240 },
     { SCMP_SYS(inotify_add_watch), 240 },
-    { SCMP_SYS(mbind), 240 }
+    { SCMP_SYS(mbind), 240 },
+    { SCMP_SYS(setuid), 240 },
+    { SCMP_SYS(setgid), 240 },
+    { SCMP_SYS(chroot), 240 },
+    { SCMP_SYS(setgroups), 240 }
 };

 int seccomp_start(void)

[Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the seccomp sandbox

Reply via email to