On Thu, Oct 01, 2015 at 02:06:32PM +0200, Markus Armbruster wrote:
> "Namsun Ch'o" <namn...@safe-mail.net> writes:
>
> > The seccomp sandbox doesn't whitelist setuid, setgid, or setgroups, which are
> > needed for -runas to work. It also doesn't whitelist chroot, which is needed
> > for the -chroot option. Unfortunately, QEMU enables seccomp before it drops
> > privileges or chroots, so without these whitelisted, -runas and -chroot cause
> > QEMU to be killed with -sandbox on. This patch adds those syscalls.
>
> Should it enable seccomp a bit later?
Yeah, I think it would be better to move the seccomp enablement later. Adding setuid and chroot to the allow list is pretty strongly undesirable from a security protection POV.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|