On Fri, Oct 02, 2015 at 04:08:20PM +0200, Eduardo Otubo wrote: > On Fri, Oct 02, 2015 at 12=05=58PM +0200, Markus Armbruster wrote: > > "Daniel P. Berrange" <berra...@redhat.com> writes: > > > > > On Thu, Oct 01, 2015 at 02:06:32PM +0200, Markus Armbruster wrote: > > >> "Namsun Ch'o" <namn...@safe-mail.net> writes: > > >> > > >> > The seccomp sandbox doesn't whitelist setuid, setgid, or > > >> > setgroups, which are > > >> > needed for -runas to work. It also doesn't whitelist chroot, which is > > >> > needed > > >> > for the -chroot option. Unfortunately, QEMU enables seccomp before it > > >> > drops > > >> > privileges or chroots, so without these whitelisted, -runas and > > >> > -chroot cause > > >> > QEMU to be killed with -sandbox on. This patch adds those syscalls. > > >> > > >> Should it enable seccomp a bit later? > > > > > > Yeah, I think it would be better to move the seccomp enablement later. > > > > Let's do that then. > > Where exactly you guys think we could call seccomp enablement? Right > it's called (almost) right before cpu_exec_init_all(), on vl.c:4013. I > guess it is as later as it could.
It depends on what you consider seccomp to be protecting against. I think its primary goal is to protect against exploit after a guest OS breakout, in which case it does not need to be enabled until the guest CPUs start executing, which IIUC, means immediately before main_loop(). If we intend seccomp to protect against flaws during QEMU setup, then having it earlier is neccessary. eg QEMU opening a corrupt qcow2 image which might exploit QEMU before the guest CPUs start. If the latter is the case, then we could start with a relaxed seccomp sandbox which included the setuid/chroot features, and then switch to a more restricted one which blocked them before main_loop() runs. Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
