On Fri, Oct 02, 2015 at 12:05:58PM +0200, Markus Armbruster wrote:
> "Daniel P. Berrange" <berra...@redhat.com> writes:
>
> > On Thu, Oct 01, 2015 at 02:06:32PM +0200, Markus Armbruster wrote:
> >> "Namsun Ch'o" <namn...@safe-mail.net> writes:
> >>
> >> > The seccomp sandbox doesn't whitelist setuid, setgid, or setgroups, which are
> >> > needed for -runas to work. It also doesn't whitelist chroot, which is needed
> >> > for the -chroot option. Unfortunately, QEMU enables seccomp before it drops
> >> > privileges or chroots, so without these whitelisted, -runas and -chroot cause
> >> > QEMU to be killed with -sandbox on. This patch adds those syscalls.
> >>
> >> Should it enable seccomp a bit later?
> >
> > Yeah, I think it would be better to move the seccomp enablement later.
>
> Let's do that then.
Where exactly do you guys think we could call seccomp enablement? Right now it's called (almost) right before cpu_exec_init_all(), on vl.c:4013. I guess it is as late as it could be.

>
> > Adding setuid and chroot to the allow list is pretty strongly undesirable
> > from a security protection POV.
>
> Indeed.

--
Eduardo Otubo
ProfitBricks GmbH
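The ordering problem discussed in this thread (a kill-by-default seccomp filter installed before the -chroot/-runas privilege drop, so the drop itself becomes a forbidden syscall) can be reproduced outside QEMU. The C program below is an added example for this page, not QEMU's code: it does not use libseccomp but builds the same kind of allowlist with raw BPF, and runs the two orderings in forked children so the outcome of each is visible. The names install_filter, drop_privs, run_in_child, sandbox_then_drop and drop_then_sandbox are my own. chroot() and setgroups() need CAP_SYS_CHROOT/CAP_SETGID, so the program only issues them when it is running as root; otherwise it re-asserts its own uid/gid, which still makes the setgid/setuid syscalls the filter must either allow or be installed after.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not QEMU code. AUDIT_ARCH value the filter pins. */
#if defined(__x86_64__)
#  define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define ARCH_NR AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define ARCH_NR AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* One allowlist entry: if nr == __NR_<name> return ALLOW, else fall through. */
#define ALLOW_SYSCALL(name) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##name, 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

#define CHILD_ERROR (-1000)

/* Kill-by-default filter whose allowlist, like the one the thread describes,
 * contains none of chroot/setgroups/setgid/setuid. Returns 0, or -1 when the
 * kernel or container refuses seccomp filters. */
static int install_filter(void)
{
    struct sock_filter filter[] = {
        /* Refuse to run under a syscall ABI other than the one compiled for. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load the syscall number and walk the allowlist. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW_SYSCALL(exit_group),
        ALLOW_SYSCALL(exit),
        ALLOW_SYSCALL(rt_sigreturn),
        /* Everything else, the privilege-drop syscalls included, is fatal. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* Unprivileged installation requires no_new_privs. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* The -chroot/-runas sequence: chroot, then supplementary groups, gid, uid.
 * chroot()/setgroups() are only issued when privileged (they need
 * CAP_SYS_CHROOT/CAP_SETGID); an unprivileged run re-asserts its own ids. */
static int drop_privs(int privileged, const char *root, uid_t uid, gid_t gid)
{
    if (privileged) {
        if (chroot(root) == -1 || chdir("/") == -1)
            return -1;
        if (setgroups(0, NULL) == -1)
            return -1;
    }
    if (setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    /* After dropping to a non-root uid, regaining root must fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Wrong order (what the thread says QEMU did): filter first, then drop.
 * The first privilege-drop syscall is not allowlisted, so SIGSYS follows. */
static void sandbox_then_drop(void)
{
    int privileged = geteuid() == 0;          /* ids read before the filter */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (install_filter() == -1)
        _exit(3);
    if (drop_privs(privileged, "/", uid, gid) == -1)
        _exit(2);
    _exit(0);
}

/* Right order: finish the drop, then install the same filter. Nothing the
 * filter forbids is needed afterwards, so the child exits 0. */
static void drop_then_sandbox(void)
{
    int privileged = geteuid() == 0;
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (drop_privs(privileged, "/", uid, gid) == -1)
        _exit(2);
    if (install_filter() == -1)
        _exit(3);
    _exit(0);
}

/* Probe: can a filter be installed in this environment at all? */
static void sandbox_only(void)
{
    _exit(install_filter() == -1 ? 3 : 0);
}

/* Runs body() in a forked child: returns its exit status (>= 0), -signal if
 * it was killed, or CHILD_ERROR if fork/waitpid failed. */
static int run_in_child(void (*body)(void))
{
    int status;
    pid_t pid = fork();
    if (pid == -1)
        return CHILD_ERROR;
    if (pid == 0) {
        body();
        _exit(127);                            /* not reached */
    }
    if (waitpid(pid, &status, 0) == -1)
        return CHILD_ERROR;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return WIFSIGNALED(status) ? -WTERMSIG(status) : CHILD_ERROR;
}

static int seccomp_usable(void)
{
    return run_in_child(sandbox_only) == 0;
}

static void report(const char *label, int rc)
{
    if (rc >= 0)
        printf("%-20s exited with status %d\n", label, rc);
    else if (rc == CHILD_ERROR)
        printf("%-20s could not be run\n", label);
    else
        printf("%-20s killed by signal %d (%s)\n", label, -rc, strsignal(-rc));
}

int main(void)
{
    if (!seccomp_usable())
        fprintf(stderr, "seccomp filters cannot be installed here; expect status 3\n");
    report("filter, then drop:", run_in_child(sandbox_then_drop));
    report("drop, then filter:", run_in_child(drop_then_sandbox));
    return 0;
}
```

With filters available, the first child is killed by SIGSYS on the first drop syscall (chroot when root, setgid otherwise) and the second exits 0 under the identical allowlist, which is the point made in the thread: moving the enablement after the drop removes the need to allow setuid or chroot at all. Where the kernel or container refuses SECCOMP_MODE_FILTER, install_filter fails and both children exit 3 instead.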