On Thu, Oct 01, 2015 at 12:36:05AM -0400, Namsun Ch'o wrote: > The seccomp sandbox doesn't whitelist setuid, setgid, or setgroups, which are > needed for -runas to work. It also doesn't whitelist chroot, which is needed > for the -chroot option. Unfortunately, QEMU enables seccomp before it drops > privileges or chroots, so without these whitelisted, -runas and -chroot cause > QEMU to be killed with -sandbox on. This patch adds those syscalls. > > Signed-off-by: Namsun Ch'o <namn...@safe-mail.net> > --- > diff --git a/qemu-seccomp.c b/qemu-seccomp.c > index f9de0d3..5cb1809 100644 > --- a/qemu-seccomp.c > +++ b/qemu-seccomp.c > @@ -237,7 +237,11 @@ static const struct QemuSeccompSyscall > seccomp_whitelist[] = { > { SCMP_SYS(fadvise64), 240 }, > { SCMP_SYS(inotify_init1), 240 }, > { SCMP_SYS(inotify_add_watch), 240 }, > - { SCMP_SYS(mbind), 240 } > + { SCMP_SYS(mbind), 240 }, > + { SCMP_SYS(setuid), 240 }, > + { SCMP_SYS(setgid), 240 }, > + { SCMP_SYS(chroot), 240 }, > + { SCMP_SYS(setgroups), 240 } > }; > > int seccomp_start(void)
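Review bot: the four new entries (setuid, setgid, chroot, setgroups) are added to seccomp_whitelist[] unconditionally, so every run with -sandbox on permits them even when neither -runas nor -chroot was given; that widens the filter for the common case in order to fix what the commit message itself describes as an ordering problem (seccomp is enabled before the privilege drop and chroot). The tighter fix is to start the seccomp filter after the uid/gid change and chroot have already happened, so the sandboxed process never needs these syscalls at all, or failing that to append these entries only when -runas or -chroot is in effect. If the entries are kept as-is, a short comment beside them ("needed for -runas / -chroot, which run after seccomp_start()") would tell the next reader of seccomp_whitelist[] why a sandboxed QEMU is allowed to change its uid and root.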
Breaking a qemu use case is justification enough to whitelist more syscalls, but we can come up with a better solution for this (continue the thread) and tighten this up in the future. Thanks for your contribution.

Acked-by: Eduardo Otubo <eduardo.ot...@profitbricks.com>

PS: the threads are still being broken by your emails and it's a pain to track down all of them in order to read. Please fix it.

--
Eduardo Otubo
ProfitBricks GmbH