On Wed, Mar 01, 2017 at 11:38:56PM +0100, Eduardo Otubo wrote:
> On Thu, Feb 16, 2017 at 09:33:16AM +0000, Daniel P. Berrange wrote:
> > On Thu, Feb 16, 2017 at 12:36:51AM +0100, Eduardo Otubo wrote:
> > > On Wed, Feb 15, 2017 at 06:27:32PM +0000, Daniel P. Berrange wrote:
> > [...]
> > > >
> > > > There is a reasonably easily identifiable set of syscalls that QEMU should
> > > > never be permitted to use, no matter what configuration it is in, what helpers
> > > > it spawns, or what libraries it links to. eg reboot, swapon, swapoff, syslog,
> > > > mount, unmount, kexec_*, etc - any syscall that affects global system state,
> > > > rather than process local state should be forbidden.
> > > >
> > > > There are some syscalls that are simply hardcoded to return ENOSYS which can
> > > > be trivially blacklisted. afs_syscall, break, fattach, ftime, etc (see the
> > > > man page 'unimplemented(2)').
>
> I've been working on the blacklist, you can see here:
> https://github.com/otubo/qemu/commit/31e603180081474ff35c5897813cb635f8e9a786
>
> I didn't send as an RFC to the list because it's still an ongoing work,
> but if you have any comments, please feel free.
>
> > > >
> > > > There are some syscalls which are considered obsolete - they were previously
> > > > useful, but no modern code would call them, as they have been superseded.
> > > > For example, readdir replaced by getdents. We could blacklist these by default
> > > > but provide a way to allow use of obsolete syscalls if running on older systems.
> > > > e.g. '-sandbox on,obsolete=allow'. They might be obsolete enough that we decide
> > > > to just block them permanently with no opt in - would need to analyse when
> > > > their replacements appeared in widespread use.
>
> The obsolete part is also on my github (didn't send for the same reason):
> https://github.com/otubo/qemu/commit/54a57eb150ca3e5b67e9a81394c6cfa4ac82a6ff
>
> Also, can't find anywhere a solid list of obsolete system calls, can you
> elaborate a little more on how to determine this list?

Systemd has such a list in ./src/shared/seccomp-util.c

Look for the array containing SYSCALL_FILTER_SET_OBSOLETE

Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|
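The "global system state" blacklist discussed in the thread, as an added example that is not QEMU's code (QEMU's sandbox goes through libseccomp; this is a raw seccomp-bpf filter). The function names, the choice of EPERM as the deny action, the x86-64/aarch64 arch detection and the syscall subset are all my assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#ifdef __aarch64__
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#define ARCH_NR AUDIT_ARCH_X86_64 /* assumed; add other targets as needed */
#endif
#define STMT(code, k)         (struct sock_filter)BPF_STMT(code, k)
#define JUMP(code, k, jt, jf) (struct sock_filter)BPF_JUMP(code, k, jt, jf)

/* The "global system state" syscalls named in the thread (subset that exists
 * on both x86-64 and aarch64); a production blacklist would be longer. */
static const int blacklist[] = {
    SYS_reboot, SYS_swapon, SYS_swapoff, SYS_syslog,
    SYS_mount, SYS_umount2, SYS_kexec_load,
};
#define NBLOCK (sizeof(blacklist) / sizeof(blacklist[0]))

/* Install a seccomp-bpf filter that allows every syscall except the
 * blacklist, which fails with EPERM. Returns 0 on success, -1 on failure. */
int install_syscall_blacklist(void)
{
    struct sock_filter prog[NBLOCK + 6];
    size_t n = 0, i;
    /* Kill if the syscall ABI is not the one these numbers belong to. */
    prog[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[n++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    prog[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    /* A match jumps over the remaining comparisons and the ALLOW to the deny. */
    for (i = 0; i < NBLOCK; i++)
        prog[n++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, blacklist[i],
                         (unsigned char)(NBLOCK - i), 0);
    prog[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    prog[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    struct sock_fprog fprog = { .len = (unsigned short)n, .filter = prog };
    /* no_new_privs is mandatory for an unprivileged process to load a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Probe: the errno a blacklisted syscall yields once the filter is loaded. */
int probe_swapoff_errno(void)
{
    return syscall(SYS_swapoff, "/nonexistent-swap") == 0 ? 0 : errno;
}
```

The filter is inherited by children, so loading it before spawning helpers covers them as the thread asks; extending the same table with the unimplemented(2) and obsolete sets is a matter of adding numbers to `blacklist`.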