On 09/24/2018 11:49 AM, Ian Jackson wrote:
> George Dunlap writes ("[PATCH v2 6/6] RFC: tools/dm_restrict: Enable QEMU
> sandboxing"):
>> QEMU has a `sandbox` feature, wherein it will use seccomp2 to restrict
>> what system calls it is able to make.
> ...
>> + flexarray_append(dm_args,
>> "on,obsolete=deny,elevateprivileges=allow,spawn=deny,resourcecontrol=deny");
>
> Why `elevateprivileges=allow' ?
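Review bot: the option string passed to flexarray_append hard-codes elevateprivileges=allow with no comment explaining why that one ability stays allowed while obsolete, spawn and resourcecontrol are denied; a one-line comment next to the call (or a pointer to the design note that justifies it) would keep the relaxation from being silently retained after the reason for it goes away.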
From qemu-depriv.md:

`elevateprivileges` is currently required to allow `-runas` to work.
Removing this requirement would mean making sure that the uid change
happened before the seccomp2 call, perhaps by changing the uid before
executing QEMU. (But this would then require other changes to create the
QMP socket, VNC socket, and so on).

Should I C&P this into a comment here?

> In this syntax, what happens with unmentioned abilities ?

Good question -- the -help doesn't seem to say. Looking at the code
(qemu-seccomp.c:parse_sandbox(), for those who want to follow along at
home), it seems different options have different default values (which
are not mentioned) -- obsolete is default deny, but spawn,
elevateprivileges, and resourcecontrol are default allow.

-George

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
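To make the point about unmentioned abilities concrete, here is an added Python illustration (not QEMU's or libxl's code) that resolves a `-sandbox` option string to its effective policy using the defaults George describes; the default table is an assumption taken from this message rather than from qemu-seccomp.c, and the function names are my own.

```python
# Added illustration, not QEMU's code: resolve a -sandbox option string to
# the policy it actually yields once undocumented per-ability defaults apply.
# The DEFAULTS table below is an assumption taken from the thread
# (obsolete -> deny; spawn, elevateprivileges, resourcecontrol -> allow);
# re-check it against qemu-seccomp.c:parse_sandbox() before relying on it.
DEFAULTS = {
    "obsolete": "deny",
    "elevateprivileges": "allow",
    "spawn": "allow",
    "resourcecontrol": "allow",
}


def effective_policy(sandbox_arg):
    """Return (enabled, policy, implicit) for a -sandbox argument string.

    policy maps each ability to 'allow' or 'deny'; implicit lists abilities
    whose value came from the default rather than from the string itself.
    """
    fields = sandbox_arg.split(",")
    head, opts = fields[0], fields[1:]
    if head not in ("on", "off"):
        raise ValueError("first field must be 'on' or 'off': %r" % head)
    enabled = head == "on"
    policy = dict(DEFAULTS)
    explicit = set()
    for opt in opts:
        if "=" not in opt:
            raise ValueError("malformed option %r" % opt)
        key, value = opt.split("=", 1)
        if key not in DEFAULTS:
            raise ValueError("unknown ability %r" % key)
        if value not in ("allow", "deny"):
            raise ValueError("bad value %r for %s" % (value, key))
        policy[key] = value
        explicit.add(key)
    implicit = sorted(k for k in DEFAULTS if k not in explicit)
    return enabled, policy, implicit


def allowed_abilities(sandbox_arg):
    """Abilities the string leaves available to QEMU, for a quick review."""
    enabled, policy, _ = effective_policy(sandbox_arg)
    if not enabled:
        # Sandbox off: nothing is filtered, so every ability is available.
        return sorted(DEFAULTS)
    return sorted(k for k, v in policy.items() if v == "allow")
```

Run against the patch's full string it reports only `elevateprivileges` as allowed, whereas a bare `on` silently leaves spawn and resourcecontrol allowed as well.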