On Fri, Apr 13, 2018 at 10:08:34AM -0400, John Ferlan wrote:
On 04/10/2018 10:49 AM, Ján Tomko wrote:
If QEMU uses a seccomp blacklist (since 2.11), -sandbox on no longer tries to whitelist all the calls, but uses sets of blacklists: default (always blacklisted with -sandbox on) obsolete (defaults to deny) elevateprivileges (setuid & co, default: allow) spawn (fork & execve, default: allow) resourcecontrol (setaffinity, setscheduler, default: allow)
If these are supported, default to sandbox with all four categories blacklisted.
https://bugzilla.redhat.com/show_bug.cgi?id=1492597
Signed-off-by: Ján Tomko <jtomko@redhat.com> --- src/qemu/qemu.conf | 7 +++--- src/qemu/qemu_command.c | 10 +++++++++ tests/qemuxml2argvdata/minimal-sandbox.args | 29 ++++++++++++++++++++++++ tests/qemuxml2argvdata/minimal-sandbox.xml | 34 +++++++++++++++++++++++++++++ tests/qemuxml2argvtest.c | 11 ++++++++++ 5 files changed, 88 insertions(+), 3 deletions(-) create mode 100644 tests/qemuxml2argvdata/minimal-sandbox.args create mode 100644 tests/qemuxml2argvdata/minimal-sandbox.xml
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index 07eab7eff..740129cf5 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -669,9 +669,10 @@
-# Use seccomp syscall whitelisting in QEMU. -# 1 = on, 0 = off, -1 = use QEMU default -# Defaults to -1. +# Use seccomp syscall sandbox in QEMU. +# 1 = on, 0 = off, -1 = use the default +# For QEMUs using a whitelist, the default (-1) is off. +# For QEMUs using a blacklist, the default (-1) is on.
Not sure it's even possible to provide any sort of details, but suffice to say the description here is really lacking. One of those things that if you know and care, then you use, if you don't you ignore. Maybe it's just me being dense ;-).
Still if someone supplies 0 or 1 does that now mean the opposite of what it did before 2.11? That is if I had this set to 1 in my qemu.conf - does that mean that now I'm using a blacklist instead of a whitelist?
Yes, setting this to '1' just means "enable use of seccomp". We explicitly never defined what kind of seccomp rules would be enabled - only that something seccomp related is on. Whether its a blacklist or a whitelist is a low level impl detail that we don't expect users to care about.
As an Admin trying to decipher this - what would each setting mean to me and if going with the new -1 default, then that means libvirt is going to set "on" w/ a list of 4 to deny.
Essentially the default (-1) means "do the best thing". On old QEMU the best thing was to disable it because it was horribly unreliable with a whitelist. On modern QEMU the best thing is to enable it because the blacklist is much saner Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|