On Tue, Apr 10, 2018 at 04:49:42PM +0200, Ján Tomko wrote:
If QEMU uses a seccomp blacklist (since 2.11), -sandbox on
no longer tries to whitelist all the calls, but uses sets
of blacklists:
default (always blacklisted with -sandbox on)
obsolete (defaults to deny)
elevateprivileges (setuid & co, default: allow)
spawn (fork & execve, default: allow)
resourcecontrol (setaffinity, setscheduler, default: allow)
If these are supported, default to sandbox with all four
categories blacklisted.
https://bugzilla.redhat.com/show_bug.cgi?id=1492597
Signed-off-by: Ján Tomko <jtomko(a)redhat.com>
---
src/qemu/qemu.conf | 7 +++---
src/qemu/qemu_command.c | 10 +++++++++
tests/qemuxml2argvdata/minimal-sandbox.args | 29 ++++++++++++++++++++++++
tests/qemuxml2argvdata/minimal-sandbox.xml | 34 +++++++++++++++++++++++++++++
tests/qemuxml2argvtest.c | 11 ++++++++++
5 files changed, 88 insertions(+), 3 deletions(-)
create mode 100644 tests/qemuxml2argvdata/minimal-sandbox.args
create mode 100644 tests/qemuxml2argvdata/minimal-sandbox.xml
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 07eab7eff..740129cf5 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -669,9 +669,10 @@
-# Use seccomp syscall whitelisting in QEMU.
-# 1 = on, 0 = off, -1 = use QEMU default
-# Defaults to -1.
+# Use seccomp syscall sandbox in QEMU.
+# 1 = on, 0 = off, -1 = use the default
+# For QEMUs using a whitelist, the default (-1) is off.
+# For QEMUs using a blacklist, the default (-1) is on.
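Review bot: the new comment line `+# For QEMUs using a blacklist, the default (-1) is on.` states the outcome but not which QEMU versions it applies to, so an administrator reading qemu.conf cannot tell which default their binary gets without reading libvirt source; the commit message pins the blacklist behaviour to QEMU 2.11, so name that version in the comment. It would also help to say that -1 is what an unset key means, since the hunk documents only the three explicit values.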
I'd suggest rewriting this a bit:
# 1 == seccomp enabled, 0 == seccomp disabled
#
# If it is unset (or -1), then seccomp will be enabled
# only if QEMU >= 2.11.0 is detected, otherwise it is
# left disabled. This ensures the default config gets
# protection for new QEMU using the blacklist approach.
#
#seccomp_sandbox = 1
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index ba279e640..fa5906d0b 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -9987,6 +9987,16 @@ qemuBuildSeccompSandboxCommandLine(virCommandPtr cmd,
return 0;
}
+ /* Use blacklist by default if supported */
+ if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SECCOMP_BLACKLIST)) {
+ virCommandAddArgList(cmd, "-sandbox",
+ "on,obsolete=deny,elevateprivileges=deny,"
+ "spawn=deny,resourcecontrol=deny",
+ NULL);
+ return 0;
+ }
+
+ /* Seccomp whitelist is opt-in */
if (cfg->seccompSandbox > 0)
virCommandAddArgList(cmd, "-sandbox", "on", NULL);
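Review bot: the new `if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SECCOMP_BLACKLIST))` branch returns without consulting cfg->seccompSandbox, so an explicit `seccomp_sandbox = 0` is honoured only if the branch ending in the `return 0;` shown as leading context already handles the == 0 case; that context is not quoted here, so please confirm it does. The comment `/* Use blacklist by default if supported */` should also state that this branch covers both the unset (-1) and the explicit-on (1) settings, since the code path is not obvious next to the `cfg->seccompSandbox > 0` check that follows.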
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
Regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
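For anyone auditing which seccomp categories a running guest actually has denied, the following Python helper parses the `-sandbox` argument of a QEMU command line and reports the effective policy per category, using the category names and defaults from the patch description above (QEMU 2.11 and later, where `-sandbox on` alone denies only `obsolete`). This is an added example, not libvirt or QEMU code; the sample command lines are constructed, and the helper cannot tell a whitelist-era QEMU from a blacklist-era one, so it assumes the blacklist semantics throughout.

```python
"""Audit helper: which seccomp categories would a QEMU process have denied,
given its command line?  Added example, not libvirt or QEMU code.  Category
names and their defaults follow the patch description for QEMU >= 2.11;
the sample command lines below are constructed, not captured from a host."""
import shlex

# Disposition of each category when "-sandbox on" is given without an
# explicit setting, as the commit message describes (blacklist QEMU).
CATEGORY_DEFAULTS = {
    "obsolete": "deny",
    "elevateprivileges": "allow",
    "spawn": "allow",
    "resourcecontrol": "allow",
}


def parse_sandbox_arg(value):
    """Parse the string after '-sandbox' into (enabled, {category: disposition}).

    Accepts 'on', 'off', or 'on,obsolete=deny,spawn=deny,...'.  Unknown
    categories or dispositions raise ValueError so a typo in a config is
    reported rather than silently treated as 'allow'.
    """
    parts = value.split(",")
    state = parts[0]
    if state not in ("on", "off"):
        raise ValueError("unexpected -sandbox state: %r" % state)
    policy = dict(CATEGORY_DEFAULTS)
    for opt in parts[1:]:
        if "=" not in opt:
            raise ValueError("malformed -sandbox option: %r" % opt)
        name, disposition = opt.split("=", 1)
        if name not in policy:
            raise ValueError("unknown seccomp category: %r" % name)
        if disposition not in ("allow", "deny"):
            raise ValueError("bad disposition for %s: %r" % (name, disposition))
        policy[name] = disposition
    return state == "on", policy


def sandbox_policy(cmdline):
    """Effective policy for one QEMU command line string.

    Returns a dict with 'enabled' (bool) plus one key per category.  With no
    -sandbox argument, or '-sandbox off', no filter is installed at all, so
    every category is reported as 'allow'.  If -sandbox appears more than
    once the last occurrence wins, matching QEMU's usual option handling.
    """
    argv = shlex.split(cmdline)
    enabled, policy = False, {c: "allow" for c in CATEGORY_DEFAULTS}
    for i, arg in enumerate(argv):
        if arg == "-sandbox" and i + 1 < len(argv):
            enabled, policy = parse_sandbox_arg(argv[i + 1])
    if not enabled:
        policy = {c: "allow" for c in CATEGORY_DEFAULTS}
    return {"enabled": enabled, **policy}


def denied_categories(cmdline):
    """Sorted list of the categories this command line denies."""
    pol = sandbox_policy(cmdline)
    return sorted(c for c in CATEGORY_DEFAULTS if pol[c] == "deny")


# Constructed sample command lines covering the cases the patch distinguishes.
SAMPLES = {
    "no-sandbox": "qemu-system-x86_64 -name guest=a -m 1024",
    "bare-on": "qemu-system-x86_64 -name guest=b -sandbox on",
    "patch-default": ("qemu-system-x86_64 -name guest=c -sandbox "
                      "on,obsolete=deny,elevateprivileges=deny,"
                      "spawn=deny,resourcecontrol=deny"),
    "explicit-off": "qemu-system-x86_64 -name guest=d -sandbox off",
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        print("%-14s enabled=%s denied=%s" % (
            label, sandbox_policy(cmd)["enabled"], denied_categories(cmd)))
```

On a real host the command lines would come from `/proc/<pid>/cmdline` of each qemu process; the parser is the same, only the input source changes.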