[libvirt] libseccomp and KVM - Devel - Libvirt List Archives

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

December

[libvirt] libseccomp and KVM

[libvirt] [PATCH 0/3] Fix...

[libvirt] [PATCHv2] lxc: give RW...

Raymond Durand

Tuesday, 9 December 2014 Tue, 9 Dec '14

8:24 a.m.

How is libseccomp used/enabled/configured with KVM/QEMU Hypervisor? Does it need a system call profiling per VMs? Regards,

Attachments:

attachment.html (text/html — 404 bytes)

Reply

Show replies by date

Michal Privoznik

Tuesday, 9 December Tue, 9 Dec

10:32 a.m.

On 09.12.2014 15:24, Raymond Durand wrote:

How is libseccomp used/enabled/configured with KVM/QEMU Hypervisor?

You need to set seccomp_sandbox=1 in /etc/libvirt/qemu.conf and restart libvirtd. From now on, any qemu/kvm guest that libvirt starts will use seccomp or fail if qemu binary doesn't support it. Michal

Reply

Raymond Durand

Friday, 12 December Fri, 12 Dec

9:24 a.m.

Thanks. How are the rules managed so as to fit the VM system calls? Is tuning possible? recommended? Regards, 2014-12-09 17:32 GMT+01:00 Michal Privoznik <mprivozn(a)redhat.com>:

On 09.12.2014 15:24, Raymond Durand wrote: > How is libseccomp used/enabled/configured with KVM/QEMU Hypervisor? > You need to set seccomp_sandbox=1 in /etc/libvirt/qemu.conf and restart libvirtd. From now on, any qemu/kvm guest that libvirt starts will use seccomp or fail if qemu binary doesn't support it. Michal

Reply

Daniel P. Berrange

9:32 a.m.

On Fri, Dec 12, 2014 at 04:24:55PM +0100, Raymond Durand wrote:

Thanks. How are the rules managed so as to fit the VM system calls? Is tuning possible? recommended?

QEMU has a built-in policy that adds rules for every conceivable function that QEMU might need to execute. Given that is quite broad, the security benefit from seccomp enablement is quit low IMHO Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

Reply

Stefan Berger

10:06 a.m.

On 12/12/2014 10:32 AM, Daniel P. Berrange wrote:

On Fri, Dec 12, 2014 at 04:24:55PM +0100, Raymond Durand wrote: > Thanks. > > How are the rules managed so as to fit the VM system calls? > Is tuning possible? recommended? QEMU has a built-in policy that adds rules for every conceivable function that QEMU might need to execute. Given that is quite broad, the security benefit from seccomp enablement is quit low IMHO

Base code and (active) devices would each have to report what syscalls they need so this list could be reduced to the minimum ... Stefan

Regards, Daniel

Reply

Raymond Durand

11:13 a.m.

Thanks. 2014-12-12 17:06 GMT+01:00 Stefan Berger <stefanb(a)linux.vnet.ibm.com>:

On 12/12/2014 10:32 AM, Daniel P. Berrange wrote: > On Fri, Dec 12, 2014 at 04:24:55PM +0100, Raymond Durand wrote: > >> Thanks. >> >> How are the rules managed so as to fit the VM system calls? >> Is tuning possible? recommended? >> > QEMU has a built-in policy that adds rules for every conceivable > function that QEMU might need to execute. Given that is quite > broad, the security benefit from seccomp enablement is quit low > IMHO > Base code and (active) devices would each have to report what syscalls they need so this list could be reduced to the minimum ...

"Could be reduced": how? do you have in mind by selecting the appropriate active devices at the initialization time?

Stefan Regards, > Daniel > -- libvir-list mailing list libvir-list(a)redhat.com https://www.redhat.com/mailman/listinfo/libvir-list

Regards,

Reply

Stefan Berger

Sunday, 14 December Sun, 14 Dec

8:01 a.m.

On 12/12/2014 12:13 PM, Raymond Durand wrote:

Thanks. 2014-12-12 17:06 GMT+01:00 Stefan Berger <stefanb(a)linux.vnet.ibm.com <mailto:stefanb@linux.vnet.ibm.com>>: On 12/12/2014 10:32 AM, Daniel P. Berrange wrote: On Fri, Dec 12, 2014 at 04:24:55PM +0100, Raymond Durand wrote: Thanks. How are the rules managed so as to fit the VM system calls? Is tuning possible? recommended? QEMU has a built-in policy that adds rules for every conceivable function that QEMU might need to execute. Given that is quite broad, the security benefit from seccomp enablement is quit low IMHO Base code and (active) devices would each have to report what syscalls they need so this list could be reduced to the minimum ... "Could be reduced": how? do you have in mind by selecting the appropriate active devices at the initialization time?

The difficulty would be to determine which devices require which syscalls beyond what 'base' QEMU needs (= QEMU without devices). So one would have to use QEMU with one device after another and see which new syscalls are required due to a specific device (syscall auditing), then add the array of syscalls to a device's TypeInfo structure and collect them this way. If a device's code was to change, you'd have to do it again. So I think it would be a lot of work all the time. Stefan

Stefan Regards, Daniel -- libvir-list mailing list libvir-list(a)redhat.com <mailto:libvir-list@redhat.com> https://www.redhat.com/mailman/listinfo/libvir-list Regards,

Reply

Raymond Durand

Friday, 12 December Fri, 12 Dec

11:12 a.m.

Thanks. 2014-12-12 16:32 GMT+01:00 Daniel P. Berrange <berrange(a)redhat.com>:

On Fri, Dec 12, 2014 at 04:24:55PM +0100, Raymond Durand wrote: > Thanks. > > How are the rules managed so as to fit the VM system calls? > Is tuning possible? recommended? QEMU has a built-in policy that adds rules for every conceivable function that QEMU might need to execute. Given that is quite broad, the security benefit from seccomp enablement is quit low IMHO

I see. Is it something like each QEMU device enabled comes along with a system-calls list ie. rules allowed? Is this list of rules loaded at each time the QEMU/KVM starts?

Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

Regards,

Reply

Daniel P. Berrange

11:24 a.m.

On Fri, Dec 12, 2014 at 06:12:40PM +0100, Raymond Durand wrote:

Thanks. 2014-12-12 16:32 GMT+01:00 Daniel P. Berrange <berrange(a)redhat.com>: > > On Fri, Dec 12, 2014 at 04:24:55PM +0100, Raymond Durand wrote: > > Thanks. > > > > How are the rules managed so as to fit the VM system calls? > > Is tuning possible? recommended? > > QEMU has a built-in policy that adds rules for every conceivable > function that QEMU might need to execute. Given that is quite > broad, the security benefit from seccomp enablement is quit low > IMHO > > I see. Is it something like each QEMU device enabled comes along with a system-calls list ie. rules allowed? Is this list of rules loaded at each time the QEMU/KVM starts?

No, the list of rules was jsut figured out by trial & error, launching QEMU with more rules until it stopped crashing with all tested configs. No one has tried to figure out fine grained rules as it is an enourmous task Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

Reply

3632

days inactive

3637

days old

devel@lists.libvirt.org

Manage subscription

8 comments

4 participants

tags (0)

participants (4)

Daniel P. Berrange
Michal Privoznik
Raymond Durand
Stefan Berger