From nobody Sat May 18 23:55:17 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1489491329380447.63310552941016; Tue, 14 Mar 2017 04:35:29 -0700 (PDT) Received: from localhost ([::1]:57871 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cnkjd-0002GO-R5 for importer@patchew.org; Tue, 14 Mar 2017 07:35:25 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:52943) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cnkgZ-0000i4-8F for qemu-devel@nongnu.org; Tue, 14 Mar 2017 07:32:16 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cnkgW-00083U-Sr for qemu-devel@nongnu.org; Tue, 14 Mar 2017 07:32:15 -0400 Received: from mail-wm0-x22d.google.com ([2a00:1450:400c:c09::22d]:38079) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1cnkgW-00081S-JH for qemu-devel@nongnu.org; Tue, 14 Mar 2017 07:32:12 -0400 Received: by mail-wm0-x22d.google.com with SMTP id t189so61366180wmt.1 for ; Tue, 14 Mar 2017 04:32:12 -0700 (PDT) Received: from vader.pb.local ([62.217.45.26]) by smtp.gmail.com with ESMTPSA id n59sm28846267wrb.54.2017.03.14.04.32.10 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 14 Mar 2017 04:32:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=profitbricks-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=LNTLstzOcuf5Mtu9fm9iG6HzE5Ou8AgdhcqHzLvRep4=; 
b=hnIfrVhRt8LVNuMuiSRooBxAzA7x3cmL0LZZU9yqqIlTSfAKlT3HCBsAaZoO10YmVc BQF1nyszIwGhF4GISrlfOxsEtOhkIghMzRnnlHkt/bdag04bgD+zlsmrJHPgOk0h7rCv gz9bxsFN9YCiy1fkfskc3XkZulYHMC6DC1YRHktRn9oXEQX77G5ZXY65fCmtnlT3Dbf0 DPoBQG3IWdcL/Z3rjW70c2ZfYmfbRQ84svnoUe2jP12jiqVSyF7DJ//muBQyXD7Mz/3M zxm0zaVOoinRPFjdJSUwRpIrAVuiX1STqTcWfZ9f+AJJA0CC+awq+icCkr7pZgTHpMp9 PCCQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=LNTLstzOcuf5Mtu9fm9iG6HzE5Ou8AgdhcqHzLvRep4=; b=MwZ3c6oSVn5GZPcQuF4cssEBbXs4IO78a+0goU9BrNDYj4SbYhY6NjxaDXBOKlFT0o SXVtd5DKB90mNYIYLXGQ0GsK3YEVDCNDQwXZJ9RyByR5wSP0hTRkR4bkiW4Coap22Qci DBHtpvjcCrIJDbeAIYy+lpLp0NVy0BHVrW3W68Ilfbh6YC9ks5s1tidoVplAS24PEFvX NPU9qcm20Y91M/PFjhk1E8cTadsR6E6Y1zgPcQ7PNzXQ3xgU4UrVMxgP9vIl0j0zwCU0 wOfXzklzM5VAuuNoZAyx9xszS6+R0iOL9TI2B7wl2cNYPzrP9irlByPe9iA8DJejj2c7 6Ibw== X-Gm-Message-State: AFeK/H2SAab5EvZRWMEF9WgxeIGK+8QuGX9580a5TbvmkXWxlcBs6cjWBrvtSDmRiUSk+uF0 X-Received: by 10.28.133.203 with SMTP id h194mr13989549wmd.122.1489491131421; Tue, 14 Mar 2017 04:32:11 -0700 (PDT) 
From: Eduardo Otubo To: qemu-devel@nongnu.org Date: Tue, 14 Mar 2017 12:32:05 +0100 Message-Id: <20170314113209.12025-2-eduardo.otubo@profitbricks.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20170314113209.12025-1-eduardo.otubo@profitbricks.com> References: <20170314113209.12025-1-eduardo.otubo@profitbricks.com> X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2a00:1450:400c:c09::22d Subject: [Qemu-devel] [PATCH 1/5] seccomp: changing from whitelist to blacklist X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: thuth@redhat.com Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" This patch changes the default behavior of the seccomp filter from whitelist to blacklist. By default now all system calls are allowed and a small black list of definitely forbidden ones was created. Signed-off-by: Eduardo Otubo --- qemu-seccomp.c | 256 +++++++----------------------------------------------= ---- 1 file changed, 28 insertions(+), 228 deletions(-) diff --git a/qemu-seccomp.c b/qemu-seccomp.c index df75d9c471..f8877b07b5 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c 
@@ -31,229 +31,29 @@ struct QemuSeccompSyscall { uint8_t priority; }; =20 -static const struct QemuSeccompSyscall seccomp_whitelist[] =3D { - { SCMP_SYS(timer_settime), 255 }, - { SCMP_SYS(timer_gettime), 254 }, - { SCMP_SYS(futex), 253 }, - { SCMP_SYS(select), 252 }, - { SCMP_SYS(recvfrom), 251 }, - { SCMP_SYS(sendto), 250 }, - { SCMP_SYS(socketcall), 250 }, - { SCMP_SYS(read), 249 }, - { SCMP_SYS(io_submit), 249 }, - { SCMP_SYS(brk), 248 }, - { SCMP_SYS(clone), 247 }, - { SCMP_SYS(mmap), 247 }, - { SCMP_SYS(mprotect), 246 }, - { SCMP_SYS(execve), 245 }, - { SCMP_SYS(open), 245 }, - { SCMP_SYS(ioctl), 245 }, - { SCMP_SYS(socket), 245 }, - { SCMP_SYS(setsockopt), 245 }, - { SCMP_SYS(recvmsg), 245 }, - { SCMP_SYS(sendmsg), 245 }, - { SCMP_SYS(accept), 245 }, - { SCMP_SYS(connect), 245 }, - { SCMP_SYS(socketpair), 245 }, - { SCMP_SYS(bind), 245 }, - { SCMP_SYS(listen), 245 }, - { SCMP_SYS(semget), 245 }, - { SCMP_SYS(ipc), 245 }, - { SCMP_SYS(gettimeofday), 245 }, - { SCMP_SYS(readlink), 245 }, - { SCMP_SYS(access), 245 }, - { SCMP_SYS(prctl), 245 }, - { SCMP_SYS(signalfd), 245 }, - { SCMP_SYS(getrlimit), 245 }, - { SCMP_SYS(getrusage), 245 }, - { SCMP_SYS(set_tid_address), 245 }, - { SCMP_SYS(statfs), 245 }, - { SCMP_SYS(unlink), 245 }, - { SCMP_SYS(wait4), 245 }, - { SCMP_SYS(fcntl64), 245 }, - { SCMP_SYS(fstat64), 245 }, - { SCMP_SYS(stat64), 245 }, - { SCMP_SYS(getgid32), 245 }, - { SCMP_SYS(getegid32), 245 }, - { SCMP_SYS(getuid32), 245 }, - { SCMP_SYS(geteuid32), 245 }, - { SCMP_SYS(sigreturn), 245 }, - { SCMP_SYS(_newselect), 245 }, - { SCMP_SYS(_llseek), 245 }, - { SCMP_SYS(mmap2), 245 }, - { SCMP_SYS(sigprocmask), 245 }, - { SCMP_SYS(sched_getparam), 245 }, - { SCMP_SYS(sched_getscheduler), 245 }, - { SCMP_SYS(fstat), 245 }, - { SCMP_SYS(clock_getres), 245 }, - { SCMP_SYS(sched_get_priority_min), 245 }, - { SCMP_SYS(sched_get_priority_max), 245 }, - { SCMP_SYS(stat), 245 }, - { SCMP_SYS(uname), 245 }, - { SCMP_SYS(eventfd2), 245 }, - { 
SCMP_SYS(io_getevents), 245 }, - { SCMP_SYS(dup), 245 }, - { SCMP_SYS(dup2), 245 }, - { SCMP_SYS(dup3), 245 }, - { SCMP_SYS(gettid), 245 }, - { SCMP_SYS(getgid), 245 }, - { SCMP_SYS(getegid), 245 }, - { SCMP_SYS(getuid), 245 }, - { SCMP_SYS(geteuid), 245 }, - { SCMP_SYS(timer_create), 245 }, - { SCMP_SYS(times), 245 }, - { SCMP_SYS(exit), 245 }, - { SCMP_SYS(clock_gettime), 245 }, - { SCMP_SYS(time), 245 }, - { SCMP_SYS(restart_syscall), 245 }, - { SCMP_SYS(pwrite64), 245 }, - { SCMP_SYS(nanosleep), 245 }, - { SCMP_SYS(chown), 245 }, - { SCMP_SYS(openat), 245 }, - { SCMP_SYS(getdents), 245 }, - { SCMP_SYS(timer_delete), 245 }, - { SCMP_SYS(exit_group), 245 }, - { SCMP_SYS(rt_sigreturn), 245 }, - { SCMP_SYS(sync), 245 }, - { SCMP_SYS(pread64), 245 }, - { SCMP_SYS(madvise), 245 }, - { SCMP_SYS(set_robust_list), 245 }, - { SCMP_SYS(lseek), 245 }, - { SCMP_SYS(pselect6), 245 }, - { SCMP_SYS(fork), 245 }, - { SCMP_SYS(rt_sigprocmask), 245 }, - { SCMP_SYS(write), 244 }, - { SCMP_SYS(fcntl), 243 }, - { SCMP_SYS(tgkill), 242 }, - { SCMP_SYS(kill), 242 }, - { SCMP_SYS(rt_sigaction), 242 }, - { SCMP_SYS(pipe2), 242 }, - { SCMP_SYS(munmap), 242 }, - { SCMP_SYS(mremap), 242 }, - { SCMP_SYS(fdatasync), 242 }, - { SCMP_SYS(close), 242 }, - { SCMP_SYS(rt_sigpending), 242 }, - { SCMP_SYS(rt_sigtimedwait), 242 }, - { SCMP_SYS(readv), 242 }, - { SCMP_SYS(writev), 242 }, - { SCMP_SYS(preadv), 242 }, - { SCMP_SYS(pwritev), 242 }, - { SCMP_SYS(setrlimit), 242 }, - { SCMP_SYS(ftruncate), 242 }, - { SCMP_SYS(lstat), 242 }, - { SCMP_SYS(pipe), 242 }, - { SCMP_SYS(umask), 242 }, - { SCMP_SYS(chdir), 242 }, - { SCMP_SYS(setitimer), 242 }, - { SCMP_SYS(setsid), 242 }, - { SCMP_SYS(poll), 242 }, - { SCMP_SYS(epoll_create), 242 }, - { SCMP_SYS(epoll_ctl), 242 }, - { SCMP_SYS(epoll_wait), 242 }, - { SCMP_SYS(waitpid), 242 }, - { SCMP_SYS(getsockname), 242 }, - { SCMP_SYS(getpeername), 242 }, - { SCMP_SYS(accept4), 242 }, - { SCMP_SYS(timerfd_settime), 242 }, - { SCMP_SYS(newfstatat), 241 }, - { 
SCMP_SYS(shutdown), 241 }, - { SCMP_SYS(getsockopt), 241 }, - { SCMP_SYS(semop), 241 }, - { SCMP_SYS(semtimedop), 241 }, - { SCMP_SYS(epoll_ctl_old), 241 }, - { SCMP_SYS(epoll_wait_old), 241 }, - { SCMP_SYS(epoll_pwait), 241 }, - { SCMP_SYS(epoll_create1), 241 }, - { SCMP_SYS(ppoll), 241 }, - { SCMP_SYS(creat), 241 }, - { SCMP_SYS(link), 241 }, - { SCMP_SYS(getpid), 241 }, - { SCMP_SYS(getppid), 241 }, - { SCMP_SYS(getpgrp), 241 }, - { SCMP_SYS(getpgid), 241 }, - { SCMP_SYS(getsid), 241 }, - { SCMP_SYS(getdents64), 241 }, - { SCMP_SYS(getresuid), 241 }, - { SCMP_SYS(getresgid), 241 }, - { SCMP_SYS(getgroups), 241 }, - { SCMP_SYS(getresuid32), 241 }, - { SCMP_SYS(getresgid32), 241 }, - { SCMP_SYS(getgroups32), 241 }, - { SCMP_SYS(signal), 241 }, - { SCMP_SYS(sigaction), 241 }, - { SCMP_SYS(sigsuspend), 241 }, - { SCMP_SYS(sigpending), 241 }, - { SCMP_SYS(truncate64), 241 }, - { SCMP_SYS(ftruncate64), 241 }, - { SCMP_SYS(fchown32), 241 }, - { SCMP_SYS(chown32), 241 }, - { SCMP_SYS(lchown32), 241 }, - { SCMP_SYS(statfs64), 241 }, - { SCMP_SYS(fstatfs64), 241 }, - { SCMP_SYS(fstatat64), 241 }, - { SCMP_SYS(lstat64), 241 }, - { SCMP_SYS(sendfile64), 241 }, - { SCMP_SYS(ugetrlimit), 241 }, - { SCMP_SYS(alarm), 241 }, - { SCMP_SYS(rt_sigsuspend), 241 }, - { SCMP_SYS(rt_sigqueueinfo), 241 }, - { SCMP_SYS(rt_tgsigqueueinfo), 241 }, - { SCMP_SYS(sigaltstack), 241 }, - { SCMP_SYS(signalfd4), 241 }, - { SCMP_SYS(truncate), 241 }, - { SCMP_SYS(fchown), 241 }, - { SCMP_SYS(lchown), 241 }, - { SCMP_SYS(fchownat), 241 }, - { SCMP_SYS(fstatfs), 241 }, - { SCMP_SYS(getitimer), 241 }, - { SCMP_SYS(syncfs), 241 }, - { SCMP_SYS(fsync), 241 }, - { SCMP_SYS(fchdir), 241 }, - { SCMP_SYS(msync), 241 }, - { SCMP_SYS(sched_setparam), 241 }, - { SCMP_SYS(sched_setscheduler), 241 }, - { SCMP_SYS(sched_yield), 241 }, - { SCMP_SYS(sched_rr_get_interval), 241 }, - { SCMP_SYS(sched_setaffinity), 241 }, - { SCMP_SYS(sched_getaffinity), 241 }, - { SCMP_SYS(readahead), 241 }, - { 
SCMP_SYS(timer_getoverrun), 241 }, - { SCMP_SYS(unlinkat), 241 }, - { SCMP_SYS(readlinkat), 241 }, - { SCMP_SYS(faccessat), 241 }, - { SCMP_SYS(get_robust_list), 241 }, - { SCMP_SYS(splice), 241 }, - { SCMP_SYS(vmsplice), 241 }, - { SCMP_SYS(getcpu), 241 }, - { SCMP_SYS(sendmmsg), 241 }, - { SCMP_SYS(recvmmsg), 241 }, - { SCMP_SYS(prlimit64), 241 }, - { SCMP_SYS(waitid), 241 }, - { SCMP_SYS(io_cancel), 241 }, - { SCMP_SYS(io_setup), 241 }, - { SCMP_SYS(io_destroy), 241 }, - { SCMP_SYS(arch_prctl), 240 }, - { SCMP_SYS(mkdir), 240 }, - { SCMP_SYS(fchmod), 240 }, - { SCMP_SYS(shmget), 240 }, - { SCMP_SYS(shmat), 240 }, - { SCMP_SYS(shmdt), 240 }, - { SCMP_SYS(timerfd_create), 240 }, - { SCMP_SYS(shmctl), 240 }, - { SCMP_SYS(mlockall), 240 }, - { SCMP_SYS(mlock), 240 }, - { SCMP_SYS(munlock), 240 }, - { SCMP_SYS(semctl), 240 }, - { SCMP_SYS(fallocate), 240 }, - { SCMP_SYS(fadvise64), 240 }, - { SCMP_SYS(inotify_init1), 240 }, - { SCMP_SYS(inotify_add_watch), 240 }, - { SCMP_SYS(mbind), 240 }, - { SCMP_SYS(memfd_create), 240 }, -#ifdef HAVE_CACHEFLUSH - { SCMP_SYS(cacheflush), 240 }, -#endif - { SCMP_SYS(sysinfo), 240 }, +static const struct QemuSeccompSyscall blacklist[] =3D { + { SCMP_SYS(reboot), 255 }, + { SCMP_SYS(swapon), 255 }, + { SCMP_SYS(swapoff), 255 }, + { SCMP_SYS(syslog), 255 }, + { SCMP_SYS(mount), 255 }, + { SCMP_SYS(umount), 255 }, + { SCMP_SYS(kexec_load), 255 }, + { SCMP_SYS(afs_syscall), 255 }, + { SCMP_SYS(break), 255 }, + { SCMP_SYS(ftime), 255 }, + { SCMP_SYS(getpmsg), 255 }, + { SCMP_SYS(gtty), 255 }, + { SCMP_SYS(lock), 255 }, + { SCMP_SYS(mpx), 255 }, + { SCMP_SYS(prof), 255 }, + { SCMP_SYS(profil), 255 }, + { SCMP_SYS(putpmsg), 255 }, + { SCMP_SYS(security), 255 }, + { SCMP_SYS(stty), 255 }, + { SCMP_SYS(tuxcall), 255 }, + { SCMP_SYS(ulimit), 255 }, + { SCMP_SYS(vserver), 255 }, }; =20 int seccomp_start(void) 
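Review bot: every entry in the new `blacklist[]` carries the same priority (255), so the `seccomp_syscall_priority()` calls that `seccomp_start` keeps no longer order anything; either drop the priority field from the table or give it meaningful values. More important for a deny-list, `umount` is listed but `umount2` is not, and `kexec_load` is listed without `kexec_file_load`, so the newer variants of those calls remain allowed under the `SCMP_ACT_ALLOW` default; each denied call needs its sibling numbers covered as well. Most of the remaining names (`afs_syscall`, `break`, `ftime`, `getpmsg`, `gtty`, `lock`, `mpx`, `prof`, `profil`, `putpmsg`, `security`, `stty`, `tuxcall`, `ulimit`, `vserver`) are unimplemented slots that already return ENOSYS, so denying them adds nothing; the table would read better restricted to calls that do something on a running kernel, with a comment per entry saying why it is denied.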
@@ -262,19 +62,19 @@ int seccomp_start(void) unsigned int i =3D 0; scmp_filter_ctx ctx; =20 - ctx =3D seccomp_init(SCMP_ACT_KILL); + ctx =3D seccomp_init(SCMP_ACT_ALLOW); if (ctx =3D=3D NULL) { rc =3D -1; goto seccomp_return; } =20 - for (i =3D 0; i < ARRAY_SIZE(seccomp_whitelist); i++) { - rc =3D seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_whitelist[i].= num, 0); + for (i =3D 0; i < ARRAY_SIZE(blacklist); i++) { + rc =3D seccomp_rule_add(ctx, SCMP_ACT_KILL, blacklist[i].num, 0); if (rc < 0) { goto seccomp_return; } - rc =3D seccomp_syscall_priority(ctx, seccomp_whitelist[i].num, - seccomp_whitelist[i].priority); + rc =3D seccomp_syscall_priority(ctx, blacklist[i].num, + blacklist[i].priority); if (rc < 0) { goto seccomp_return; } --=20 2.11.0 From nobody Sat May 18 23:55:17 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1489491202586119.89146414686127; Tue, 14 Mar 2017 04:33:22 -0700 (PDT) Received: from localhost ([::1]:57864 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cnkhb-0000iw-Ba for importer@patchew.org; Tue, 14 Mar 2017 07:33:19 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:52941) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cnkgZ-0000i3-8C for qemu-devel@nongnu.org; Tue, 14 Mar 2017 07:32:16 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cnkgX-00084A-QM for qemu-devel@nongnu.org; Tue, 14 Mar 2017 07:32:15 -0400 Received: from mail-wm0-x232.google.com 
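Review bot: switching `seccomp_init()` from `SCMP_ACT_KILL` to `SCMP_ACT_ALLOW` turns the filter from fail-closed into fail-open: any syscall absent from `blacklist[]`, including ones added to future kernels, is now permitted, and the commit message ("a small black list of definitely forbidden ones") does not say why that trade-off is acceptable for QEMU. Please state the rationale in the message and in a comment above `blacklist[]`, so the next person does not read the short list as an oversight. The loop also still calls `seccomp_syscall_priority()` after each `SCMP_ACT_KILL` rule; with identical priorities that call is dead weight and can go.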

From: Eduardo Otubo To: qemu-devel@nongnu.org Date: Tue, 14 Mar 2017 12:32:06 +0100 Message-Id: <20170314113209.12025-3-eduardo.otubo@profitbricks.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20170314113209.12025-1-eduardo.otubo@profitbricks.com> References: <20170314113209.12025-1-eduardo.otubo@profitbricks.com> X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2a00:1450:400c:c09::232 Subject: [Qemu-devel] [PATCH 2/5] seccomp: add obsolete argument to command line X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: thuth@redhat.com Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" This patch introduces the argument [,obsolete=3Dallow] to the `-sandbox on' option. It allows Qemu to run safely on old system that still relies on old system calls. Signed-off-by: Eduardo Otubo --- include/sysemu/seccomp.h | 4 +++- qemu-options.hx | 9 +++++++-- qemu-seccomp.c | 47 ++++++++++++++++++++++++++++++++++++++++++++= ++- vl.c | 16 +++++++++++++++- 4 files changed, 71 insertions(+), 5 deletions(-) diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h index cfc06008cb..7a7bde246b 100644 --- a/include/sysemu/seccomp.h +++ b/include/sysemu/seccomp.h @@ -15,7 +15,9 @@ #ifndef QEMU_SECCOMP_H #define QEMU_SECCOMP_H =20 +#define OBSOLETE 0x0001 + #include =20 -int seccomp_start(void); +int seccomp_start(uint8_t seccomp_opts); #endif diff --git a/qemu-options.hx b/qemu-options.hx index 8dd8ee34a6..1403d0c85f 100644 --- a/qemu-options.hx +++ b/qemu-options.hx 
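Review bot: `OBSOLETE` is far too generic a name for a macro in a public header (`include/sysemu/seccomp.h`); it will collide with any other `OBSOLETE` define and tells the reader nothing at the call site in vl.c. Prefix it (for example `QEMU_SECCOMP_SET_OBSOLETE`) and add a short comment that these are bit flags for the `seccomp_opts` argument of `seccomp_start()`. The argument type also deserves a second look: `uint8_t` leaves room for only eight flags, and the `0x0001` spacing chosen here uses a whole nibble per flag, so `unsigned int` (or a typedef) would be the safer choice before more options are added.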
@@ -3732,13 +3732,18 @@ Old param mode (ARM only). ETEXI =20 DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ - "-sandbox Enable seccomp mode 2 system call filter (default 'of= f').\n", + "-sandbox on[,obsolete=3Dallow] Enable seccomp mode 2 system call fil= ter (default 'off').\n" \ + " obsolete: Allow obsolete system calls", QEMU_ARCH_ALL) STEXI -@item -sandbox @var{arg} +@item -sandbox @var{arg}[,obsolete=3D@var{string}] @findex -sandbox Enable Seccomp mode 2 system call filter. 'on' will enable syscall filteri= ng and 'off' will disable it. The default is 'off'. +@table @option +@item obsolete=3D@var{string} +Enable Obsolete system calls +@end table ETEXI =20 DEF("readconfig", HAS_ARG, QEMU_OPTION_readconfig, diff --git a/qemu-seccomp.c b/qemu-seccomp.c index f8877b07b5..5ef36890da 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -31,6 +31,35 @@ struct QemuSeccompSyscall { uint8_t priority; }; =20 +static const struct QemuSeccompSyscall obsolete[] =3D { + { SCMP_SYS(readdir), 255 }, + { SCMP_SYS(_sysctl), 255 }, + { SCMP_SYS(afs_syscall), 255 }, + { SCMP_SYS(bdflush), 255 }, + { SCMP_SYS(break), 255 }, + { SCMP_SYS(create_module), 255 }, + { SCMP_SYS(ftime), 255 }, + { SCMP_SYS(get_kernel_syms), 255 }, + { SCMP_SYS(getpmsg), 255 }, + { SCMP_SYS(gtty), 255 }, + { SCMP_SYS(lock), 255 }, + { SCMP_SYS(mpx), 255 }, + { SCMP_SYS(prof), 255 }, + { SCMP_SYS(profil), 255 }, + { SCMP_SYS(putpmsg), 255 }, + { SCMP_SYS(query_module), 255 }, + { SCMP_SYS(security), 255 }, + { SCMP_SYS(sgetmask), 255 }, + { SCMP_SYS(ssetmask), 255 }, + { SCMP_SYS(stty), 255 }, + { SCMP_SYS(sysfs), 255 }, + { SCMP_SYS(tuxcall), 255 }, + { SCMP_SYS(ulimit), 255 }, + { SCMP_SYS(uselib), 255 }, + { SCMP_SYS(ustat), 255 }, + { SCMP_SYS(vserver), 255 }, +}; + static const struct QemuSeccompSyscall blacklist[] =3D { { SCMP_SYS(reboot), 255 }, { SCMP_SYS(swapon), 255 }, 
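Review bot: the help text in the `qemu-options.hx` hunk documents the parameter as `obsolete=@var{string}`, but the only value the vl.c parser accepts is `allow`; say so explicitly (`obsolete=allow`) and state the default (the calls stay denied) so a user can tell what `-sandbox on` alone does. In the `obsolete[]` hunk, 15 of the table's 26 names already appear in `blacklist[]`, and the other 11 (`readdir`, `_sysctl`, `bdflush`, `create_module`, `get_kernel_syms`, `query_module`, `sgetmask`, `ssetmask`, `sysfs`, `uselib`, `ustat`) are not in `blacklist[]` at all, so `is_obsolete()` can never act on them; two overlapping tables kept in sync by hand will drift. One table with a per-entry flags field (for example `{ SCMP_SYS(ftime), 255, QEMU_SECCOMP_SET_OBSOLETE }`) and a single loop that skips entries whose flag is set in `seccomp_opts` removes the duplication.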
@@ -56,7 +85,20 @@ static const struct QemuSeccompSyscall blacklist[] =3D { { SCMP_SYS(vserver), 255 }, }; =20 -int seccomp_start(void) +static int is_obsolete(int syscall) +{ + unsigned int i =3D 0; + + for (i =3D 0; i < ARRAY_SIZE(obsolete); i++) { + if (syscall =3D=3D obsolete[i].num) { + return 1; + } + } + + return 0; +} + +int seccomp_start(uint8_t seccomp_opts) { int rc =3D 0; unsigned int i =3D 0; @@ -69,6 +111,9 @@ int seccomp_start(void) } =20 for (i =3D 0; i < ARRAY_SIZE(blacklist); i++) { + if ((seccomp_opts & OBSOLETE) && is_obsolete(blacklist[i].num)) { + continue; + } rc =3D seccomp_rule_add(ctx, SCMP_ACT_KILL, blacklist[i].num, 0); if (rc < 0) { goto seccomp_return; diff --git a/vl.c b/vl.c index 1a95500ac7..7b08b3383b 100644 --- a/vl.c +++ b/vl.c @@ -269,6 +269,10 @@ static QemuOptsList qemu_sandbox_opts =3D { .name =3D "enable", .type =3D QEMU_OPT_BOOL, }, + { + .name =3D "obsolete", + .type =3D QEMU_OPT_STRING, + }, { /* end of list */ } }, }; 
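Review bot: `is_obsolete()` returns 0/1 through an `int`; `bool` (already available through `qemu/osdep.h`) says what it means, and its `int syscall` parameter should use the same type as the `num` field of `struct QemuSeccompSyscall` so the `==` in the loop compares like with like. In the `seccomp_start` hunk, the `continue` when `OBSOLETE` is set relies on the `SCMP_ACT_ALLOW` default from patch 1 to make the call available; a one-line comment above the `continue` saying that "allow" here means "fall through to the default action" would save the next reader from hunting for that. In the vl.c hunk the new `obsolete` option is declared `QEMU_OPT_STRING` with no `.help`; fill it in with the accepted value so `-sandbox help` style output is useful.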
@@ -1031,7 +1035,17 @@ static int parse_sandbox(void *opaque, QemuOpts *opt= s, Error **errp) /* FIXME: change this to true for 1.3 */ if (qemu_opt_get_bool(opts, "enable", false)) { #ifdef CONFIG_SECCOMP - if (seccomp_start() < 0) { + uint8_t seccomp_opts =3D 0x0000; + const char * value =3D NULL; + + value =3D qemu_opt_get(opts,"obsolete"); + if (value) { + if (strcmp(value, "allow") =3D=3D 0) { + seccomp_opts |=3D OBSOLETE; + } + } + + if (seccomp_start(seccomp_opts) < 0) { error_report("failed to install seccomp syscall filter " "in the kernel"); return -1; --=20 2.11.0 From nobody Sat May 18 23:55:17 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1489491451324633.9362444250671; Tue, 14 Mar 2017 04:37:31 -0700 (PDT) Received: from localhost ([::1]:57885 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cnklZ-0003qE-3g for importer@patchew.org; Tue, 14 Mar 2017 07:37:25 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:52952) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cnkgZ-0000i8-Ni for qemu-devel@nongnu.org; Tue, 14 Mar 2017 07:32:16 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cnkgY-00084n-H3 for qemu-devel@nongnu.org; Tue, 14 Mar 2017 07:32:15 -0400 Received: from mail-wr0-x233.google.com ([2a00:1450:400c:c0c::233]:33465) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1cnkgY-00083z-AP for qemu-devel@nongnu.org; Tue, 
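Review bot: any `obsolete=` value other than `allow` is silently ignored in this hunk, so a typo such as `obsolete=alow` starts QEMU with a different filter than the user asked for and no diagnostic; reject unknown values with `error_setg(errp, ...)` (or `error_report()` plus `return -1`, matching the failure path just below) and accept an explicit `obsolete=deny` as the default. Minor: `uint8_t seccomp_opts = 0x0000;` is a four-digit literal for a one-byte variable (write `0`), `const char * value` and `qemu_opt_get(opts,"obsolete")` will be flagged by checkpatch for spacing, and `value = NULL` is redundant since it is assigned on the next statement.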
From: Eduardo Otubo To: qemu-devel@nongnu.org Date: Tue, 14 Mar 2017 12:32:07 +0100 Message-Id: <20170314113209.12025-4-eduardo.otubo@profitbricks.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20170314113209.12025-1-eduardo.otubo@profitbricks.com> References: <20170314113209.12025-1-eduardo.otubo@profitbricks.com> X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 2a00:1450:400c:c0c::233 Subject: [Qemu-devel] [PATCH 3/5] seccomp: add elevateprivileges argument to command line X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: thuth@redhat.com Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" This patch introduces the new argument [,elevateprivileges=3Ddeny] to the `-sandbox on'. It avoids Qemu process to elevate its privileges by blacklisting all set*uid|gid system calls Signed-off-by: Eduardo Otubo --- include/sysemu/seccomp.h | 1 + qemu-options.hx | 8 ++++++-- qemu-seccomp.c | 28 ++++++++++++++++++++++++++++ vl.c | 11 +++++++++++ 4 files changed, 46 insertions(+), 2 deletions(-) diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h index 7a7bde246b..e6e78d85ce 100644 --- a/include/sysemu/seccomp.h +++ b/include/sysemu/seccomp.h @@ -16,6 +16,7 @@ #define QEMU_SECCOMP_H =20 #define OBSOLETE 0x0001 +#define PRIVILEGED 0x0010 =20 #include =20 diff --git a/qemu-options.hx b/qemu-options.hx index 1403d0c85f..47018db5aa 100644 --- a/qemu-options.hx +++ b/qemu-options.hx 
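Review bot: `PRIVILEGED` has the same naming problem as `OBSOLETE` (an unprefixed macro in a public header) and continues the nibble spacing: with `seccomp_opts` declared `uint8_t` in this same header, 0x0001 and 0x0010 fit but the next value in that pattern (0x0100) does not. Use consecutive bits (`(1 << 0)`, `(1 << 1)`, `(1 << 2)`) or widen the argument type now, before a third flag is added.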
@@ -3732,8 +3732,10 @@ Old param mode (ARM only). ETEXI =20 DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ - "-sandbox on[,obsolete=3Dallow] Enable seccomp mode 2 system call fil= ter (default 'off').\n" \ - " obsolete: Allow obsolete system calls", + "-sandbox on[,obsolete=3Dallow][,elevateprivileges=3Ddeny]\n" \ + " Enable seccomp mode 2 system call filt= er (default 'off').\n" \ + " obsolete: Allow obsolete system calls\= n" \ + " elevateprivileges: avoids Qemu process= to elevate its privileges by blacklisting all set*uid|gid system calls", QEMU_ARCH_ALL) STEXI @item -sandbox @var{arg}[,obsolete=3D@var{string}] @@ -3743,6 +3745,8 @@ disable it. The default is 'off'. @table @option @item obsolete=3D@var{string} Enable Obsolete system calls +@item elevateprivileges=3D@var{string} +Disable set*uid|gid systema calls @end table ETEXI =20 diff --git a/qemu-seccomp.c b/qemu-seccomp.c index 5ef36890da..5aa6590386 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -31,6 +31,19 @@ struct QemuSeccompSyscall { uint8_t priority; }; =20 +static const struct QemuSeccompSyscall privileged_syscalls[] =3D { + { SCMP_SYS(setuid), 255 }, + { SCMP_SYS(setgid), 255 }, + { SCMP_SYS(setpgid), 255 }, + { SCMP_SYS(setsid), 255 }, + { SCMP_SYS(setreuid), 255 }, + { SCMP_SYS(setregid), 255 }, + { SCMP_SYS(setresuid), 255 }, + { SCMP_SYS(setresgid), 255 }, + { SCMP_SYS(setfsuid), 255 }, + { SCMP_SYS(setfsgid), 255 }, +}; + static const struct QemuSeccompSyscall obsolete[] =3D { { SCMP_SYS(readdir), 255 }, { SCMP_SYS(_sysctl), 255 }, 
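Review bot: `privileged_syscalls[]` includes `setpgid` and `setsid`, which change the process group and session, not credentials, while the help text and the commit message describe the list as "all set*uid|gid system calls"; drop those two or rename the option to match what it blocks (`setsid` is also what a daemonising process calls, so `SCMP_ACT_KILL` on it is a risky choice). In the other direction the table omits the i386 `*32` variants (`setuid32`, `setgid32`, `setreuid32`, `setregid32`, `setresuid32`, `setresgid32`, `setfsuid32`, `setfsgid32`), which the whitelist removed in patch 1 shows this code already has to care about (`getuid32`, `fchown32` and friends), and `setgroups`/`setgroups32`, so on 32-bit x86 the option does not deliver what it promises. Also a typo in the texinfo line: "systema calls" should read "system calls".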
@@ -125,6 +138,21 @@ int seccomp_start(uint8_t seccomp_opts) } } =20 + if (seccomp_opts & PRIVILEGED) { + for (i =3D 0; i < ARRAY_SIZE(privileged_syscalls); i++) { + rc =3D seccomp_rule_add(ctx, SCMP_ACT_KILL, privileged_syscall= s[i].num, 0); + if (rc < 0) { + goto seccomp_return; + } + rc =3D seccomp_syscall_priority(ctx, privileged_syscalls[i].nu= m, + privileged_syscalls[i].priority); + if (rc < 0) { + goto seccomp_return; + } + } + } + + rc =3D seccomp_load(ctx); =20 seccomp_return: diff --git a/vl.c b/vl.c index 7b08b3383b..d071e240b0 100644 --- a/vl.c +++ b/vl.c @@ -273,6 +273,10 @@ static QemuOptsList qemu_sandbox_opts =3D { .name =3D "obsolete", .type =3D QEMU_OPT_STRING, }, + { + .name =3D "elevateprivileges", + .type =3D QEMU_OPT_STRING, + }, { /* end of list */ } }, }; 
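Review bot: the `PRIVILEGED` block is a verbatim copy of the `blacklist[]` loop with the table name swapped (and patch 4 copies it a third time); factor the rule-add/priority pair into a helper such as `static int seccomp_add_table(scmp_filter_ctx ctx, const struct QemuSeccompSyscall *tbl, size_t n)` and call it once per table. The hunk also adds `rc = seccomp_load(ctx);` as a new `+` line without removing an existing call, and the diffstat shows no deletions in `qemu-seccomp.c`; `seccomp_start` already had to load the filter before this patch, so please confirm the resulting function calls `seccomp_load()` exactly once. Style: `rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, privileged_syscalls[i].num, 0);` is over 80 columns and checkpatch will complain.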
@@ -1045,6 +1049,13 @@ static int parse_sandbox(void *opaque, QemuOpts *opt= s, Error **errp) } } =20 + value =3D qemu_opt_get(opts,"elevateprivileges"); + if (value) { + if (strcmp(value, "deny") =3D=3D 0) { + seccomp_opts |=3D PRIVILEGED; + } + } + if (seccomp_start(seccomp_opts) < 0) { error_report("failed to install seccomp syscall filter " "in the kernel"); --=20 2.11.0 From nobody Sat May 18 23:55:17 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1489491451601528.9698105285423; Tue, 14 Mar 2017 04:37:31 -0700 (PDT) Received: from localhost ([::1]:57884 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cnklY-0003pw-Df for importer@patchew.org; Tue, 14 Mar 2017 07:37:24 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:52980) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cnkga-0000iA-A7 for qemu-devel@nongnu.org; Tue, 14 Mar 2017 07:32:22 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cnkgZ-00086u-6z for qemu-devel@nongnu.org; Tue, 14 Mar 2017 07:32:16 -0400 Received: from mail-wm0-x235.google.com ([2a00:1450:400c:c09::235]:38094) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1cnkgZ-00084b-14 for qemu-devel@nongnu.org; Tue, 14 Mar 2017 07:32:15 -0400 Received: by mail-wm0-x235.google.com with SMTP id t189so61367152wmt.1 for ; Tue, 14 Mar 2017 04:32:14 -0700 (PDT) Received: from vader.pb.local ([62.217.45.26]) by 
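Review bot: as with `obsolete=`, any `elevateprivileges=` value other than `deny` is silently accepted here and leaves credential changes unrestricted; reject unknown strings with an error. More fundamentally the option is opt-in: `-sandbox on` alone still allows every set*uid/gid call, whereas the safer default for a sandbox is to deny them and let users who need credential changes pass `elevateprivileges=allow`. Whichever default is chosen, check where the uid/gid switch done for `-runas` happens relative to the point where this filter is installed: if it comes later, `SCMP_ACT_KILL` on `setuid`/`setgid` terminates QEMU at startup for anyone combining the two options, and that combination should either be ordered correctly or documented as unsupported.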
From: Eduardo Otubo
To: qemu-devel@nongnu.org
Cc: thuth@redhat.com
Date: Tue, 14 Mar 2017 12:32:08 +0100
Message-Id: <20170314113209.12025-5-eduardo.otubo@profitbricks.com>
In-Reply-To: <20170314113209.12025-1-eduardo.otubo@profitbricks.com>
Subject: [Qemu-devel] [PATCH 4/5] seccomp: add spawn argument to command line

This patch adds the [,spawn=deny] argument to the `-sandbox on' option. It blacklists the fork and execve system calls, preventing Qemu from spawning new threads or processes.

Signed-off-by: Eduardo Otubo --- include/sysemu/seccomp.h | 1 + qemu-options.hx | 7 +++++-- qemu-seccomp.c | 18 ++++++++++++++++++ vl.c | 11 +++++++++++ 4 files changed, 35 insertions(+), 2 deletions(-) diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h index e6e78d85ce..f1614d6514 100644 --- a/include/sysemu/seccomp.h +++ b/include/sysemu/seccomp.h @@ -17,6 +17,7 @@ =20 #define OBSOLETE 0x0001 #define PRIVILEGED 0x0010 +#define SPAWN 0x0100 =20 #include =20 diff --git a/qemu-options.hx b/qemu-options.hx index 47018db5aa..53f4f8cfd2 100644 --- a/qemu-options.hx +++ b/qemu-options.hx
@@ -3732,10 +3732,11 @@ Old param mode (ARM only). ETEXI =20 DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ - "-sandbox on[,obsolete=3Dallow][,elevateprivileges=3Ddeny]\n" \ + "-sandbox on[,obsolete=3Dallow][,elevateprivileges=3Ddeny][,spawn=3Dde= ny]" \ " Enable seccomp mode 2 system call filt= er (default 'off').\n" \ " obsolete: Allow obsolete system calls\= n" \ - " elevateprivileges: avoids Qemu process= to elevate its privileges by blacklisting all set*uid|gid system calls", + " elevateprivileges: avoids Qemu process= to elevate its privileges by blacklisting all set*uid|gid system calls\n" \ + " spawn: avoids Qemu to spawn new thread= s or processes by blacklisting *fork and execve\n" QEMU_ARCH_ALL) STEXI @item -sandbox @var{arg}[,obsolete=3D@var{string}] @@ -3747,6 +3748,8 @@ disable it. The default is 'off'. Enable Obsolete system calls @item elevateprivileges=3D@var{string} Disable set*uid|gid systema calls +@item spawn=3D@var{string} +Disable *fork and execve @end table ETEXI =20 diff --git a/qemu-seccomp.c b/qemu-seccomp.c index 5aa6590386..4c1f7b41ba 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -31,6 +31,12 @@ struct QemuSeccompSyscall { uint8_t priority; }; =20 +static const struct QemuSeccompSyscall spawn_syscalls[] =3D { + { SCMP_SYS(fork), 255 }, + { SCMP_SYS(vfork), 255 }, + { SCMP_SYS(execve), 255 }, +}; + static const struct QemuSeccompSyscall privileged_syscalls[] =3D { { SCMP_SYS(setuid), 255 }, { SCMP_SYS(setgid), 255 }, @@ -152,6 +158,18 @@ int seccomp_start(uint8_t seccomp_opts) } } =20 + if (seccomp_opts & SPAWN) { + for (i =3D 0; i < ARRAY_SIZE(spawn_syscalls); i++) { + rc =3D seccomp_rule_add(ctx, SCMP_ACT_KILL, spawn_syscalls[i].= num, 0); + if (rc < 0) { + goto seccomp_return; + } + rc =3D seccomp_syscall_priority(ctx, spawn_syscalls[i].num, sp= awn_syscalls[i].priority); + if (rc < 0) { + goto seccomp_return; + } + } + } =20 rc =3D seccomp_load(ctx); =20 diff --git a/vl.c b/vl.c index d071e240b0..6a6e9a69bf 100644 --- a/vl.c 
+++ b/vl.c @@ -277,6 +277,10 @@ static QemuOptsList qemu_sandbox_opts =3D { .name =3D "elevateprivileges", .type =3D QEMU_OPT_STRING, }, + { + .name =3D "spawn", + .type =3D QEMU_OPT_STRING, + }, { /* end of list */ } }, }; 
@@ -1056,6 +1060,13 @@ static int parse_sandbox(void *opaque, QemuOpts *opt= s, Error **errp) } } =20 + value =3D qemu_opt_get(opts,"spawn"); + if (value) { + if (strcmp(value, "deny") =3D=3D 0) { + seccomp_opts |=3D SPAWN; + } + } + if (seccomp_start(seccomp_opts) < 0) { error_report("failed to install seccomp syscall filter " "in the kernel"); --=20 2.11.0
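Review bot: the qemu-options.hx hunk of this patch does not build and damages the help output. The new synopsis line `"-sandbox on[,obsolete=allow][,elevateprivileges=deny][,spawn=deny]"` drops the trailing "\n" that the removed line `"...[,elevateprivileges=deny]\n"` had, so the usage text runs straight into "Enable seccomp mode 2 system call filter". Worse, the removed line ended with `system calls",` while the new last line `" spawn: ... *fork and execve\n"` has no comma before `QEMU_ARCH_ALL)`, so the DEF() invocation no longer has a well-formed argument list; 5/5 happens to repair both, which means 4/5 on its own does not compile and the series does not bisect. Put the "\n" and the comma back here. The STEXI block is also incomplete: the `@item -sandbox @var{arg}[,obsolete=@var{string}]` synopsis still lists only obsolete=, and "Disable *fork and execve" should say that deny is the only accepted value.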
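Review bot: the spawn_syscalls list (fork, vfork, execve) does not deliver what the help text and commit message promise. On Linux glibc's fork() is implemented on top of clone(), and so is pthread_create(), so a process that wants to spawn a child never hits SCMP_SYS(fork) or SCMP_SYS(vfork) at all; execveat is likewise left open as an alternative to execve; and nothing in the list touches thread creation, so the "new threads" half of the description is not implemented. A blanket SCMP_ACT_KILL on clone would kill QEMU's own vCPU and I/O threads, so the clone rule has to discriminate on the flags argument, for example `seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(clone), 1, SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_THREAD, 0))` to deny only clone calls without CLONE_THREAD, and execveat should be added beside execve.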
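Review bot: the `if (seccomp_opts & SPAWN)` test added to seccomp_start can never be true. The hunk header shows the prototype `int seccomp_start(uint8_t seccomp_opts)`, and the seccomp.h hunk defines SPAWN as 0x0100, so the bit is truncated away when the caller's value is narrowed to eight bits and spawn=deny is a silent no-op. Widen the parameter to uint32_t (and check that the seccomp_opts variable in parse_sandbox is wide enough too), or renumber the flags to fit in a byte. Separately, this is another verbatim copy of the add-rule/set-priority loop over a syscall array; a helper taking the array and its length would reduce each option to one call and avoid the same block being pasted again for the next option.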
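Review bot: the parse_sandbox hunk repeats the permissive parsing of the elevateprivileges block right above it: spawn accepts any string and only acts on "deny", so spawn=allow, spawn=Deny or a typo silently leaves fork and execve permitted. Validate the value (only "allow" and "deny", error through errp otherwise), and since this is now the third near-identical block, a small table of {option name, flag} pairs walked once would replace all of them. Nit: `qemu_opt_get(opts,"spawn")` is missing the space after the comma.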
From: Eduardo Otubo
To: qemu-devel@nongnu.org
Cc: thuth@redhat.com
Date: Tue, 14 Mar 2017 12:32:09 +0100
Message-Id: <20170314113209.12025-6-eduardo.otubo@profitbricks.com>
In-Reply-To: <20170314113209.12025-1-eduardo.otubo@profitbricks.com>
Subject: [Qemu-devel] [PATCH 5/5] seccomp: add resourcecontrol argument to command line

This patch adds [,resourcecontrol=deny] to the `-sandbox on' option. It blacklists all process affinity and scheduler priority system calls to avoid any bigger of the process.

Signed-off-by: Eduardo Otubo --- include/sysemu/seccomp.h | 1 + qemu-options.hx | 5 ++++- qemu-seccomp.c | 26 ++++++++++++++++++++++++++ vl.c | 11 +++++++++++ 4 files changed, 42 insertions(+), 1 deletion(-) diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h index f1614d6514..c7003dd197 100644 --- a/include/sysemu/seccomp.h +++ b/include/sysemu/seccomp.h @@ -18,6 +18,7 @@ #define OBSOLETE 0x0001 #define PRIVILEGED 0x0010 #define SPAWN 0x0100 +#define RESOURCECTL 0x1000 =20 #include =20 diff --git a/qemu-options.hx b/qemu-options.hx index 53f4f8cfd2..5784ffe4b1 100644 --- a/qemu-options.hx +++ b/qemu-options.hx
@@ -3732,11 +3732,12 @@ Old param mode (ARM only). ETEXI =20 DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ - "-sandbox on[,obsolete=3Dallow][,elevateprivileges=3Ddeny][,spawn=3Dde= ny]" \ + "-sandbox on[,obsolete=3Dallow][,elevateprivileges=3Ddeny][,spawn=3Dde= ny][,resourcecontrol=3Ddeny]\n" \ " Enable seccomp mode 2 system call filt= er (default 'off').\n" \ " obsolete: Allow obsolete system calls\= n" \ " elevateprivileges: avoids Qemu process= to elevate its privileges by blacklisting all set*uid|gid system calls\n" \ " spawn: avoids Qemu to spawn new thread= s or processes by blacklisting *fork and execve\n" + " resourcecontrol: disable process affin= ity and schedular priority\n", QEMU_ARCH_ALL) STEXI @item -sandbox @var{arg}[,obsolete=3D@var{string}] @@ -3750,6 +3751,8 @@ Enable Obsolete system calls Disable set*uid|gid systema calls @item spawn=3D@var{string} Disable *fork and execve +@item resourcecontrol=3D@var{string} +Disable process affinity and schedular priority @end table ETEXI =20 diff --git a/qemu-seccomp.c b/qemu-seccomp.c index 4c1f7b41ba..dec47e9a74 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -31,6 +31,19 @@ struct QemuSeccompSyscall { uint8_t priority; }; =20 +static const struct QemuSeccompSyscall resourcecontrol_syscalls[] =3D { + { SCMP_SYS(getpriority), 255 }, + { SCMP_SYS(setpriority), 255 }, + { SCMP_SYS(sched_setparam), 255 }, + { SCMP_SYS(sched_getparam), 255 }, + { SCMP_SYS(sched_setscheduler), 255 }, + { SCMP_SYS(sched_getscheduler), 255 }, + { SCMP_SYS(sched_setaffinity), 255 }, + { SCMP_SYS(sched_getaffinity), 255 }, + { SCMP_SYS(sched_get_priority_max), 255 }, + { SCMP_SYS(sched_get_priority_min), 255 }, +}; + static const struct QemuSeccompSyscall spawn_syscalls[] =3D { { SCMP_SYS(fork), 255 }, { SCMP_SYS(vfork), 255 }, 
@@ -171,6 +184,19 @@ int seccomp_start(uint8_t seccomp_opts) } } =20 + if (seccomp_opts & RESOURCECTL) { + for (i =3D 0; i < ARRAY_SIZE(resourcecontrol_syscalls); i++) { + rc =3D seccomp_rule_add(ctx, SCMP_ACT_KILL, resourcecontrol_sy= scalls[i].num, 0); + if (rc < 0) { + goto seccomp_return; + } + rc =3D seccomp_syscall_priority(ctx, resourcecontrol_syscalls[= i].num, resourcecontrol_syscalls[i].priority); + if (rc < 0) { + goto seccomp_return; + } + } + } + rc =3D seccomp_load(ctx); =20 seccomp_return: diff --git a/vl.c b/vl.c index 6a6e9a69bf..3ceffef094 100644 --- a/vl.c +++ b/vl.c @@ -281,6 +281,10 @@ static QemuOptsList qemu_sandbox_opts =3D { .name =3D "spawn", .type =3D QEMU_OPT_STRING, }, + { + .name =3D "resourcecontrol", + .type =3D QEMU_OPT_STRING, + }, { /* end of list */ } }, }; @@ -1067,6 +1071,13 @@ static int parse_sandbox(void *opaque, QemuOpts *opt= s, Error **errp) } } =20 + value =3D qemu_opt_get(opts,"resourcecontrol"); + if (value) { + if (strcmp(value, "deny") =3D=3D 0) { + seccomp_opts |=3D RESOURCECTL; + } + } + if (seccomp_start(seccomp_opts) < 0) { error_report("failed to install seccomp syscall filter " "in the kernel"); --=20 2.11.0
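Review bot: the qemu-options.hx hunk quietly fixes two things 4/5 broke in the same DEF() block, restoring the "\n" at the end of the synopsis line and adding the comma before `QEMU_ARCH_ALL)`; both fixes belong in 4/5 so that every patch in the series builds on its own. "schedular" should be "scheduler" in both the help string and the @item entry, and the context line "Disable set*uid|gid systema calls" carries a typo that could be corrected while this block is being edited.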
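Review bot: the resourcecontrol_syscalls list kills the process on read-only calls (getpriority, sched_getparam, sched_getscheduler, sched_getaffinity, sched_get_priority_max, sched_get_priority_min). None of those can change scheduling or affinity, so denying them adds no protection, while SCMP_ACT_KILL means that any library routine which merely queries the current affinity or priority takes QEMU down with it. Drop the get* entries or give them SCMP_ACT_ERRNO(EPERM) rather than KILL, and if the intent is to stop the process from raising its own scheduling class, sched_setattr (the newer interface to the same settings) is missing from the set* half of the list.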
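Review bot: the `if (seccomp_opts & RESOURCECTL)` block in seccomp_start is dead code as posted: RESOURCECTL is 0x1000 and the hunk header still shows `int seccomp_start(uint8_t seccomp_opts)`, so the flag is lost in the narrowing exactly as SPAWN is in 4/5. The parameter needs to be widened (uint32_t) before resourcecontrol=deny can take effect, and that change should come first in the series. This hunk also pastes the add-rule/set-priority loop once more instead of factoring it into a helper shared by all the option-specific syscall arrays.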
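Review bot: the parse_sandbox hunk makes a fourth copy of the "act only on deny, ignore everything else" pattern, so resourcecontrol=allow or a misspelt value is silently accepted without tightening anything. With four options parsed identically, replace the copies with a single loop over a {name, flag} table that also rejects values other than "allow" and "deny" through errp. Nit: `qemu_opt_get(opts,"resourcecontrol")` is missing the space after the comma.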