From: Eduardo Otubo
To: qemu-devel@nongnu.org
Cc: Eduardo Otubo
Date: Fri, 14 Jul 2017 13:36:55 +0200
Message-Id: <20170714113700.21319-2-otubo@redhat.com>
In-Reply-To: <20170714113700.21319-1-otubo@redhat.com>
References: <20170714113700.21319-1-otubo@redhat.com>
Subject: [Qemu-devel] [PATCH 1/6] seccomp: changing from whitelist to blacklist
Content-Transfer-Encoding: quoted-printable

This patch changes the default behavior of the seccomp filter from
whitelist to blacklist. By default now all system calls are allowed and a
small blacklist of definitely forbidden ones was created.

Signed-off-by: Eduardo Otubo
---
 qemu-seccomp.c | 256 +++++++---------------------------------------------------
 vl.c           |   7 +-
 2 files changed, 33 insertions(+), 230 deletions(-)

diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index df75d9c471..f8877b07b5 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -31,229 +31,29 @@ struct QemuSeccompSyscall { uint8_t priority; }; =20 -static const struct QemuSeccompSyscall seccomp_whitelist[] =3D { - { SCMP_SYS(timer_settime), 255 }, - { SCMP_SYS(timer_gettime), 254 }, - { SCMP_SYS(futex), 253 }, - { SCMP_SYS(select), 252 }, - { SCMP_SYS(recvfrom), 251 }, - { SCMP_SYS(sendto), 250 }, - { SCMP_SYS(socketcall), 250 }, - { SCMP_SYS(read), 249 }, - { SCMP_SYS(io_submit), 249 }, - { SCMP_SYS(brk), 248 }, - { SCMP_SYS(clone), 247 }, - { SCMP_SYS(mmap), 247 }, - { SCMP_SYS(mprotect), 246 }, - { SCMP_SYS(execve), 245 }, - { SCMP_SYS(open), 245 }, - { SCMP_SYS(ioctl), 245 }, - { SCMP_SYS(socket), 245 }, - { SCMP_SYS(setsockopt), 245 }, - { SCMP_SYS(recvmsg), 245 }, - { SCMP_SYS(sendmsg), 245 }, - { SCMP_SYS(accept), 245 }, - { SCMP_SYS(connect), 245 }, - { SCMP_SYS(socketpair), 245 }, - { SCMP_SYS(bind), 245 }, - { SCMP_SYS(listen), 245 }, - { SCMP_SYS(semget), 245 }, - { SCMP_SYS(ipc), 245 }, - { SCMP_SYS(gettimeofday), 245 }, - { SCMP_SYS(readlink), 245 }, - { SCMP_SYS(access), 245 }, - { SCMP_SYS(prctl), 245 }, - { SCMP_SYS(signalfd), 245 }, - { SCMP_SYS(getrlimit), 245 }, - { SCMP_SYS(getrusage), 245 }, - { SCMP_SYS(set_tid_address), 245 }, - { SCMP_SYS(statfs), 245 }, - { SCMP_SYS(unlink), 245 }, - { SCMP_SYS(wait4), 245 }, - { SCMP_SYS(fcntl64), 245 }, - { SCMP_SYS(fstat64), 245 }, - { SCMP_SYS(stat64), 245 }, - { SCMP_SYS(getgid32), 245 }, - { SCMP_SYS(getegid32), 245 }, - { SCMP_SYS(getuid32), 245 }, - { SCMP_SYS(geteuid32), 245 }, - { SCMP_SYS(sigreturn), 245 }, - { SCMP_SYS(_newselect), 245 }, - { SCMP_SYS(_llseek), 245 }, - { SCMP_SYS(mmap2), 245 }, - { SCMP_SYS(sigprocmask), 245 }, - { SCMP_SYS(sched_getparam), 245 }, - { SCMP_SYS(sched_getscheduler), 245 }, - { SCMP_SYS(fstat), 245 }, - { SCMP_SYS(clock_getres), 245 }, - { SCMP_SYS(sched_get_priority_min), 245 }, - { SCMP_SYS(sched_get_priority_max), 245 }, - { SCMP_SYS(stat), 245 }, - { SCMP_SYS(uname), 245 }, - { SCMP_SYS(eventfd2), 245 }, - { 
SCMP_SYS(io_getevents), 245 }, - { SCMP_SYS(dup), 245 }, - { SCMP_SYS(dup2), 245 }, - { SCMP_SYS(dup3), 245 }, - { SCMP_SYS(gettid), 245 }, - { SCMP_SYS(getgid), 245 }, - { SCMP_SYS(getegid), 245 }, - { SCMP_SYS(getuid), 245 }, - { SCMP_SYS(geteuid), 245 }, - { SCMP_SYS(timer_create), 245 }, - { SCMP_SYS(times), 245 }, - { SCMP_SYS(exit), 245 }, - { SCMP_SYS(clock_gettime), 245 }, - { SCMP_SYS(time), 245 }, - { SCMP_SYS(restart_syscall), 245 }, - { SCMP_SYS(pwrite64), 245 }, - { SCMP_SYS(nanosleep), 245 }, - { SCMP_SYS(chown), 245 }, - { SCMP_SYS(openat), 245 }, - { SCMP_SYS(getdents), 245 }, - { SCMP_SYS(timer_delete), 245 }, - { SCMP_SYS(exit_group), 245 }, - { SCMP_SYS(rt_sigreturn), 245 }, - { SCMP_SYS(sync), 245 }, - { SCMP_SYS(pread64), 245 }, - { SCMP_SYS(madvise), 245 }, - { SCMP_SYS(set_robust_list), 245 }, - { SCMP_SYS(lseek), 245 }, - { SCMP_SYS(pselect6), 245 }, - { SCMP_SYS(fork), 245 }, - { SCMP_SYS(rt_sigprocmask), 245 }, - { SCMP_SYS(write), 244 }, - { SCMP_SYS(fcntl), 243 }, - { SCMP_SYS(tgkill), 242 }, - { SCMP_SYS(kill), 242 }, - { SCMP_SYS(rt_sigaction), 242 }, - { SCMP_SYS(pipe2), 242 }, - { SCMP_SYS(munmap), 242 }, - { SCMP_SYS(mremap), 242 }, - { SCMP_SYS(fdatasync), 242 }, - { SCMP_SYS(close), 242 }, - { SCMP_SYS(rt_sigpending), 242 }, - { SCMP_SYS(rt_sigtimedwait), 242 }, - { SCMP_SYS(readv), 242 }, - { SCMP_SYS(writev), 242 }, - { SCMP_SYS(preadv), 242 }, - { SCMP_SYS(pwritev), 242 }, - { SCMP_SYS(setrlimit), 242 }, - { SCMP_SYS(ftruncate), 242 }, - { SCMP_SYS(lstat), 242 }, - { SCMP_SYS(pipe), 242 }, - { SCMP_SYS(umask), 242 }, - { SCMP_SYS(chdir), 242 }, - { SCMP_SYS(setitimer), 242 }, - { SCMP_SYS(setsid), 242 }, - { SCMP_SYS(poll), 242 }, - { SCMP_SYS(epoll_create), 242 }, - { SCMP_SYS(epoll_ctl), 242 }, - { SCMP_SYS(epoll_wait), 242 }, - { SCMP_SYS(waitpid), 242 }, - { SCMP_SYS(getsockname), 242 }, - { SCMP_SYS(getpeername), 242 }, - { SCMP_SYS(accept4), 242 }, - { SCMP_SYS(timerfd_settime), 242 }, - { SCMP_SYS(newfstatat), 241 }, - { 
SCMP_SYS(shutdown), 241 }, - { SCMP_SYS(getsockopt), 241 }, - { SCMP_SYS(semop), 241 }, - { SCMP_SYS(semtimedop), 241 }, - { SCMP_SYS(epoll_ctl_old), 241 }, - { SCMP_SYS(epoll_wait_old), 241 }, - { SCMP_SYS(epoll_pwait), 241 }, - { SCMP_SYS(epoll_create1), 241 }, - { SCMP_SYS(ppoll), 241 }, - { SCMP_SYS(creat), 241 }, - { SCMP_SYS(link), 241 }, - { SCMP_SYS(getpid), 241 }, - { SCMP_SYS(getppid), 241 }, - { SCMP_SYS(getpgrp), 241 }, - { SCMP_SYS(getpgid), 241 }, - { SCMP_SYS(getsid), 241 }, - { SCMP_SYS(getdents64), 241 }, - { SCMP_SYS(getresuid), 241 }, - { SCMP_SYS(getresgid), 241 }, - { SCMP_SYS(getgroups), 241 }, - { SCMP_SYS(getresuid32), 241 }, - { SCMP_SYS(getresgid32), 241 }, - { SCMP_SYS(getgroups32), 241 }, - { SCMP_SYS(signal), 241 }, - { SCMP_SYS(sigaction), 241 }, - { SCMP_SYS(sigsuspend), 241 }, - { SCMP_SYS(sigpending), 241 }, - { SCMP_SYS(truncate64), 241 }, - { SCMP_SYS(ftruncate64), 241 }, - { SCMP_SYS(fchown32), 241 }, - { SCMP_SYS(chown32), 241 }, - { SCMP_SYS(lchown32), 241 }, - { SCMP_SYS(statfs64), 241 }, - { SCMP_SYS(fstatfs64), 241 }, - { SCMP_SYS(fstatat64), 241 }, - { SCMP_SYS(lstat64), 241 }, - { SCMP_SYS(sendfile64), 241 }, - { SCMP_SYS(ugetrlimit), 241 }, - { SCMP_SYS(alarm), 241 }, - { SCMP_SYS(rt_sigsuspend), 241 }, - { SCMP_SYS(rt_sigqueueinfo), 241 }, - { SCMP_SYS(rt_tgsigqueueinfo), 241 }, - { SCMP_SYS(sigaltstack), 241 }, - { SCMP_SYS(signalfd4), 241 }, - { SCMP_SYS(truncate), 241 }, - { SCMP_SYS(fchown), 241 }, - { SCMP_SYS(lchown), 241 }, - { SCMP_SYS(fchownat), 241 }, - { SCMP_SYS(fstatfs), 241 }, - { SCMP_SYS(getitimer), 241 }, - { SCMP_SYS(syncfs), 241 }, - { SCMP_SYS(fsync), 241 }, - { SCMP_SYS(fchdir), 241 }, - { SCMP_SYS(msync), 241 }, - { SCMP_SYS(sched_setparam), 241 }, - { SCMP_SYS(sched_setscheduler), 241 }, - { SCMP_SYS(sched_yield), 241 }, - { SCMP_SYS(sched_rr_get_interval), 241 }, - { SCMP_SYS(sched_setaffinity), 241 }, - { SCMP_SYS(sched_getaffinity), 241 }, - { SCMP_SYS(readahead), 241 }, - { 
SCMP_SYS(timer_getoverrun), 241 }, - { SCMP_SYS(unlinkat), 241 }, - { SCMP_SYS(readlinkat), 241 }, - { SCMP_SYS(faccessat), 241 }, - { SCMP_SYS(get_robust_list), 241 }, - { SCMP_SYS(splice), 241 }, - { SCMP_SYS(vmsplice), 241 }, - { SCMP_SYS(getcpu), 241 }, - { SCMP_SYS(sendmmsg), 241 }, - { SCMP_SYS(recvmmsg), 241 }, - { SCMP_SYS(prlimit64), 241 }, - { SCMP_SYS(waitid), 241 }, - { SCMP_SYS(io_cancel), 241 }, - { SCMP_SYS(io_setup), 241 }, - { SCMP_SYS(io_destroy), 241 }, - { SCMP_SYS(arch_prctl), 240 }, - { SCMP_SYS(mkdir), 240 }, - { SCMP_SYS(fchmod), 240 }, - { SCMP_SYS(shmget), 240 }, - { SCMP_SYS(shmat), 240 }, - { SCMP_SYS(shmdt), 240 }, - { SCMP_SYS(timerfd_create), 240 }, - { SCMP_SYS(shmctl), 240 }, - { SCMP_SYS(mlockall), 240 }, - { SCMP_SYS(mlock), 240 }, - { SCMP_SYS(munlock), 240 }, - { SCMP_SYS(semctl), 240 }, - { SCMP_SYS(fallocate), 240 }, - { SCMP_SYS(fadvise64), 240 }, - { SCMP_SYS(inotify_init1), 240 }, - { SCMP_SYS(inotify_add_watch), 240 }, - { SCMP_SYS(mbind), 240 }, - { SCMP_SYS(memfd_create), 240 }, -#ifdef HAVE_CACHEFLUSH - { SCMP_SYS(cacheflush), 240 }, -#endif - { SCMP_SYS(sysinfo), 240 }, +static const struct QemuSeccompSyscall blacklist[] =3D { + { SCMP_SYS(reboot), 255 }, + { SCMP_SYS(swapon), 255 }, + { SCMP_SYS(swapoff), 255 }, + { SCMP_SYS(syslog), 255 }, + { SCMP_SYS(mount), 255 }, + { SCMP_SYS(umount), 255 }, + { SCMP_SYS(kexec_load), 255 }, + { SCMP_SYS(afs_syscall), 255 }, + { SCMP_SYS(break), 255 }, + { SCMP_SYS(ftime), 255 }, + { SCMP_SYS(getpmsg), 255 }, + { SCMP_SYS(gtty), 255 }, + { SCMP_SYS(lock), 255 }, + { SCMP_SYS(mpx), 255 }, + { SCMP_SYS(prof), 255 }, + { SCMP_SYS(profil), 255 }, + { SCMP_SYS(putpmsg), 255 }, + { SCMP_SYS(security), 255 }, + { SCMP_SYS(stty), 255 }, + { SCMP_SYS(tuxcall), 255 }, + { SCMP_SYS(ulimit), 255 }, + { SCMP_SYS(vserver), 255 }, }; =20 int seccomp_start(void) 
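Review bot: the new blacklist[] table lists `umount` but not `umount2`; x86_64 (and aarch64) only provide `umount2`, plain `umount` is not in their syscall tables, so on the most common hosts the filter does not block unmounting at all while the paired `mount` rule does apply. Add `{ SCMP_SYS(umount2), 255 }` next to `umount`, and for the same reason consider `kexec_file_load` beside `kexec_load` if the minimum libseccomp version defines it. Many of the remaining entries (`break`, `ftime`, `gtty`, `stty`, `lock`, `mpx`, `prof`, `profil`, `security`, `tuxcall`, `vserver`, `afs_syscall`, `getpmsg`, `putpmsg`, `ulimit`) are unimplemented legacy slots that exist only on some architectures; it is worth confirming that seccomp_rule_add() accepts the pseudo-syscall numbers SCMP_SYS() yields for a syscall the build architecture lacks, otherwise seccomp_start() fails and `-sandbox on` refuses to start on those hosts.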
@@ -262,19 +62,19 @@ int seccomp_start(void) unsigned int i =3D 0; scmp_filter_ctx ctx; =20 - ctx =3D seccomp_init(SCMP_ACT_KILL); + ctx =3D seccomp_init(SCMP_ACT_ALLOW); if (ctx =3D=3D NULL) { rc =3D -1; goto seccomp_return; } =20 - for (i =3D 0; i < ARRAY_SIZE(seccomp_whitelist); i++) { - rc =3D seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_whitelist[i].= num, 0); + for (i =3D 0; i < ARRAY_SIZE(blacklist); i++) { + rc =3D seccomp_rule_add(ctx, SCMP_ACT_KILL, blacklist[i].num, 0); if (rc < 0) { goto seccomp_return; } - rc =3D seccomp_syscall_priority(ctx, seccomp_whitelist[i].num, - seccomp_whitelist[i].priority); + rc =3D seccomp_syscall_priority(ctx, blacklist[i].num, + blacklist[i].priority); if (rc < 0) { goto seccomp_return; } diff --git a/vl.c b/vl.c index 8efd48bf9f..838ad3b11a 100644 --- a/vl.c +++ b/vl.c 
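Review bot: with `seccomp_init(SCMP_ACT_ALLOW)` as the default action, the seccomp_syscall_priority() call in the loop no longer buys anything: every blacklist entry carries the same priority (255) and the filter only has to match a couple of dozen syscalls, so the second call and the `priority` field could be dropped and the loop reduced to seccomp_rule_add(). The retained `SCMP_ACT_KILL` (unchanged from before, but now the action on every match rather than the default) also deserves a comment in the code: SECCOMP_RET_KILL terminates only the calling thread, so a blacklisted call from a vCPU or I/O thread leaves the rest of the QEMU process running without that thread instead of failing the VM cleanly.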
@@ -1030,14 +1030,17 @@ static int bt_parse(const char *opt) =20 static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp) { - /* FIXME: change this to true for 1.3 */ if (qemu_opt_get_bool(opts, "enable", false)) { #ifdef CONFIG_SECCOMP if (seccomp_start() < 0) { error_report("failed to install seccomp syscall filter " "in the kernel"); return -1; - } + } else { + error_report("warning: -sandbox on has been converted to black= list + approach. Refer to manual for other options to hi= gher + security option."); + } #else error_report("seccomp support is disabled"); return -1; --=20 2.13.0
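Review bot: the new `else` branch prints the "warning: -sandbox on has been converted to blacklist approach" message through error_report() on every successful start with `-sandbox on`, so every user who keeps the option gets an error-channel message for a non-error condition, and the text refers to "other options" in the manual without naming any. The real risk of this hunk is the silent semantics change: every deployment that passes `-sandbox on` today keeps the same command line and drops from a roughly 200-syscall whitelist to a 22-syscall blacklist, and a startup message is easy to miss in a libvirt-managed guest's log. At minimum the `-sandbox` documentation in qemu-options.hx (untouched by this patch, per the diffstat) should state the new semantics in the same commit, and the message should name the exact `-sandbox` arguments that restore a stricter filter or be dropped in favour of the documentation. Removing the stale `/* FIXME: change this to true for 1.3 */` is fine, since the default stays `false`.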
From: Eduardo Otubo
To: qemu-devel@nongnu.org
Cc: Eduardo Otubo
Date: Fri, 14 Jul 2017 13:36:56 +0200
Message-Id: <20170714113700.21319-3-otubo@redhat.com>
In-Reply-To: <20170714113700.21319-1-otubo@redhat.com>
References: <20170714113700.21319-1-otubo@redhat.com>
Subject: [Qemu-devel] [PATCH 2/6] seccomp: add obsolete argument to command line
Content-Transfer-Encoding: quoted-printable

This patch introduces the argument [,obsolete=allow] to the `-sandbox on'
option. It allows Qemu to run safely on old systems that still rely on old
system calls.

Signed-off-by: Eduardo Otubo
---
 include/sysemu/seccomp.h |  4 +++-
 qemu-options.hx          |  9 +++++++--
 qemu-seccomp.c           | 32 +++++++++++++++++++++++++++++++-
 vl.c                     | 16 +++++++++++++++-
 4 files changed, 56 insertions(+), 5 deletions(-)

diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h
index cfc06008cb..7a7bde246b 100644
--- a/include/sysemu/seccomp.h
+++ b/include/sysemu/seccomp.h
@@ -15,7 +15,9 @@ #ifndef QEMU_SECCOMP_H #define QEMU_SECCOMP_H =20 +#define OBSOLETE 0x0001 + #include =20 -int seccomp_start(void); +int seccomp_start(uint8_t seccomp_opts); #endif diff --git a/qemu-options.hx b/qemu-options.hx index 2cc70b9cfc..c3200f303b 100644 --- a/qemu-options.hx +++ b/qemu-options.hx
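Review bot: `OBSOLETE` is a very generic, unprefixed macro name to export from a public header (include/sysemu/seccomp.h); a name such as `QEMU_SECCOMP_OBSOLETE`, or an enum of flags, avoids collisions with other headers. The definition is also placed above the header's `#include` rather than next to the prototype it belongs to, and the prototype's new `uint8_t` parameter is a narrow fixed-width type for a flag word; an `unsigned int` (or a named flags type) leaves room for more options without surprises when further bits are added.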
@@ -4004,13 +4004,18 @@ Old param mode (ARM only). ETEXI =20 DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ - "-sandbox Enable seccomp mode 2 system call filter (default 'of= f').\n", + "-sandbox on[,obsolete=3Dallow] Enable seccomp mode 2 system call fil= ter (default 'off').\n" \ + " obsolete: Allow obsolete system calls", QEMU_ARCH_ALL) STEXI -@item -sandbox @var{arg} +@item -sandbox @var{arg}[,obsolete=3D@var{string}] @findex -sandbox Enable Seccomp mode 2 system call filter. 'on' will enable syscall filteri= ng and 'off' will disable it. The default is 'off'. +@table @option +@item obsolete=3D@var{string} +Enable Obsolete system calls +@end table ETEXI =20 DEF("readconfig", HAS_ARG, QEMU_OPTION_readconfig, diff --git a/qemu-seccomp.c b/qemu-seccomp.c index f8877b07b5..c6a8b28260 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -31,6 +31,20 @@ struct QemuSeccompSyscall { uint8_t priority; }; =20 +static const struct QemuSeccompSyscall obsolete[] =3D { + { SCMP_SYS(readdir), 255 }, + { SCMP_SYS(_sysctl), 255 }, + { SCMP_SYS(bdflush), 255 }, + { SCMP_SYS(create_module), 255 }, + { SCMP_SYS(get_kernel_syms), 255 }, + { SCMP_SYS(query_module), 255 }, + { SCMP_SYS(sgetmask), 255 }, + { SCMP_SYS(ssetmask), 255 }, + { SCMP_SYS(sysfs), 255 }, + { SCMP_SYS(uselib), 255 }, + { SCMP_SYS(ustat), 255 }, +}; + static const struct QemuSeccompSyscall blacklist[] =3D { { SCMP_SYS(reboot), 255 }, { SCMP_SYS(swapon), 255 }, @@ -56,7 +70,20 @@ static const struct QemuSeccompSyscall blacklist[] =3D { { SCMP_SYS(vserver), 255 }, }; =20 -int seccomp_start(void) +static int is_obsolete(int syscall) +{ + unsigned int i =3D 0; + + for (i =3D 0; i < ARRAY_SIZE(obsolete); i++) { + if (syscall =3D=3D obsolete[i].num) { + return 1; + } + } + + return 0; +} + +int seccomp_start(uint8_t seccomp_opts) { int rc =3D 0; unsigned int i =3D 0; 
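Review bot: the documentation hunk says `obsolete=@var{string}` / "Enable Obsolete system calls", but the code in this patch only recognises the literal `allow` and silently ignores any other string; the texinfo entry and the `-sandbox` help line should state that `allow` is the only accepted value (or list the values). In the qemu-seccomp.c hunks, is_obsolete() returns `int` with 0/1 where QEMU code would return `bool`, and the table name `obsolete[]` is easy to confuse with the `OBSOLETE` flag; `obsolete_syscalls[]`, matching the `privileged_syscalls[]` and `spawn_syscalls[]` names introduced later in the series, reads better.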
@@ -69,6 +96,9 @@ int seccomp_start(void) } =20 for (i =3D 0; i < ARRAY_SIZE(blacklist); i++) { + if ((seccomp_opts & OBSOLETE) && is_obsolete(blacklist[i].num)) { + continue; + } rc =3D seccomp_rule_add(ctx, SCMP_ACT_KILL, blacklist[i].num, 0); if (rc < 0) { goto seccomp_return; diff --git a/vl.c b/vl.c index 838ad3b11a..6a297851aa 100644 --- a/vl.c +++ b/vl.c @@ -271,6 +271,10 @@ static QemuOptsList qemu_sandbox_opts =3D { .name =3D "enable", .type =3D QEMU_OPT_BOOL, }, + { + .name =3D "obsolete", + .type =3D QEMU_OPT_STRING, + }, { /* end of list */ } }, }; 
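Review bot: the new `if ((seccomp_opts & OBSOLETE) && is_obsolete(blacklist[i].num)) continue;` test can never fire: it skips blacklist[] entries that also appear in obsolete[], but none of the eleven obsolete[] syscalls (readdir, _sysctl, bdflush, create_module, get_kernel_syms, query_module, sgetmask, ssetmask, sysfs, uselib, ustat) is in blacklist[], so those syscalls are allowed whether or not `obsolete=allow` is given and the option is a no-op. If the intent is "block obsolete syscalls by default, `obsolete=allow` lifts the block", seccomp_start() needs a second loop that adds SCMP_ACT_KILL rules for obsolete[] unless the OBSOLETE bit is set, in the same shape as the PRIVILEGED and SPAWN blocks added later in the series, and is_obsolete() becomes unnecessary.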
@@ -1032,7 +1036,17 @@ static int parse_sandbox(void *opaque, QemuOpts *opt= s, Error **errp) { if (qemu_opt_get_bool(opts, "enable", false)) { #ifdef CONFIG_SECCOMP - if (seccomp_start() < 0) { + uint8_t seccomp_opts =3D 0x0000; + const char * value =3D NULL; + + value =3D qemu_opt_get(opts,"obsolete"); + if (value) { + if (strcmp(value, "allow") =3D=3D 0) { + seccomp_opts |=3D OBSOLETE; + } + } + + if (seccomp_start(seccomp_opts) < 0) { error_report("failed to install seccomp syscall filter " "in the kernel"); return -1; --=20 2.13.0
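Review bot: any value of `obsolete=` other than `allow` is silently ignored, so a typo such as `obsolete=alow` leaves the user with the default and no diagnostic; reject unknown values with error_report() and `return -1`, as the surrounding code already does for a failed seccomp_start(). Minor style in the same hunk: `uint8_t seccomp_opts = 0x0000;` should be `= 0;`, `const char * value` should be `const char *value`, and `qemu_opt_get(opts,"obsolete")` is missing the space after the comma that checkpatch.pl flags.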
From: Eduardo Otubo
To: qemu-devel@nongnu.org
Cc: Eduardo Otubo
Date: Fri, 14 Jul 2017 13:36:57 +0200
Message-Id: <20170714113700.21319-4-otubo@redhat.com>
In-Reply-To: <20170714113700.21319-1-otubo@redhat.com>
References: <20170714113700.21319-1-otubo@redhat.com>
Subject: [Qemu-devel] [PATCH 3/6] seccomp: add elevateprivileges argument to command line
Content-Transfer-Encoding: quoted-printable

This patch introduces the new argument [,elevateprivileges=allow|deny|children]
to the `-sandbox on'. It allows or denies the Qemu process to elevate its
privileges by blacklisting all set*uid|gid system calls. The 'children'
option will let forks and execves run unprivileged.

Signed-off-by: Eduardo Otubo
---
 include/sysemu/seccomp.h |  1 +
 qemu-options.hx          |  8 ++++++--
 qemu-seccomp.c           | 29 +++++++++++++++++++++++++++++
 vl.c                     | 18 ++++++++++++++++++
 4 files changed, 54 insertions(+), 2 deletions(-)

diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h
index 7a7bde246b..e6e78d85ce 100644
--- a/include/sysemu/seccomp.h
+++ b/include/sysemu/seccomp.h
@@ -16,6 +16,7 @@ #define QEMU_SECCOMP_H =20 #define OBSOLETE 0x0001 +#define PRIVILEGED 0x0010 =20 #include =20 diff --git a/qemu-options.hx b/qemu-options.hx index c3200f303b..6dc776aae3 100644 --- a/qemu-options.hx +++ b/qemu-options.hx
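Review bot: `PRIVILEGED 0x0010` continues a one-hex-digit-per-flag pattern (0x0001, 0x0010, next 0x0100) while seccomp_start() takes the flags in a `uint8_t`, which holds only the two values defined so far: the next step in this pattern, 0x0100, is 256 and does not fit in eight bits. Define the flags as `1 << 0`, `1 << 1`, `1 << 2` (or widen the parameter to `unsigned int`), and give them a `QEMU_SECCOMP_` prefix, since a bare `PRIVILEGED` in a public header is an invitation for a name clash.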
@@ -4004,8 +4004,10 @@ Old param mode (ARM only). ETEXI =20 DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ - "-sandbox on[,obsolete=3Dallow] Enable seccomp mode 2 system call fil= ter (default 'off').\n" \ - " obsolete: Allow obsolete system calls", + "-sandbox on[,obsolete=3Dallow][,elevateprivileges=3Dallow|deny|childr= en]\n" \ + " Enable seccomp mode 2 system call filt= er (default 'off').\n" \ + " obsolete: Allow obsolete system calls\= n" \ + " elevateprivileges: allows or denies Qe= mu process to elevate its privileges by blacklisting all set*uid|gid system= calls. 'children' will deny set*uid|gid system calls for main Qemu process= but will allow forks and execves to run unprivileged", QEMU_ARCH_ALL) STEXI @item -sandbox @var{arg}[,obsolete=3D@var{string}] @@ -4015,6 +4017,8 @@ disable it. The default is 'off'. @table @option @item obsolete=3D@var{string} Enable Obsolete system calls +@item elevateprivileges=3D@var{string} +Disable set*uid|gid systema calls @end table ETEXI =20 diff --git a/qemu-seccomp.c b/qemu-seccomp.c index c6a8b28260..c204cef9ee 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -31,6 +31,19 @@ struct QemuSeccompSyscall { uint8_t priority; }; =20 +static const struct QemuSeccompSyscall privileged_syscalls[] =3D { + { SCMP_SYS(setuid), 255 }, + { SCMP_SYS(setgid), 255 }, + { SCMP_SYS(setpgid), 255 }, + { SCMP_SYS(setsid), 255 }, + { SCMP_SYS(setreuid), 255 }, + { SCMP_SYS(setregid), 255 }, + { SCMP_SYS(setresuid), 255 }, + { SCMP_SYS(setresgid), 255 }, + { SCMP_SYS(setfsuid), 255 }, + { SCMP_SYS(setfsgid), 255 }, +}; + static const struct QemuSeccompSyscall obsolete[] =3D { { SCMP_SYS(readdir), 255 }, { SCMP_SYS(_sysctl), 255 }, 
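Review bot: privileged_syscalls[] does not match what the commit message and help text promise ("all set*uid|gid system calls"): `setgroups`, which changes the supplementary group list, is missing, as are the 32-bit variants (`setuid32`, `setgid32`, `setreuid32`, `setregid32`, `setresuid32`, `setresgid32`, `setfsuid32`, `setfsgid32`) that glibc uses on i386 and 32-bit ARM hosts, so on those hosts `elevateprivileges=deny` does not block the calls the libc wrappers actually make (the whitelist removed in patch 1 listed the `*32` variants for exactly this reason). Conversely `setpgid` and `setsid` are process-group and session calls that do not change credentials and that ordinary unprivileged code (daemonising, job control) relies on, so they look out of place in a privilege table. In the texinfo hunk, "systema calls" is a typo for "system calls", and the very long `elevateprivileges:` help string should be wrapped across several `"..." \` lines like the ones above it.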
@@ -110,6 +123,22 @@ int seccomp_start(uint8_t seccomp_opts) } } =20 + if (seccomp_opts & PRIVILEGED) { + for (i =3D 0; i < ARRAY_SIZE(privileged_syscalls); i++) { + rc =3D seccomp_rule_add(ctx, SCMP_ACT_KILL, + privileged_syscalls[i].num, 0); + if (rc < 0) { + goto seccomp_return; + } + rc =3D seccomp_syscall_priority(ctx, privileged_syscalls[i].nu= m, + privileged_syscalls[i].priority); + if (rc < 0) { + goto seccomp_return; + } + } + } + + rc =3D seccomp_load(ctx); =20 seccomp_return: diff --git a/vl.c b/vl.c index 6a297851aa..0b857083a3 100644 --- a/vl.c +++ b/vl.c @@ -275,6 +275,10 @@ static QemuOptsList qemu_sandbox_opts =3D { .name =3D "obsolete", .type =3D QEMU_OPT_STRING, }, + { + .name =3D "elevateprivileges", + .type =3D QEMU_OPT_STRING, + }, { /* end of list */ } }, }; 
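Review bot: the PRIVILEGED block is a verbatim copy of the blacklist[] loop above it, and the following patch copies it a third time for SPAWN. A small helper, e.g. `static int seccomp_add_table(scmp_filter_ctx ctx, const struct QemuSeccompSyscall *tbl, size_t n)` that runs the seccomp_rule_add()/seccomp_syscall_priority() pair over a table and returns the first failure, would turn each option into a single `if (seccomp_opts & PRIVILEGED) { rc = seccomp_add_table(ctx, privileged_syscalls, ARRAY_SIZE(privileged_syscalls)); ... }` and keep the error handling in one place. The hunk also leaves two consecutive blank lines before `rc = seccomp_load(ctx);`.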
@@ -1046,6 +1050,20 @@ static int parse_sandbox(void *opaque, QemuOpts *opt= s, Error **errp) } } =20 + value =3D qemu_opt_get(opts,"elevateprivileges"); + if (value) { + if (strcmp(value, "deny") =3D=3D 0) { + seccomp_opts |=3D PRIVILEGED; + } + if (strcmp(value, "children") =3D=3D 0) { + seccomp_opts |=3D PRIVILEGED; + + /* calling prctl directly because we're + * not sure if host has CAP_SYS_ADMIN set*/ + prctl(PR_SET_NO_NEW_PRIVS, 1); + } + } + if (seccomp_start(seccomp_opts) < 0) { error_report("failed to install seccomp syscall filter " "in the kernel"); --=20 2.13.0
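Review bot: the `children` branch calls `prctl(PR_SET_NO_NEW_PRIVS, 1)` without checking the return value and without the trailing `0, 0, 0` arguments prctl(2) documents for this operation. More importantly, it is unclear what `children` adds over `deny`: libseccomp's seccomp_load() already sets no_new_privs before installing the filter unless the SCMP_FLTATR_CTL_NNP attribute has been cleared (and PR_SET_NO_NEW_PRIVS needs no capability, so the CAP_SYS_ADMIN comment does not explain the call), and a seccomp filter is inherited across fork() and execve() anyway, so after seccomp_start() both values leave the process and its descendants unable to call set*uid|gid or to gain privilege through a setuid binary. Please spell out the intended difference in the commit message and help text, or fold the two values together. As with `obsolete=`, a misspelt value is silently ignored here and `allow` is accepted only by doing nothing.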
From: Eduardo Otubo
To: qemu-devel@nongnu.org
Cc: Eduardo Otubo
Date: Fri, 14 Jul 2017 13:36:58 +0200
Message-Id: <20170714113700.21319-5-otubo@redhat.com>
In-Reply-To: <20170714113700.21319-1-otubo@redhat.com>
References: <20170714113700.21319-1-otubo@redhat.com>
Subject: [Qemu-devel] [PATCH 4/6] seccomp: add spawn argument to command line
Content-Transfer-Encoding: quoted-printable

This patch adds the [,spawn=deny] argument to the `-sandbox on' option. It
blacklists the fork and execve system calls, preventing Qemu from spawning
new threads or processes.

Signed-off-by: Eduardo Otubo
---
 include/sysemu/seccomp.h |  1 +
 qemu-options.hx          |  5 ++++-
 qemu-seccomp.c           | 19 +++++++++++++++++++
 vl.c                     | 11 +++++++++++
 4 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h
index e6e78d85ce..f1614d6514 100644
--- a/include/sysemu/seccomp.h
+++ b/include/sysemu/seccomp.h
@@ -17,6 +17,7 @@ =20 #define OBSOLETE 0x0001 #define PRIVILEGED 0x0010 +#define SPAWN 0x0100 =20 #include =20 diff --git a/qemu-options.hx b/qemu-options.hx index 6dc776aae3..611a501684 100644 --- a/qemu-options.hx +++ b/qemu-options.hx
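Review bot: `#define SPAWN 0x0100` does not fit the `uint8_t seccomp_opts` that parse_sandbox() builds and seccomp_start() receives: 0x0100 is 256, so `seccomp_opts |= SPAWN` stores 0 and `seccomp_opts & SPAWN` in seccomp_start() is never true, which makes `spawn=deny` a silent no-op. Use `1 << 2` (0x04) here, or widen the flags parameter to `unsigned int`; a quick test that `-sandbox on,spawn=deny` actually kills a process that calls fork() would have caught this. Like the other two flags, `SPAWN` is also too generic a name for a public header and should carry a `QEMU_SECCOMP_` prefix.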
@@ -4004,10 +4004,11 @@ Old param mode (ARM only). ETEXI =20 DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ - "-sandbox on[,obsolete=3Dallow][,elevateprivileges=3Dallow|deny|childr= en]\n" \ + "-sandbox on[,obsolete=3Dallow][,elevateprivileges=3Dallow|deny|childr= en][,spawn=3Ddeny]\n" \ " Enable seccomp mode 2 system call filt= er (default 'off').\n" \ " obsolete: Allow obsolete system calls\= n" \ " elevateprivileges: allows or denies Qe= mu process to elevate its privileges by blacklisting all set*uid|gid system= calls. 'children' will deny set*uid|gid system calls for main Qemu process= but will allow forks and execves to run unprivileged", + " spawn: avoids Qemu to spawn new thread= s or processes by blacklisting *fork and execve\n" QEMU_ARCH_ALL) STEXI @item -sandbox @var{arg}[,obsolete=3D@var{string}] @@ -4019,6 +4020,8 @@ disable it. The default is 'off'. Enable Obsolete system calls @item elevateprivileges=3D@var{string} Disable set*uid|gid systema calls +@item spawn=3D@var{string} +Disable *fork and execve @end table ETEXI =20 diff --git a/qemu-seccomp.c b/qemu-seccomp.c index c204cef9ee..075d87e27f 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -31,6 +31,12 @@ struct QemuSeccompSyscall { uint8_t priority; }; =20 +static const struct QemuSeccompSyscall spawn_syscalls[] =3D { + { SCMP_SYS(fork), 255 }, + { SCMP_SYS(vfork), 255 }, + { SCMP_SYS(execve), 255 }, +}; + static const struct QemuSeccompSyscall privileged_syscalls[] =3D { { SCMP_SYS(setuid), 255 }, { SCMP_SYS(setgid), 255 }, @@ -138,6 +144,19 @@ int seccomp_start(uint8_t seccomp_opts) } } =20 + if (seccomp_opts & SPAWN) { + for (i =3D 0; i < ARRAY_SIZE(spawn_syscalls); i++) { + rc =3D seccomp_rule_add(ctx, SCMP_ACT_KILL, spawn_syscalls[i].= num, 0); + if (rc < 0) { + goto seccomp_return; + } + rc =3D seccomp_syscall_priority(ctx, spawn_syscalls[i].num, + spawn_syscalls[i].priority); + if (rc < 0) { + goto seccomp_return; + } + } + } =20 rc =3D seccomp_load(ctx); =20 
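Review bot: the DEF() hunk breaks the macro invocation: the preceding `elevateprivileges:` help string still ends in `",` (it was the last string, and the comma separated it from QEMU_ARCH_ALL), and the new `spawn:` string is inserted after that comma with no `\` or comma of its own, so the help text now ends at "unprivileged" and the `spawn:` literal lands in the arch_mask argument juxtaposed with `QEMU_ARCH_ALL`, which does not compile and would not be printed by `-help` even if it did. Move the comma: end the `elevateprivileges:` line with `\n" \` and the `spawn:` line with `",`, matching the other lines of the block. In the spawn_syscalls[] hunk, the table (`fork`, `vfork`, `execve`) does not deliver what the commit message claims ("avoiding Qemu to spawn new threads or processes"): on Linux glibc implements fork() with the `clone` syscall and pthread_create() uses `clone` too, so neither is affected by these three rules, and `execveat` is left open beside `execve`. Blocking `clone` outright would break QEMU's own vCPU and I/O threads, so the honest choices are a `clone` rule with an argument filter on the flags (allowing CLONE_THREAD, denying process creation) or rewording the option and texinfo to say it blocks only the raw `fork`/`vfork`/`execve` syscalls. "avoids Qemu to spawn" in both the help string and the `@item spawn=@var{string}` entry should read "prevents Qemu from spawning".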
diff --git a/vl.c b/vl.c index 0b857083a3..456a518431 100644 --- a/vl.c +++ b/vl.c @@ -279,6 +279,10 @@ static QemuOptsList qemu_sandbox_opts =3D { .name =3D "elevateprivileges", .type =3D QEMU_OPT_STRING, }, + { + .name =3D "spawn", + .type =3D QEMU_OPT_STRING, + }, { /* end of list */ } }, }; 
@@ -1064,6 +1068,13 @@ static int parse_sandbox(void *opaque, QemuOpts *opt= s, Error **errp) } } =20 + value =3D qemu_opt_get(opts,"spawn"); + if (value) { + if (strcmp(value, "deny") =3D=3D 0) { + seccomp_opts |=3D SPAWN; + } + } + if (seccomp_start(seccomp_opts) < 0) { error_report("failed to install seccomp syscall filter " "in the kernel"); --=20 2.13.0
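Review bot: in the include/sysemu/seccomp.h hunk, `+#define SPAWN 0x0100` does not fit the `uint8_t seccomp_opts` parameter shown in the qemu-seccomp.c hunk header (`int seccomp_start(uint8_t seccomp_opts)`), so the flag is truncated to 0 on the call and `if (seccomp_opts & SPAWN)` can never be true: spawn=deny would be accepted and install nothing. Either widen the parameter (and the variable parse_sandbox builds the flags in) to `uint32_t`, or number the flags so they fit eight bits (OBSOLETE 0x1, PRIVILEGED 0x2, SPAWN 0x4), and add a build-time check that every flag fits the type.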
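Review bot: in the qemu-options.hx DEF hunk, the new `" spawn: ... execve\n"` string is inserted after the elevateprivileges line, which ends with `unprivileged",`; that comma already closes the help-text argument, so the spawn string is glued onto `QEMU_ARCH_ALL` instead of being concatenated into the help text, and the build cannot succeed as written. Move the comma: end the elevateprivileges string with `\n"` and terminate the new spawn string with `",`. The texinfo hunk keeps the pre-existing `systema calls` typo in its context line, worth fixing while touching the block.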
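Review bot: in the qemu-seccomp.c hunk, `spawn_syscalls[]` lists only fork, vfork and execve, while the help text promises to stop QEMU from spawning "new threads or processes" by "blacklisting *fork and execve". Threads are created through clone, which is not in the list, so the documented guarantee is stronger than what the filter enforces; either narrow the description to fork/vfork/execve or explain in the commit message why clone is deliberately left out (QEMU itself needs threads). execveat is also not covered by a rule on execve alone.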
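Review bot: in the vl.c parse_sandbox hunk, `if (strcmp(value, "deny") == 0)` is the only branch, so any other value for spawn= (a typo, or an explicit `spawn=allow`) is accepted silently and leaves the restriction off; the user gets a weaker sandbox than they asked for and no error. Add an `else` that reports the unknown value through `error_report` and fails the parse, the same way the function already fails when `seccomp_start` returns an error. Style nit: `qemu_opt_get(opts,"spawn")` wants a space after the comma.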
From: Eduardo Otubo To: qemu-devel@nongnu.org Date: Fri, 14 Jul 2017 13:36:59 +0200 Message-Id: <20170714113700.21319-6-otubo@redhat.com> In-Reply-To: <20170714113700.21319-1-otubo@redhat.com> References: <20170714113700.21319-1-otubo@redhat.com> Subject: [Qemu-devel] [PATCH 5/6] seccomp: add resourcecontrol argument to command line Cc: Eduardo Otubo
This patch adds [,resourcecontrol=deny] to the `-sandbox on' option. It blacklists all process affinity and scheduler priority system calls to avoid any bigger of the process.
Signed-off-by: Eduardo Otubo --- include/sysemu/seccomp.h | 1 + qemu-options.hx | 5 ++++- qemu-seccomp.c | 27 +++++++++++++++++++++++++++ vl.c | 11 +++++++++++ 4 files changed, 43 insertions(+), 1 deletion(-) diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h index f1614d6514..c7003dd197 100644 --- a/include/sysemu/seccomp.h +++ b/include/sysemu/seccomp.h @@ -18,6 +18,7 @@ #define OBSOLETE 0x0001 #define PRIVILEGED 0x0010 #define SPAWN 0x0100 +#define RESOURCECTL 0x1000 =20 #include =20 diff --git a/qemu-options.hx b/qemu-options.hx index 611a501684..77b437a052 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -4004,11 +4004,12 @@ Old param mode (ARM only). ETEXI =20 DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ - "-sandbox on[,obsolete=3Dallow][,elevateprivileges=3Dallow|deny|childr= en][,spawn=3Ddeny]\n" \ + "-sandbox on[,obsolete=3Dallow][,elevateprivileges=3Dallow|deny|childr= en][,spawn=3Ddeny][,resourcecontrol=3Ddeny]\n" \ " Enable seccomp mode 2 system call filt= er (default 'off').\n" \ " obsolete: Allow obsolete system calls\= n" \ " elevateprivileges: allows or denies Qe= mu process to elevate its privileges by blacklisting all set*uid|gid system= calls. 'children' will deny set*uid|gid system calls for main Qemu process= but will allow forks and execves to run unprivileged", " spawn: avoids Qemu to spawn new thread= s or processes by blacklisting *fork and execve\n" + " resourcecontrol: disable process affin= ity and schedular priority\n", QEMU_ARCH_ALL) STEXI @item -sandbox @var{arg}[,obsolete=3D@var{string}] @@ -4022,6 +4023,8 @@ Enable Obsolete system calls Disable set*uid|gid systema calls @item spawn=3D@var{string} Disable *fork and execve +@item resourcecontrol=3D@var{string} +Disable process affinity and schedular priority @end table ETEXI =20 diff --git a/qemu-seccomp.c b/qemu-seccomp.c index 075d87e27f..a9a35456e9 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c 
@@ -31,6 +31,19 @@ struct QemuSeccompSyscall { uint8_t priority; }; =20 +static const struct QemuSeccompSyscall resourcecontrol_syscalls[] =3D { + { SCMP_SYS(getpriority), 255 }, + { SCMP_SYS(setpriority), 255 }, + { SCMP_SYS(sched_setparam), 255 }, + { SCMP_SYS(sched_getparam), 255 }, + { SCMP_SYS(sched_setscheduler), 255 }, + { SCMP_SYS(sched_getscheduler), 255 }, + { SCMP_SYS(sched_setaffinity), 255 }, + { SCMP_SYS(sched_getaffinity), 255 }, + { SCMP_SYS(sched_get_priority_max), 255 }, + { SCMP_SYS(sched_get_priority_min), 255 }, +}; + static const struct QemuSeccompSyscall spawn_syscalls[] =3D { { SCMP_SYS(fork), 255 }, { SCMP_SYS(vfork), 255 }, @@ -158,6 +171,20 @@ int seccomp_start(uint8_t seccomp_opts) } } =20 + if (seccomp_opts & RESOURCECTL) { + for (i =3D 0; i < ARRAY_SIZE(resourcecontrol_syscalls); i++) { + rc =3D seccomp_rule_add(ctx, SCMP_ACT_KILL, resourcecontrol_sy= scalls[i].num, 0); + if (rc < 0) { + goto seccomp_return; + } + rc =3D seccomp_syscall_priority(ctx, resourcecontrol_syscalls[= i].num, + resourcecontrol_syscalls[i].priority); + if (rc < 0) { + goto seccomp_return; + } + } + } + rc =3D seccomp_load(ctx); =20 seccomp_return: diff --git a/vl.c b/vl.c index 456a518431..8e92052603 100644 --- a/vl.c +++ b/vl.c @@ -283,6 +283,10 @@ static QemuOptsList qemu_sandbox_opts =3D { .name =3D "spawn", .type =3D QEMU_OPT_STRING, }, + { + .name =3D "resourcecontrol", + .type =3D QEMU_OPT_STRING, + }, { /* end of list */ } }, }; 
@@ -1075,6 +1079,13 @@ static int parse_sandbox(void *opaque, QemuOpts *opt= s, Error **errp) } } =20 + value =3D qemu_opt_get(opts,"resourcecontrol"); + if (value) { + if (strcmp(value, "deny") =3D=3D 0) { + seccomp_opts |=3D RESOURCECTL; + } + } + if (seccomp_start(seccomp_opts) < 0) { error_report("failed to install seccomp syscall filter " "in the kernel"); --=20 2.13.0
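Review bot: in the include/sysemu/seccomp.h hunk, `+#define RESOURCECTL 0x1000` has the same width problem as SPAWN: the `int seccomp_start(uint8_t seccomp_opts)` signature in the qemu-seccomp.c hunk header cannot hold a 16-bit flag, so `seccomp_opts & RESOURCECTL` is always zero and resourcecontrol=deny installs no rules. Fix the flag width (or renumber the flags to fit eight bits) before adding a fourth one on top of the broken scheme.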
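Review bot: in both qemu-options.hx hunks, "schedular" should be "scheduler" (the help string and the @item line). The new help line `" resourcecontrol: ... priority\n",` now carries the trailing comma, but the elevateprivileges context line above still ends with `unprivileged",`, so the help argument is still split in two and the DEF invocation does not build as intended; remove that earlier comma and end that string with `\n"`.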
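Review bot: in the qemu-seccomp.c hunk, `resourcecontrol_syscalls[]` puts read-only queries (getpriority, sched_getparam, sched_getscheduler, sched_getaffinity, sched_get_priority_max, sched_get_priority_min) under SCMP_ACT_KILL alongside the setters. Killing the whole VM because a library asked which CPUs it may run on is out of proportion to the stated goal of stopping the process from changing its own priority or affinity; keep SCMP_ACT_KILL for the set* calls and either drop the getters from the list or answer them with SCMP_ACT_ERRNO so the guest keeps running. The commit message is also missing a word: "to avoid any bigger of the process" does not say what is being avoided.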
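Review bot: in the vl.c parse_sandbox hunk, the resourcecontrol= parser repeats the spawn= pattern: only `"deny"` is recognised and every other value is ignored without an error, so a misspelled value silently yields a less restrictive filter. Report unknown values with `error_report` and fail the parse, and consider folding the three identical `qemu_opt_get` / `strcmp` blocks into one helper that maps an option name to its flag.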
From: Eduardo Otubo To: qemu-devel@nongnu.org Date: Fri, 14 Jul 2017 13:37:00 +0200 Message-Id: <20170714113700.21319-7-otubo@redhat.com> In-Reply-To: <20170714113700.21319-1-otubo@redhat.com> References: <20170714113700.21319-1-otubo@redhat.com> Subject: [Qemu-devel] [PATCH 6/6] seccomp: adding documentation to new seccomp model Cc: Eduardo Otubo
Adding new documentation under docs/ to describe each and every new option added by the refactoring patchset.
Signed-off-by: Eduardo Otubo --- docs/seccomp.txt | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 docs/seccomp.txt
diff --git a/docs/seccomp.txt b/docs/seccomp.txt new file mode 100644 index 0000000000..4b7edba312 --- /dev/null +++ b/docs/seccomp.txt @@ -0,0 +1,31 @@ +QEMU Seccomp system call filter +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D + +Starting from Qemu version 2.10, the seccomp filter does not work as a +whitelist but as a blacklist instead. This method allows safer deploys sin= ce +only the strictly forbidden system calls will be black-listed and the +possibility of breaking any workload is close to zero. + +The default option (-sandbox on) has a slightly looser security though and= the +reason is that it shouldn't break any backwards compatibility with previous +deploys and command lines already running. But if the intent is to have a +better security from this version on, one should make use of the following +additional options properly: + +* [,obsolete=3Dallow]: It allows Qemu to run safely on old system that sti= ll + relies on old system calls. + +* [,elevateprivileges=3Ddeny|allow|children]: It allows or denies Qemu pro= cess + to elevate its privileges by blacklisting all set*uid|gid system calls. = The + 'children' option sets the PR_SET_NO_NEW_PRIVS to 1 which allows helpers + (forls and execs) to run unprivileged. + +* [,spawn=3Ddeny]: It blacklists fork and execve syste calls, avoiding Qem= u to + spawn new threads or processes. + +* [,resourcecontrol=3Ddeny]: It blacklists all process affinity and schedu= ler + priority system calls to avoid any bigger of the process. + + +-- +Eduardo Otubo --=20 2.13.0
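Review bot: the docs/seccomp.txt hunk overstates the security of the new model. "This method allows safer deploys" and "the possibility of breaking any workload is close to zero" describe compatibility, not safety: a blacklist permits every system call not on the list, including ones added to the kernel after the list was written, so the text should say plainly that the default trades attack-surface reduction for compatibility and that the extra options restore part of it. Typos in the added lines: "forls and execs" (forks), "syste calls" (system), "Qemu" (QEMU, as in the title line), and "to avoid any bigger of the process" is missing its object. The spawn entry says "fork and execve" while the -sandbox help text says "*fork and execve"; both should match what spawn_syscalls[] actually blocks (fork, vfork, execve). The `--` / "Eduardo Otubo" signature lines at the end of the file do not belong in the documentation.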