From: Eduardo Otubo
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Thomas Huth, Fam Zheng
Date: Fri, 15 Sep 2017 10:41:34 +0200
Message-Id: <20170915084139.4481-2-otubo@redhat.com>
In-Reply-To: <20170915084139.4481-1-otubo@redhat.com>
Subject: [Qemu-devel] [PULL 01/06] seccomp: changing from whitelist to blacklist

This patch changes the default behavior of the seccomp filter from
whitelist to blacklist. By default now all system calls are allowed and
a small black list of definitely forbidden ones was created.

Signed-off-by: Eduardo Otubo
Reviewed-by: Thomas Huth
Reviewed-by: Daniel P. Berrange
---
 include/sysemu/seccomp.h |   2 +
 qemu-seccomp.c           | 260 +++++-------------------------
 vl.c                     |   1 -
 3 files changed, 30 insertions(+), 233 deletions(-)

diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h index cfc06008cb..23b9c3c789 100644 --- a/include/sysemu/seccomp.h +++ b/include/sysemu/seccomp.h
@@ -15,6 +15,8 @@ #ifndef QEMU_SECCOMP_H #define QEMU_SECCOMP_H =20 +#define QEMU_SECCOMP_SET_DEFAULT (1 << 0) + #include =20 int seccomp_start(void); diff --git a/qemu-seccomp.c b/qemu-seccomp.c index df75d9c471..f66613fc71 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c 
@@ -28,232 +28,33 @@ =20 struct QemuSeccompSyscall { int32_t num; - uint8_t priority; + uint8_t set; }; =20 -static const struct QemuSeccompSyscall seccomp_whitelist[] =3D { - { SCMP_SYS(timer_settime), 255 }, - { SCMP_SYS(timer_gettime), 254 }, - { SCMP_SYS(futex), 253 }, - { SCMP_SYS(select), 252 }, - { SCMP_SYS(recvfrom), 251 }, - { SCMP_SYS(sendto), 250 }, - { SCMP_SYS(socketcall), 250 }, - { SCMP_SYS(read), 249 }, - { SCMP_SYS(io_submit), 249 }, - { SCMP_SYS(brk), 248 }, - { SCMP_SYS(clone), 247 }, - { SCMP_SYS(mmap), 247 }, - { SCMP_SYS(mprotect), 246 }, - { SCMP_SYS(execve), 245 }, - { SCMP_SYS(open), 245 }, - { SCMP_SYS(ioctl), 245 }, - { SCMP_SYS(socket), 245 }, - { SCMP_SYS(setsockopt), 245 }, - { SCMP_SYS(recvmsg), 245 }, - { SCMP_SYS(sendmsg), 245 }, - { SCMP_SYS(accept), 245 }, - { SCMP_SYS(connect), 245 }, - { SCMP_SYS(socketpair), 245 }, - { SCMP_SYS(bind), 245 }, - { SCMP_SYS(listen), 245 }, - { SCMP_SYS(semget), 245 }, - { SCMP_SYS(ipc), 245 }, - { SCMP_SYS(gettimeofday), 245 }, - { SCMP_SYS(readlink), 245 }, - { SCMP_SYS(access), 245 }, - { SCMP_SYS(prctl), 245 }, - { SCMP_SYS(signalfd), 245 }, - { SCMP_SYS(getrlimit), 245 }, - { SCMP_SYS(getrusage), 245 }, - { SCMP_SYS(set_tid_address), 245 }, - { SCMP_SYS(statfs), 245 }, - { SCMP_SYS(unlink), 245 }, - { SCMP_SYS(wait4), 245 }, - { SCMP_SYS(fcntl64), 245 }, - { SCMP_SYS(fstat64), 245 }, - { SCMP_SYS(stat64), 245 }, - { SCMP_SYS(getgid32), 245 }, - { SCMP_SYS(getegid32), 245 }, - { SCMP_SYS(getuid32), 245 }, - { SCMP_SYS(geteuid32), 245 }, - { SCMP_SYS(sigreturn), 245 }, - { SCMP_SYS(_newselect), 245 }, - { SCMP_SYS(_llseek), 245 }, - { SCMP_SYS(mmap2), 245 }, - { SCMP_SYS(sigprocmask), 245 }, - { SCMP_SYS(sched_getparam), 245 }, - { SCMP_SYS(sched_getscheduler), 245 }, - { SCMP_SYS(fstat), 245 }, - { SCMP_SYS(clock_getres), 245 }, - { SCMP_SYS(sched_get_priority_min), 245 }, - { SCMP_SYS(sched_get_priority_max), 245 }, - { SCMP_SYS(stat), 245 }, - { SCMP_SYS(uname), 245 }, - { SCMP_SYS(eventfd2), 
245 }, - { SCMP_SYS(io_getevents), 245 }, - { SCMP_SYS(dup), 245 }, - { SCMP_SYS(dup2), 245 }, - { SCMP_SYS(dup3), 245 }, - { SCMP_SYS(gettid), 245 }, - { SCMP_SYS(getgid), 245 }, - { SCMP_SYS(getegid), 245 }, - { SCMP_SYS(getuid), 245 }, - { SCMP_SYS(geteuid), 245 }, - { SCMP_SYS(timer_create), 245 }, - { SCMP_SYS(times), 245 }, - { SCMP_SYS(exit), 245 }, - { SCMP_SYS(clock_gettime), 245 }, - { SCMP_SYS(time), 245 }, - { SCMP_SYS(restart_syscall), 245 }, - { SCMP_SYS(pwrite64), 245 }, - { SCMP_SYS(nanosleep), 245 }, - { SCMP_SYS(chown), 245 }, - { SCMP_SYS(openat), 245 }, - { SCMP_SYS(getdents), 245 }, - { SCMP_SYS(timer_delete), 245 }, - { SCMP_SYS(exit_group), 245 }, - { SCMP_SYS(rt_sigreturn), 245 }, - { SCMP_SYS(sync), 245 }, - { SCMP_SYS(pread64), 245 }, - { SCMP_SYS(madvise), 245 }, - { SCMP_SYS(set_robust_list), 245 }, - { SCMP_SYS(lseek), 245 }, - { SCMP_SYS(pselect6), 245 }, - { SCMP_SYS(fork), 245 }, - { SCMP_SYS(rt_sigprocmask), 245 }, - { SCMP_SYS(write), 244 }, - { SCMP_SYS(fcntl), 243 }, - { SCMP_SYS(tgkill), 242 }, - { SCMP_SYS(kill), 242 }, - { SCMP_SYS(rt_sigaction), 242 }, - { SCMP_SYS(pipe2), 242 }, - { SCMP_SYS(munmap), 242 }, - { SCMP_SYS(mremap), 242 }, - { SCMP_SYS(fdatasync), 242 }, - { SCMP_SYS(close), 242 }, - { SCMP_SYS(rt_sigpending), 242 }, - { SCMP_SYS(rt_sigtimedwait), 242 }, - { SCMP_SYS(readv), 242 }, - { SCMP_SYS(writev), 242 }, - { SCMP_SYS(preadv), 242 }, - { SCMP_SYS(pwritev), 242 }, - { SCMP_SYS(setrlimit), 242 }, - { SCMP_SYS(ftruncate), 242 }, - { SCMP_SYS(lstat), 242 }, - { SCMP_SYS(pipe), 242 }, - { SCMP_SYS(umask), 242 }, - { SCMP_SYS(chdir), 242 }, - { SCMP_SYS(setitimer), 242 }, - { SCMP_SYS(setsid), 242 }, - { SCMP_SYS(poll), 242 }, - { SCMP_SYS(epoll_create), 242 }, - { SCMP_SYS(epoll_ctl), 242 }, - { SCMP_SYS(epoll_wait), 242 }, - { SCMP_SYS(waitpid), 242 }, - { SCMP_SYS(getsockname), 242 }, - { SCMP_SYS(getpeername), 242 }, - { SCMP_SYS(accept4), 242 }, - { SCMP_SYS(timerfd_settime), 242 }, - { SCMP_SYS(newfstatat), 
241 }, - { SCMP_SYS(shutdown), 241 }, - { SCMP_SYS(getsockopt), 241 }, - { SCMP_SYS(semop), 241 }, - { SCMP_SYS(semtimedop), 241 }, - { SCMP_SYS(epoll_ctl_old), 241 }, - { SCMP_SYS(epoll_wait_old), 241 }, - { SCMP_SYS(epoll_pwait), 241 }, - { SCMP_SYS(epoll_create1), 241 }, - { SCMP_SYS(ppoll), 241 }, - { SCMP_SYS(creat), 241 }, - { SCMP_SYS(link), 241 }, - { SCMP_SYS(getpid), 241 }, - { SCMP_SYS(getppid), 241 }, - { SCMP_SYS(getpgrp), 241 }, - { SCMP_SYS(getpgid), 241 }, - { SCMP_SYS(getsid), 241 }, - { SCMP_SYS(getdents64), 241 }, - { SCMP_SYS(getresuid), 241 }, - { SCMP_SYS(getresgid), 241 }, - { SCMP_SYS(getgroups), 241 }, - { SCMP_SYS(getresuid32), 241 }, - { SCMP_SYS(getresgid32), 241 }, - { SCMP_SYS(getgroups32), 241 }, - { SCMP_SYS(signal), 241 }, - { SCMP_SYS(sigaction), 241 }, - { SCMP_SYS(sigsuspend), 241 }, - { SCMP_SYS(sigpending), 241 }, - { SCMP_SYS(truncate64), 241 }, - { SCMP_SYS(ftruncate64), 241 }, - { SCMP_SYS(fchown32), 241 }, - { SCMP_SYS(chown32), 241 }, - { SCMP_SYS(lchown32), 241 }, - { SCMP_SYS(statfs64), 241 }, - { SCMP_SYS(fstatfs64), 241 }, - { SCMP_SYS(fstatat64), 241 }, - { SCMP_SYS(lstat64), 241 }, - { SCMP_SYS(sendfile64), 241 }, - { SCMP_SYS(ugetrlimit), 241 }, - { SCMP_SYS(alarm), 241 }, - { SCMP_SYS(rt_sigsuspend), 241 }, - { SCMP_SYS(rt_sigqueueinfo), 241 }, - { SCMP_SYS(rt_tgsigqueueinfo), 241 }, - { SCMP_SYS(sigaltstack), 241 }, - { SCMP_SYS(signalfd4), 241 }, - { SCMP_SYS(truncate), 241 }, - { SCMP_SYS(fchown), 241 }, - { SCMP_SYS(lchown), 241 }, - { SCMP_SYS(fchownat), 241 }, - { SCMP_SYS(fstatfs), 241 }, - { SCMP_SYS(getitimer), 241 }, - { SCMP_SYS(syncfs), 241 }, - { SCMP_SYS(fsync), 241 }, - { SCMP_SYS(fchdir), 241 }, - { SCMP_SYS(msync), 241 }, - { SCMP_SYS(sched_setparam), 241 }, - { SCMP_SYS(sched_setscheduler), 241 }, - { SCMP_SYS(sched_yield), 241 }, - { SCMP_SYS(sched_rr_get_interval), 241 }, - { SCMP_SYS(sched_setaffinity), 241 }, - { SCMP_SYS(sched_getaffinity), 241 }, - { SCMP_SYS(readahead), 241 }, - { 
SCMP_SYS(timer_getoverrun), 241 }, - { SCMP_SYS(unlinkat), 241 }, - { SCMP_SYS(readlinkat), 241 }, - { SCMP_SYS(faccessat), 241 }, - { SCMP_SYS(get_robust_list), 241 }, - { SCMP_SYS(splice), 241 }, - { SCMP_SYS(vmsplice), 241 }, - { SCMP_SYS(getcpu), 241 }, - { SCMP_SYS(sendmmsg), 241 }, - { SCMP_SYS(recvmmsg), 241 }, - { SCMP_SYS(prlimit64), 241 }, - { SCMP_SYS(waitid), 241 }, - { SCMP_SYS(io_cancel), 241 }, - { SCMP_SYS(io_setup), 241 }, - { SCMP_SYS(io_destroy), 241 }, - { SCMP_SYS(arch_prctl), 240 }, - { SCMP_SYS(mkdir), 240 }, - { SCMP_SYS(fchmod), 240 }, - { SCMP_SYS(shmget), 240 }, - { SCMP_SYS(shmat), 240 }, - { SCMP_SYS(shmdt), 240 }, - { SCMP_SYS(timerfd_create), 240 }, - { SCMP_SYS(shmctl), 240 }, - { SCMP_SYS(mlockall), 240 }, - { SCMP_SYS(mlock), 240 }, - { SCMP_SYS(munlock), 240 }, - { SCMP_SYS(semctl), 240 }, - { SCMP_SYS(fallocate), 240 }, - { SCMP_SYS(fadvise64), 240 }, - { SCMP_SYS(inotify_init1), 240 }, - { SCMP_SYS(inotify_add_watch), 240 }, - { SCMP_SYS(mbind), 240 }, - { SCMP_SYS(memfd_create), 240 }, -#ifdef HAVE_CACHEFLUSH - { SCMP_SYS(cacheflush), 240 }, -#endif - { SCMP_SYS(sysinfo), 240 }, +static const struct QemuSeccompSyscall blacklist[] =3D { + /* default set of syscalls to blacklist */ + { SCMP_SYS(reboot), QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(swapon), QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(swapoff), QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(syslog), QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(mount), QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(umount), QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(kexec_load), QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(afs_syscall), QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(break), QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(ftime), QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(getpmsg), QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(gtty), QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(lock), QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(mpx), QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(prof), QEMU_SECCOMP_SET_DEFAULT }, + { 
SCMP_SYS(profil), QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(putpmsg), QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(security), QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(stty), QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(tuxcall), QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(ulimit), QEMU_SECCOMP_SET_DEFAULT }, + { SCMP_SYS(vserver), QEMU_SECCOMP_SET_DEFAULT }, }; =20 int seccomp_start(void) @@ -262,19 +63,14 @@ int seccomp_start(void) unsigned int i =3D 0; scmp_filter_ctx ctx; =20 - ctx =3D seccomp_init(SCMP_ACT_KILL); + ctx =3D seccomp_init(SCMP_ACT_ALLOW); if (ctx =3D=3D NULL) { rc =3D -1; goto seccomp_return; } =20 - for (i =3D 0; i < ARRAY_SIZE(seccomp_whitelist); i++) { - rc =3D seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_whitelist[i].= num, 0); - if (rc < 0) { - goto seccomp_return; - } - rc =3D seccomp_syscall_priority(ctx, seccomp_whitelist[i].num, - seccomp_whitelist[i].priority); + for (i =3D 0; i < ARRAY_SIZE(blacklist); i++) { + rc =3D seccomp_rule_add(ctx, SCMP_ACT_KILL, blacklist[i].num, 0); if (rc < 0) { goto seccomp_return; } diff --git a/vl.c b/vl.c index fb1f05b937..76e0b3a946 100644 --- a/vl.c +++ b/vl.c 
@@ -1032,7 +1032,6 @@ static int bt_parse(const char *opt) =20 static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp) { - /* FIXME: change this to true for 1.3 */ if (qemu_opt_get_bool(opts, "enable", false)) { #ifdef CONFIG_SECCOMP if (seccomp_start() < 0) {
-- 
2.13.5
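Review bot: changing seccomp_init(SCMP_ACT_KILL) to seccomp_init(SCMP_ACT_ALLOW) makes the filter default-allow, so every syscall the old seccomp_whitelist[] omitted is now permitted, and the new QEMU_SECCOMP_SET_DEFAULT table is far from the "definitely forbidden" set the commit message describes. Calls a VM process has no business making, and which the old filter killed, are absent from it: init_module, finit_module and delete_module, kexec_file_load (next to kexec_load), ptrace, acct, setns, unshare, chroot, pivot_root, iopl, ioperm, settimeofday, clock_settime and adjtimex; please add them. Of the 22 entries that are listed, only reboot, swapon, swapoff, syslog, mount and kexec_load are live syscalls on x86_64: umount is the old i386 entry point and umount2, the one x86_64 actually has, is missing, so unmounting is not blocked on 64-bit hosts at all; afs_syscall, getpmsg, putpmsg, security, tuxcall and vserver are unimplemented stubs; break, ftime, gtty, lock, mpx, prof, profil, stty and ulimit are i386-only stubs. The table therefore relies on seccomp_rule_add() (as opposed to seccomp_rule_add_exact()) skipping names the host architecture lacks rather than returning rc < 0 and aborting the whole filter; that deserves a comment and a test on a non-x86 host. Minor: in include/sysemu/seccomp.h the new #define lands above the #include, and the array would read better as seccomp_blacklist to match the old seccomp_whitelist naming.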
From: Eduardo Otubo
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Thomas Huth, Fam Zheng
Date: Fri, 15 Sep 2017 10:41:35 +0200
Message-Id: <20170915084139.4481-3-otubo@redhat.com>
In-Reply-To: <20170915084139.4481-1-otubo@redhat.com>
Subject: [Qemu-devel] [PULL 02/06] seccomp: add obsolete argument to command line

This patch introduces the argument [,obsolete=allow] to the `-sandbox on'
option. It allows Qemu to run safely on old systems that still rely on
old system calls.

Signed-off-by: Eduardo Otubo
Reviewed-by: Thomas Huth
Reviewed-by: Daniel P. Berrange
---
 include/sysemu/seccomp.h |  3 ++-
 qemu-options.hx          | 12 ++++++++++--
 qemu-seccomp.c           | 19 ++++++++++++++++++-
 vl.c                     | 24 +++++++++++++++++++++++-
 4 files changed, 53 insertions(+), 5 deletions(-)
diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h index 23b9c3c789..215138a372 100644 --- a/include/sysemu/seccomp.h +++ b/include/sysemu/seccomp.h @@ -16,8 +16,9 @@ #define QEMU_SECCOMP_H =20 #define QEMU_SECCOMP_SET_DEFAULT (1 << 0) +#define QEMU_SECCOMP_SET_OBSOLETE (1 << 1) =20 #include =20 -int seccomp_start(void); +int seccomp_start(uint32_t seccomp_opts); #endif diff --git a/qemu-options.hx b/qemu-options.hx index 9f6e2adfff..72150c6b84 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -4017,13 +4017,21 @@ Old param mode (ARM only). ETEXI =20 DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ - "-sandbox Enable seccomp mode 2 system call filter (default 'of= f').\n", + "-sandbox on[,obsolete=3Dallow|deny]\n" \ + " Enable seccomp mode 2 system call filter (default 'of= f').\n" \ + " use 'obsolete' to allow obsolete system calls that ar= e provided\n" \ + " by the kernel, but typically no longer used by mo= dern\n" \ + " C library implementations.\n", QEMU_ARCH_ALL) STEXI -@item -sandbox @var{arg} +@item -sandbox @var{arg}[,obsolete=3D@var{string}] @findex -sandbox Enable Seccomp mode 2 system call filter. 'on' will enable syscall filteri= ng and 'off' will disable it. The default is 'off'. +@table @option +@item obsolete=3D@var{string} +Enable Obsolete system calls +@end table ETEXI =20 DEF("readconfig", HAS_ARG, QEMU_OPTION_readconfig, diff --git a/qemu-seccomp.c b/qemu-seccomp.c index f66613fc71..8a5fbd2ff1 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c 
@@ -55,9 +55,22 @@ static const struct QemuSeccompSyscall blacklist[] =3D { { SCMP_SYS(tuxcall), QEMU_SECCOMP_SET_DEFAULT }, { SCMP_SYS(ulimit), QEMU_SECCOMP_SET_DEFAULT }, { SCMP_SYS(vserver), QEMU_SECCOMP_SET_DEFAULT }, + /* obsolete */ + { SCMP_SYS(readdir), QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(_sysctl), QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(bdflush), QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(create_module), QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(get_kernel_syms), QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(query_module), QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(sgetmask), QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(ssetmask), QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(sysfs), QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(uselib), QEMU_SECCOMP_SET_OBSOLETE }, + { SCMP_SYS(ustat), QEMU_SECCOMP_SET_OBSOLETE }, }; =20 -int seccomp_start(void) + +int seccomp_start(uint32_t seccomp_opts) { int rc =3D 0; unsigned int i =3D 0; @@ -70,6 +83,10 @@ int seccomp_start(void) } =20 for (i =3D 0; i < ARRAY_SIZE(blacklist); i++) { + if (!(seccomp_opts & blacklist[i].set)) { + continue; + } + rc =3D seccomp_rule_add(ctx, SCMP_ACT_KILL, blacklist[i].num, 0); if (rc < 0) { goto seccomp_return; diff --git a/vl.c b/vl.c index 76e0b3a946..57c5e93c1a 100644 --- a/vl.c +++ b/vl.c @@ -271,6 +271,10 @@ static QemuOptsList qemu_sandbox_opts =3D { .name =3D "enable", .type =3D QEMU_OPT_BOOL, }, + { + .name =3D "obsolete", + .type =3D QEMU_OPT_STRING, + }, { /* end of list */ } }, }; 
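Review bot: the new test in the seccomp_start() loop, if (!(seccomp_opts & blacklist[i].set)) continue;, masks a uint32_t against the uint8_t 'set' member introduced in the previous patch; the four (1 << n) values defined so far fit, but a ninth set would be truncated to 0 in the initializer and its entries silently never enforced, so make 'set' uint32_t to match the parameter (or narrow the parameter to match the field). Style: the hunk leaves two blank lines between blacklist[] and int seccomp_start(uint32_t seccomp_opts) where the file had one.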
@@ -1034,7 +1038,25 @@ static int parse_sandbox(void *opaque, QemuOpts *opt= s, Error **errp) { if (qemu_opt_get_bool(opts, "enable", false)) { #ifdef CONFIG_SECCOMP - if (seccomp_start() < 0) { + uint32_t seccomp_opts =3D QEMU_SECCOMP_SET_DEFAULT + | QEMU_SECCOMP_SET_OBSOLETE; + const char *value =3D NULL; + + value =3D qemu_opt_get(opts, "obsolete"); + if (value) { + if (g_str_equal(value, "allow")) { + seccomp_opts &=3D ~QEMU_SECCOMP_SET_OBSOLETE; + } else if (g_str_equal(value, "deny")) { + /* this is the default option, this if is here + * to provide a little bit of consistency for + * the command line */ + } else { + error_report("invalid argument for obsolete"); + return -1; + } + } + + if (seccomp_start(seccomp_opts) < 0) { error_report("failed to install seccomp syscall filter " "in the kernel"); return -1;
-- 
2.13.5
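Review bot: parse_sandbox() now starts from QEMU_SECCOMP_SET_DEFAULT | QEMU_SECCOMP_SET_OBSOLETE, so obsolete calls are denied unless obsolete=allow is passed, but the texinfo entry added to qemu-options.hx ("@item obsolete=@var{string}" / "Enable Obsolete system calls") says neither that the accepted values are allow and deny nor that deny is the default; please document it as obsolete=allow|deny (default: deny). The empty "deny" branch kept for command-line symmetry is fine. Both error paths in the hunk use error_report() and return -1 while the Error **errp parameter goes unused here; error_setg(errp, ...) would let the caller decide how to surface the failure.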
From: Eduardo Otubo
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Thomas Huth, Fam Zheng
Date: Fri, 15 Sep 2017 10:41:36 +0200
Message-Id: <20170915084139.4481-4-otubo@redhat.com>
In-Reply-To: <20170915084139.4481-1-otubo@redhat.com>
Subject: [Qemu-devel] [PULL 03/06] seccomp: add elevateprivileges argument to command line

This patch introduces the new argument
[,elevateprivileges=allow|deny|children] to the `-sandbox on'. It allows
or denies the Qemu process to elevate its privileges by blacklisting all
set*uid|gid system calls. The 'children' option will let forks and
execves run unprivileged.

Signed-off-by: Eduardo Otubo
Reviewed-by: Thomas Huth
Reviewed-by: Daniel P. Berrange
---
 include/sysemu/seccomp.h |  1 +
 qemu-options.hx          | 12 +++++++++---
 qemu-seccomp.c           | 11 +++++++++++
 vl.c                     | 27 +++++++++++++++++++++++++++
 4 files changed, 48 insertions(+), 3 deletions(-)

diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h index 215138a372..4a9e63c7cd 100644 --- a/include/sysemu/seccomp.h +++ b/include/sysemu/seccomp.h @@ -17,6 +17,7 @@ =20 #define QEMU_SECCOMP_SET_DEFAULT (1 << 0) #define QEMU_SECCOMP_SET_OBSOLETE (1 << 1) +#define QEMU_SECCOMP_SET_PRIVILEGED (1 << 2) =20 #include =20
diff --git a/qemu-options.hx b/qemu-options.hx index 72150c6b84..5c1b163fb5 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -4017,20 +4017,26 @@ Old param mode (ARM only). ETEXI =20 DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ - "-sandbox on[,obsolete=3Dallow|deny]\n" \ + "-sandbox on[,obsolete=3Dallow|deny][,elevateprivileges=3Dallow|deny|c= hildren]\n" \ " Enable seccomp mode 2 system call filter (default 'of= f').\n" \ " use 'obsolete' to allow obsolete system calls that ar= e provided\n" \ " by the kernel, but typically no longer used by mo= dern\n" \ - " C library implementations.\n", + " C library implementations.\n" \ + " use 'elevateprivileges' to allow or deny QEMU process= to elevate\n" \ + " its privileges by blacklisting all set*uid|gid sy= stem calls.\n" \ + " The value 'children' will deny set*uid|gid system= calls for\n" \ + " main QEMU process but will allow forks and execve= s to run unprivileged\n", QEMU_ARCH_ALL) STEXI -@item -sandbox @var{arg}[,obsolete=3D@var{string}] +@item -sandbox @var{arg}[,obsolete=3D@var{string}][,elevateprivileges=3D@v= ar{string}] @findex -sandbox Enable Seccomp mode 2 system call filter. 'on' will enable syscall filteri= ng and 'off' will disable it. The default is 'off'. @table @option @item obsolete=3D@var{string} Enable Obsolete system calls +@item elevateprivileges=3D@var{string} +Disable set*uid|gid system calls @end table ETEXI =20 diff --git a/qemu-seccomp.c b/qemu-seccomp.c index 8a5fbd2ff1..978d66bd28 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c 
@@ -67,6 +67,17 @@ static const struct QemuSeccompSyscall blacklist[] =3D { { SCMP_SYS(sysfs), QEMU_SECCOMP_SET_OBSOLETE }, { SCMP_SYS(uselib), QEMU_SECCOMP_SET_OBSOLETE }, { SCMP_SYS(ustat), QEMU_SECCOMP_SET_OBSOLETE }, + /* privileged */ + { SCMP_SYS(setuid), QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setgid), QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setpgid), QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setsid), QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setreuid), QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setregid), QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setresuid), QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setresgid), QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setfsuid), QEMU_SECCOMP_SET_PRIVILEGED }, + { SCMP_SYS(setfsgid), QEMU_SECCOMP_SET_PRIVILEGED }, }; =20 =20 diff --git a/vl.c b/vl.c index 57c5e93c1a..d59b560276 100644 --- a/vl.c +++ b/vl.c @@ -29,6 +29,7 @@ =20 #ifdef CONFIG_SECCOMP #include "sysemu/seccomp.h" +#include "sys/prctl.h" #endif =20 #if defined(CONFIG_VDE) @@ -275,6 +276,10 @@ static QemuOptsList qemu_sandbox_opts =3D { .name =3D "obsolete", .type =3D QEMU_OPT_STRING, }, + { + .name =3D "elevateprivileges", + .type =3D QEMU_OPT_STRING, + }, { /* end of list */ } }, }; 
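Review bot: the QEMU_SECCOMP_SET_PRIVILEGED table does not match its description ("all set*uid|gid system calls"). setpgid and setsid change the process group and session, not credentials, and setsid() is the standard daemonization step, so with elevateprivileges=deny a daemonizing QEMU would be killed by its own filter; drop those two. Conversely setgroups and capset, which do change privilege, are missing, as are the 32-bit-uid entry points glibc uses on i386 and 32-bit ARM (setuid32, setgid32, setreuid32, setregid32, setresuid32, setresgid32, setfsuid32, setfsgid32), so on those hosts the set blocks nothing glibc actually calls. In vl.c, #include "sys/prctl.h" should be #include <sys/prctl.h>, as it is a system header.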
@@ -1056,6 +1061,28 @@ static int parse_sandbox(void *opaque, QemuOpts *opt= s, Error **errp) } } =20 + value =3D qemu_opt_get(opts, "elevateprivileges"); + if (value) { + if (g_str_equal(value, "deny")) { + seccomp_opts |=3D QEMU_SECCOMP_SET_PRIVILEGED; + } else if (g_str_equal(value, "children")) { + seccomp_opts |=3D QEMU_SECCOMP_SET_PRIVILEGED; + + /* calling prctl directly because we're + * not sure if host has CAP_SYS_ADMIN set*/ + if (prctl(PR_SET_NO_NEW_PRIVS, 1)) { + error_report("failed to set no_new_privs " + "aborting"); + return -1; + } + } else if (g_str_equal(value, "allow")) { + /* default value */ + } else { + error_report("invalid argument for elevateprivileges"); + return -1; + } + } + + if (seccomp_start(seccomp_opts) < 0) { error_report("failed to install seccomp syscall filter " "in the kernel");
-- 
2.13.5
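Review bot: the "children" branch calls prctl(PR_SET_NO_NEW_PRIVS, 1) with two arguments, but the kernel returns EINVAL for PR_SET_NO_NEW_PRIVS unless arg3, arg4 and arg5 are all 0, and because prctl() is variadic those slots contain whatever was left in the registers; write prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0). The comment ("not sure if host has CAP_SYS_ADMIN") also has the relationship backwards: no_new_privs is the prerequisite for installing a seccomp filter without CAP_SYS_ADMIN, and libseccomp's seccomp_load() sets it by default, so both deny and children end up with no_new_privs set and the same QEMU_SECCOMP_SET_PRIVILEGED rules, which a seccomp filter carries across fork() and execve() in any case. Please either state in qemu-options.hx what children permits that deny does not, or merge the two values. Minor: "failed to set no_new_privs aborting" needs a comma before "aborting".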
From: Eduardo Otubo
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Thomas Huth, Fam Zheng
Date: Fri, 15 Sep 2017 10:41:37 +0200
Message-Id: <20170915084139.4481-5-otubo@redhat.com>
In-Reply-To: <20170915084139.4481-1-otubo@redhat.com>
Subject: [Qemu-devel] [PULL 04/06] seccomp: add spawn argument to command line

This patch adds [,spawn=deny] argument to `-sandbox on' option. It
blacklists fork and execve system calls, preventing Qemu from spawning
new threads or processes.

Signed-off-by: Eduardo Otubo
Reviewed-by: Thomas Huth
Reviewed-by: Daniel P. Berrange
---
 include/sysemu/seccomp.h |  1 +
 qemu-options.hx          |  9 +++++++--
 qemu-seccomp.c           |  4 ++++
 vl.c                     | 16 ++++++++++++++++
 4 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h index 4a9e63c7cd..3ab5fc4f61 100644 --- a/include/sysemu/seccomp.h +++ b/include/sysemu/seccomp.h @@ -18,6 +18,7 @@ #define QEMU_SECCOMP_SET_DEFAULT (1 << 0) #define QEMU_SECCOMP_SET_OBSOLETE (1 << 1) #define QEMU_SECCOMP_SET_PRIVILEGED (1 << 2) +#define QEMU_SECCOMP_SET_SPAWN (1 << 3) =20 #include =20 diff --git a/qemu-options.hx b/qemu-options.hx index 5c1b163fb5..2b04b9f170 100644 --- a/qemu-options.hx +++ b/qemu-options.hx
@@ -4018,6 +4018,7 @@ ETEXI =20 DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ "-sandbox on[,obsolete=3Dallow|deny][,elevateprivileges=3Dallow|deny|c= hildren]\n" \ + " [,spawn=3Dallow|deny]\n" \ " Enable seccomp mode 2 system call filter (default 'of= f').\n" \ " use 'obsolete' to allow obsolete system calls that ar= e provided\n" \ " by the kernel, but typically no longer used by mo= dern\n" \ @@ -4025,10 +4026,12 @@ DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ " use 'elevateprivileges' to allow or deny QEMU process= to elevate\n" \ " its privileges by blacklisting all set*uid|gid sy= stem calls.\n" \ " The value 'children' will deny set*uid|gid system= calls for\n" \ - " main QEMU process but will allow forks and execve= s to run unprivileged\n", + " main QEMU process but will allow forks and execve= s to run unprivileged\n" \ + " use 'spawn' to avoid QEMU to spawn new threads or pro= cesses by\n" \ + " blacklisting *fork and execve\n", QEMU_ARCH_ALL) STEXI -@item -sandbox @var{arg}[,obsolete=3D@var{string}][,elevateprivileges=3D@v= ar{string}] +@item -sandbox @var{arg}[,obsolete=3D@var{string}][,elevateprivileges=3D@v= ar{string}][,spawn=3D@var{string}] @findex -sandbox Enable Seccomp mode 2 system call filter. 'on' will enable syscall filteri= ng and 'off' will disable it. The default is 'off'. @@ -4037,6 +4040,8 @@ disable it. The default is 'off'. Enable Obsolete system calls @item elevateprivileges=3D@var{string} Disable set*uid|gid system calls +@item spawn=3D@var{string} +Disable *fork and execve @end table ETEXI =20 diff --git a/qemu-seccomp.c b/qemu-seccomp.c index 978d66bd28..f3878a5e29 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c 
@@ -78,6 +78,10 @@ static const struct QemuSeccompSyscall blacklist[] =3D { { SCMP_SYS(setresgid), QEMU_SECCOMP_SET_PRIVILEGED }, { SCMP_SYS(setfsuid), QEMU_SECCOMP_SET_PRIVILEGED }, { SCMP_SYS(setfsgid), QEMU_SECCOMP_SET_PRIVILEGED }, + /* spawn */ + { SCMP_SYS(fork), QEMU_SECCOMP_SET_SPAWN }, + { SCMP_SYS(vfork), QEMU_SECCOMP_SET_SPAWN }, + { SCMP_SYS(execve), QEMU_SECCOMP_SET_SPAWN }, }; =20 =20 diff --git a/vl.c b/vl.c index d59b560276..984db0c399 100644 --- a/vl.c +++ b/vl.c @@ -280,6 +280,10 @@ static QemuOptsList qemu_sandbox_opts =3D { .name =3D "elevateprivileges", .type =3D QEMU_OPT_STRING, }, + { + .name =3D "spawn", + .type =3D QEMU_OPT_STRING, + }, { /* end of list */ } }, }; 
@@ -1083,6 +1087,18 @@ static int parse_sandbox(void *opaque, QemuOpts *opt= s, Error **errp) } } =20 + value =3D qemu_opt_get(opts, "spawn"); + if (value) { + if (g_str_equal(value, "deny")) { + seccomp_opts |=3D QEMU_SECCOMP_SET_SPAWN; + } else if (g_str_equal(value, "allow")) { + /* default value */ + } else { + error_report("invalid argument for spawn"); + return -1; + } + } + if (seccomp_start(seccomp_opts) < 0) { error_report("failed to install seccomp syscall filter " "in the kernel"); --=20 2.13.5 From nobody Thu Apr 25 04:09:08 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1505465710207282.5340635742789; Fri, 15 Sep 2017 01:55:10 -0700 (PDT) Received: from localhost ([::1]:52014 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dsmOz-0005D5-9h for importer@patchew.org; Fri, 15 Sep 2017 04:55:09 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:38895) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dsmCb-0000az-CN for qemu-devel@nongnu.org; Fri, 15 Sep 2017 04:42:22 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dsmCa-0003FE-6f for qemu-devel@nongnu.org; Fri, 15 Sep 2017 04:42:21 -0400 Received: from mx1.redhat.com ([209.132.183.28]:49298) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1dsmCZ-0003EG-U8 for qemu-devel@nongnu.org; Fri, 15 Sep 2017 04:42:20 -0400 Received: from smtp.corp.redhat.com 
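Review bot: the help text added in the qemu-options.hx DEF hunk overstates what the option does. It says 'spawn' stops QEMU from spawning "new threads or processes", but the qemu-seccomp.c hunk in this patch denies only fork, vfork and execve; thread creation goes through clone, which is not filtered (and cannot be blanket-denied, since QEMU creates its own vCPU and worker threads). Reword to "new processes", or keep the wording only once clone is filtered on its flags argument. While here, "use 'spawn' to avoid QEMU to spawn new threads or processes" reads better as "use 'spawn' to prevent QEMU from spawning new processes", and the existing 'children' text in the same hunk ("will allow forks and execves to run unprivileged") should say that spawn=deny overrides it, because fork/execve are refused regardless of elevateprivileges.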
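Review bot: the blacklist hunk in qemu-seccomp.c leaves a gap in the new QEMU_SECCOMP_SET_SPAWN set: execve is denied but execveat(2), which Linux has offered since 3.19 and which also replaces the process image, is not, so spawn=deny does not close every exec entry point. Add `{ SCMP_SYS(execveat), QEMU_SECCOMP_SET_SPAWN },` next to the execve entry, after checking that the minimum libseccomp version required by configure knows that syscall name, since SCMP_SYS() resolves it at compile time.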
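Review bot: in the vl.c parse_sandbox hunk the rejection path reports only "invalid argument for spawn" and drops the string that was rejected; `error_report("invalid argument for spawn: %s", value);` tells the user what was actually parsed and matches the fact that only the literals "deny" and "allow" are accepted via g_str_equal.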
From: Eduardo Otubo
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Thomas Huth, Fam Zheng
Date: Fri, 15 Sep 2017 10:41:38 +0200
Message-Id: <20170915084139.4481-6-otubo@redhat.com>
In-Reply-To: <20170915084139.4481-1-otubo@redhat.com>
Subject: [Qemu-devel] [PULL 05/06] seccomp: add resourcecontrol argument to command line

This patch adds [,resourcecontrol=deny] to `-sandbox on' option. It blacklists all process affinity and scheduler priority system calls to avoid any bigger of the process.
Signed-off-by: Eduardo Otubo Reviewed-by: Thomas Huth Reviewed-by: Daniel P. Berrange --- include/sysemu/seccomp.h | 1 + qemu-options.hx | 9 ++++++--- qemu-seccomp.c | 11 +++++++++++ vl.c | 16 ++++++++++++++++ 4 files changed, 34 insertions(+), 3 deletions(-) diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h index 3ab5fc4f61..e67c2dc840 100644 --- a/include/sysemu/seccomp.h +++ b/include/sysemu/seccomp.h @@ -19,6 +19,7 @@ #define QEMU_SECCOMP_SET_OBSOLETE (1 << 1) #define QEMU_SECCOMP_SET_PRIVILEGED (1 << 2) #define QEMU_SECCOMP_SET_SPAWN (1 << 3) +#define QEMU_SECCOMP_SET_RESOURCECTL (1 << 4) =20 #include =20 diff --git a/qemu-options.hx b/qemu-options.hx index 2b04b9f170..600614f6e5 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -4018,7 +4018,7 @@ ETEXI =20 DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ "-sandbox on[,obsolete=3Dallow|deny][,elevateprivileges=3Dallow|deny|c= hildren]\n" \ - " [,spawn=3Dallow|deny]\n" \ + " [,spawn=3Dallow|deny][,resourcecontrol=3Dallow|deny]\n" \ " Enable seccomp mode 2 system call filter (default 'of= f').\n" \ " use 'obsolete' to allow obsolete system calls that ar= e provided\n" \ " by the kernel, but typically no longer used by mo= dern\n" \ 
@@ -4028,10 +4028,11 @@ DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ " The value 'children' will deny set*uid|gid system= calls for\n" \ " main QEMU process but will allow forks and execve= s to run unprivileged\n" \ " use 'spawn' to avoid QEMU to spawn new threads or pro= cesses by\n" \ - " blacklisting *fork and execve\n", + " blacklisting *fork and execve\n" \ + " use 'resourcecontrol' to disable process affinity and= schedular priority\n", QEMU_ARCH_ALL) STEXI -@item -sandbox @var{arg}[,obsolete=3D@var{string}][,elevateprivileges=3D@v= ar{string}][,spawn=3D@var{string}] +@item -sandbox @var{arg}[,obsolete=3D@var{string}][,elevateprivileges=3D@v= ar{string}][,spawn=3D@var{string}][,resourcecontrol=3D@var{string}] @findex -sandbox Enable Seccomp mode 2 system call filter. 'on' will enable syscall filteri= ng and 'off' will disable it. The default is 'off'. @@ -4042,6 +4043,8 @@ Enable Obsolete system calls Disable set*uid|gid system calls @item spawn=3D@var{string} Disable *fork and execve +@item resourcecontrol=3D@var{string} +Disable process affinity and schedular priority @end table ETEXI =20 diff --git a/qemu-seccomp.c b/qemu-seccomp.c index f3878a5e29..b770a77d33 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c 
@@ -82,6 +82,17 @@ static const struct QemuSeccompSyscall blacklist[] =3D { { SCMP_SYS(fork), QEMU_SECCOMP_SET_SPAWN }, { SCMP_SYS(vfork), QEMU_SECCOMP_SET_SPAWN }, { SCMP_SYS(execve), QEMU_SECCOMP_SET_SPAWN }, + /* resource control */ + { SCMP_SYS(getpriority), QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(setpriority), QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(sched_setparam), QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(sched_getparam), QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(sched_setscheduler), QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(sched_getscheduler), QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(sched_setaffinity), QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(sched_getaffinity), QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(sched_get_priority_max), QEMU_SECCOMP_SET_RESOURCECTL }, + { SCMP_SYS(sched_get_priority_min), QEMU_SECCOMP_SET_RESOURCECTL }, }; =20 =20 diff --git a/vl.c b/vl.c index 984db0c399..9e62e92aea 100644 --- a/vl.c +++ b/vl.c @@ -284,6 +284,10 @@ static QemuOptsList qemu_sandbox_opts =3D { .name =3D "spawn", .type =3D QEMU_OPT_STRING, }, + { + .name =3D "resourcecontrol", + .type =3D QEMU_OPT_STRING, + }, { /* end of list */ } }, }; 
@@ -1099,6 +1103,18 @@ static int parse_sandbox(void *opaque, QemuOpts *opt= s, Error **errp) } } =20 + value =3D qemu_opt_get(opts, "resourcecontrol"); + if (value) { + if (g_str_equal(value, "deny")) { + seccomp_opts |=3D QEMU_SECCOMP_SET_RESOURCECTL; + } else if (g_str_equal(value, "allow")) { + /* default value */ + } else { + error_report("invalid argument for resourcecontrol"); + return -1; + } + } + if (seccomp_start(seccomp_opts) < 0) { error_report("failed to install seccomp syscall filter " "in the kernel"); --=20 2.13.5 From nobody Thu Apr 25 04:09:08 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1505465263020355.6654661285911; Fri, 15 Sep 2017 01:47:43 -0700 (PDT) Received: from localhost ([::1]:51981 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dsmHl-000650-Bz for importer@patchew.org; Fri, 15 Sep 2017 04:47:41 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:38937) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dsmCd-0000d0-DR for qemu-devel@nongnu.org; Fri, 15 Sep 2017 04:42:24 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dsmCc-0003Hj-AD for qemu-devel@nongnu.org; Fri, 15 Sep 2017 04:42:23 -0400 Received: from mx1.redhat.com ([209.132.183.28]:44568) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1dsmCc-0003HF-4Q for qemu-devel@nongnu.org; Fri, 15 Sep 2017 04:42:22 -0400 Received: from 
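Review bot: "schedular" is misspelled in both qemu-options.hx hunks of this patch, once in the DEF help string ("disable process affinity and schedular priority") and once in the texinfo line ("Disable process affinity and schedular priority"); it should be "scheduler" in both, as this text ends up in -help output and the manual.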
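Review bot: the resource-control entries in the qemu-seccomp.c hunk deny the read-only query syscalls (getpriority, sched_getparam, sched_getscheduler, sched_getaffinity, sched_get_priority_max, sched_get_priority_min) alongside the setters, which goes further than the stated goal of stopping QEMU from changing its own affinity or priority: under resourcecontrol=deny any library code that merely queries the scheduler now fails. Either drop the getters or state in the help text that queries are refused too. In the other direction the set misses sched_setattr(2) (Linux 3.14 and later), which sets policy and priority just like sched_setscheduler, so add `{ SCMP_SYS(sched_setattr), QEMU_SECCOMP_SET_RESOURCECTL },` (and sched_getattr if the getters stay) to the same set.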
From: Eduardo Otubo
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Thomas Huth, Fam Zheng
Date: Fri, 15 Sep 2017 10:41:39 +0200
Message-Id: <20170915084139.4481-7-otubo@redhat.com>
In-Reply-To: <20170915084139.4481-1-otubo@redhat.com>
Subject: [Qemu-devel] [PULL 06/06] buildsys: Move seccomp cflags/libs to per object

From: Fam Zheng

Like many other libraries, libseccomp cflags and libs should only apply to the building of necessary objects. Do so in the usual way with the help of per object variables.
Signed-off-by: Fam Zheng Acked-by: Eduardo Otubo --- Makefile.objs | 2 ++ configure | 6 ++++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/Makefile.objs b/Makefile.objs index 24a4ea08b8..d9cf7ad791 100644 --- a/Makefile.objs +++ b/Makefile.objs @@ -70,6 +70,8 @@ common-obj-y +=3D backends/ common-obj-y +=3D chardev/ =20 common-obj-$(CONFIG_SECCOMP) +=3D qemu-seccomp.o +qemu-seccomp.o-cflags :=3D $(SECCOMP_CFLAGS) +qemu-seccomp.o-libs :=3D $(SECCOMP_LIBS) =20 common-obj-$(CONFIG_FDT) +=3D device_tree.o =20 diff --git a/configure b/configure index 9ee4559b54..94db2d103e 100755 --- a/configure +++ b/configure @@ -2035,8 +2035,8 @@ if test "$seccomp" !=3D "no" ; then =20 if test "$libseccomp_minver" !=3D "" && $pkg_config --atleast-version=3D$libseccomp_minver libseccomp ; then - libs_softmmu=3D"$libs_softmmu $($pkg_config --libs libseccomp)" - QEMU_CFLAGS=3D"$QEMU_CFLAGS $($pkg_config --cflags libseccomp)" + seccomp_cflags=3D"$($pkg_config --cflags libseccomp)" + seccomp_libs=3D"$($pkg_config --libs libseccomp)" seccomp=3D"yes" else if test "$seccomp" =3D "yes" ; then @@ -5829,6 +5829,8 @@ fi =20 if test "$seccomp" =3D "yes"; then echo "CONFIG_SECCOMP=3Dy" >> $config_host_mak + echo "SECCOMP_CFLAGS=3D$seccomp_cflags" >> $config_host_mak + echo "SECCOMP_LIBS=3D$seccomp_libs" >> $config_host_mak fi =20 # XXX: suppress that --=20 2.13.5
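Review bot: narrowing SECCOMP_CFLAGS to qemu-seccomp.o in the Makefile.objs hunk is only safe if qemu-seccomp.c is the sole translation unit that includes libseccomp's header. include/sysemu/seccomp.h, edited earlier in this series, carries a top-level #include right after the QEMU_SECCOMP_SET_* defines, and vl.c includes that header to call seccomp_start(); if that include is <seccomp.h>, vl.o loses the -I flag the configure hunk removes from QEMU_CFLAGS and the build breaks wherever libseccomp is installed outside the default include path. Either move the libseccomp include into qemu-seccomp.c or give vl.o the same -cflags.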