On Fri, Apr 13, 2018 at 10:08:34AM -0400, John Ferlan wrote:
>
>
> On 04/10/2018 10:49 AM, Ján Tomko wrote:
> > If QEMU uses a seccomp blacklist (since 2.11), -sandbox on
> > no longer tries to whitelist all the calls, but uses sets
> > of blacklists:
> > default (always blacklisted with -sandbox on)
> > obsolete (defaults to deny)
> > elevateprivileges (setuid & co, default: allow)
> > spawn (fork & execve, default: allow)
> > resourcecontrol (setaffinity, setscheduler, default: allow)
> >
> > If these are supported, default to sandbox with all four
> > categories blacklisted.
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1492597
> >
> > Signed-off-by: Ján Tomko <jtomko@xxxxxxxxxx>
> > ---
> >  src/qemu/qemu.conf                          |  7 +++---
> >  src/qemu/qemu_command.c                     | 10 +++++++++
> >  tests/qemuxml2argvdata/minimal-sandbox.args | 29 ++++++++++++++++++++++++
> >  tests/qemuxml2argvdata/minimal-sandbox.xml  | 34 +++++++++++++++++++++++++++++
> >  tests/qemuxml2argvtest.c                    | 11 ++++++++++
> >  5 files changed, 88 insertions(+), 3 deletions(-)
> >  create mode 100644 tests/qemuxml2argvdata/minimal-sandbox.args
> >  create mode 100644 tests/qemuxml2argvdata/minimal-sandbox.xml
> >
> > diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> > index 07eab7eff..740129cf5 100644
> > --- a/src/qemu/qemu.conf
> > +++ b/src/qemu/qemu.conf
> > @@ -669,9 +669,10 @@
> >
> >
> >
> > -# Use seccomp syscall whitelisting in QEMU.
> > -# 1 = on, 0 = off, -1 = use QEMU default
> > -# Defaults to -1.
> > +# Use seccomp syscall sandbox in QEMU.
> > +# 1 = on, 0 = off, -1 = use the default
> > +# For QEMUs using a whitelist, the default (-1) is off.
> > +# For QEMUs using a blacklist, the default (-1) is on.
>
> Not sure it's even possible to provide any sort of details, but suffice
> to say the description here is really lacking. One of those things that
> if you know and care, then you use; if you don't, you ignore. Maybe it's
> just me being dense ;-).
>
> Still, if someone supplies 0 or 1, does that now mean the opposite of what
> it did before 2.11? That is, if I had this set to 1 in my qemu.conf,
> does that mean that now I'm using a blacklist instead of a whitelist?

Yes, setting this to '1' just means "enable use of seccomp". We explicitly
never defined what kind of seccomp rules would be enabled, only that
something seccomp related is on. Whether it's a blacklist or a whitelist
is a low-level impl detail that we don't expect users to care about.

> As an admin trying to decipher this, what would each setting mean to me,
> and if going with the new -1 default, then that means libvirt is going
> to set "on" w/ a list of 4 to deny.

Essentially the default (-1) means "do the best thing". On old QEMU the
best thing was to disable it because it was horribly unreliable with a
whitelist. On modern QEMU the best thing is to enable it because the
blacklist is much saner.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
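Review bot: the replacement comment in the qemu.conf hunk (the four `+# ...` lines) still does not tell an admin which QEMU builds use a blacklist or what "on" actually denies, although the commit message has both facts (blacklist mode since QEMU 2.11; the default denies the obsolete, elevateprivileges, spawn and resourcecontrol sets, with "default" always denied), so consider carrying them into the comment, e.g. `# With QEMU >= 2.11 (seccomp blacklist) the default denies the` / `# obsolete, elevateprivileges, spawn and resourcecontrol syscall sets.` The comment should also say whether an explicit 1 on a blacklist-capable QEMU gets those same four deny sets or only a plain `-sandbox on`, since the commit message describes only the -1 default and John's question about whether 1 now means "a blacklist instead of a whitelist" follows directly from that gap.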
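The -1/0/1 decision Daniel describes, and the admin-side check John is asking for, as an added example. This is not the patch's own qemu_command.c code (that hunk is not quoted in the thread) and not libvirt's; the QEMU option grammar `-sandbox on,obsolete=deny,...`, the treatment of 0 as an explicit `-sandbox off`, and emitting a bare `-sandbox on` for an explicit 1 (leaving QEMU's per-set defaults from the commit message in force) are my assumptions. The sample command line is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the patch or from libvirt.
# Predict the -sandbox argument libvirt would add for a qemu.conf
# seccomp_sandbox value, then classify a running QEMU's command line.
# Option grammar and the handling of 0 and 1 are assumptions.

# The four blacklist sets named in the commit message. The "default"
# set is always denied once -sandbox on is given, so it has no knob.
DENY_ALL="obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny"

# qemu_sandbox_arg <seccomp_sandbox: -1|0|1> <blacklist|whitelist>
# Prints the -sandbox argument, or nothing when none would be added.
qemu_sandbox_arg() {
    conf=$1; kind=$2
    case "$conf" in
        0)  printf '%s\n' "-sandbox off" ;;            # assumption: explicit off
        1)  printf '%s\n' "-sandbox on" ;;             # assumption: QEMU's own
                                                       # per-set defaults apply
        -1) # "do the best thing": off on a whitelist QEMU, on with all
            # four sets denied on a blacklist QEMU (2.11+).
            if [ "$kind" = blacklist ]; then
                printf '%s\n' "-sandbox on,$DENY_ALL"
            fi ;;
        *)  echo "bad seccomp_sandbox value: $conf" >&2; return 1 ;;
    esac
}

# sandbox_status <cmdline>: classify a QEMU command line whose arguments
# are newline separated, as produced by `tr '\0' '\n' </proc/PID/cmdline`.
# Prints one of: none, off, on, on-deny:<comma separated denied sets>
sandbox_status() {
    val=$(printf '%s\n' "$1" | awk '$0=="-sandbox" {getline; print; exit}')
    case "$val" in
        "")   echo none ;;
        off)  echo off ;;
        on)   echo on ;;
        on,*) # keep only the sets explicitly set to deny
              sets=$(printf '%s' "${val#on,}" | tr ',' '\n' \
                     | sed -n 's/=deny$//p' | tr '\n' ',')
              echo "on-deny:${sets%,}" ;;
        *)    echo "unknown:$val" ;;
    esac
}

# check_qemu_pid <pid>: run the classifier against a live process.
check_qemu_pid() {
    sandbox_status "$(tr '\0' '\n' < "/proc/$1/cmdline")"
}

# Constructed sample of what /proc/PID/cmdline looks like for a guest
# started with the -1 default on a blacklist-capable QEMU.
SAMPLE_CMDLINE='/usr/bin/qemu-system-x86_64
-name
guest=demo
-sandbox
on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny
-m
1024'

# Demo: the mapping for both QEMU generations, then the sample check.
for kind in whitelist blacklist; do
    for conf in -1 0 1; do
        printf '%-9s seccomp_sandbox=%-2s -> %s\n' "$kind" "$conf" \
            "$(qemu_sandbox_arg "$conf" "$kind")"
    done
done
printf 'sample guest: %s\n' "$(sandbox_status "$SAMPLE_CMDLINE")"
```

To check a live guest, use `check_qemu_pid "$(pidof qemu-system-x86_64)"`; an answer of `on` rather than `on-deny:...` means the four sets were left at QEMU's own defaults, which per the commit message denies only obsolete.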