On Tue, Apr 10, 2018 at 04:49:42PM +0200, Ján Tomko wrote: > If QEMU uses a seccomp blacklist (since 2.11), -sandbox on > no longer tries to whitelist all the calls, but uses sets > of blacklists: > default (always blacklisted with -sandbox on) > obsolete (defaults to deny) > elevateprivileges (setuid & co, default: allow) > spawn (fork & execve, default: allow) > resourcecontrol (setaffinity, setscheduler, default: allow) > > If these are supported, default to sandbox with all four > categories blacklisted. > > https://bugzilla.redhat.com/show_bug.cgi?id=1492597 > > Signed-off-by: Ján Tomko <jtomko@xxxxxxxxxx> > --- > src/qemu/qemu.conf | 7 +++--- > src/qemu/qemu_command.c | 10 +++++++++ > tests/qemuxml2argvdata/minimal-sandbox.args | 29 ++++++++++++++++++++++++ > tests/qemuxml2argvdata/minimal-sandbox.xml | 34 +++++++++++++++++++++++++++++ > tests/qemuxml2argvtest.c | 11 ++++++++++ > 5 files changed, 88 insertions(+), 3 deletions(-) > create mode 100644 tests/qemuxml2argvdata/minimal-sandbox.args > create mode 100644 tests/qemuxml2argvdata/minimal-sandbox.xml > > diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf > index 07eab7eff..740129cf5 100644 > --- a/src/qemu/qemu.conf > +++ b/src/qemu/qemu.conf > @@ -669,9 +669,10 @@ > > > > -# Use seccomp syscall whitelisting in QEMU. > -# 1 = on, 0 = off, -1 = use QEMU default > -# Defaults to -1. > +# Use seccomp syscall sandbox in QEMU. > +# 1 = on, 0 = off, -1 = use the default > +# For QEMUs using a whitelist, the default (-1) is off. > +# For QEMUs using a blacklist, the default (-1) is on. I'd suggest rewriting this a bit: # 1 == seccomp enabled, 0 == seccomp disabled # # If it is unset (or -1), then seccomp will be enabled # only if QEMU >= 2.11.0 is detected, otherwise it is # left disabled. This ensures the default config gets # protection for new QEMU using the blacklist approach. > # > #seccomp_sandbox = 1 > > diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c > index ba279e640..fa5906d0b 100644 
> --- a/src/qemu/qemu_command.c > +++ b/src/qemu/qemu_command.c > @@ -9987,6 +9987,16 @@ qemuBuildSeccompSandboxCommandLine(virCommandPtr cmd, > return 0; > } > > + /* Use blacklist by default if supported */ > + if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SECCOMP_BLACKLIST)) { > + virCommandAddArgList(cmd, "-sandbox", > + "on,obsolete=deny,elevateprivileges=deny," > + "spawn=deny,resourcecontrol=deny", > + NULL); > + return 0; > + } > + > + /* Seccomp whitelist is opt-in */ > if (cfg->seccompSandbox > 0) > virCommandAddArgList(cmd, "-sandbox", "on", NULL); Reviewed-by: Daniel P. Berrangé <berrange@xxxxxxxxxx> Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
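Review bot: the rewritten qemu.conf comment in the @@ -669,9 +669,10 @@ hunk still documents only 1/0/-1 and does not say what "on" now means on a blacklist-capable QEMU: per the qemu_command.c hunk it expands to `-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny`, with no per-category knob exposed in qemu.conf, so setting 0 is the only way an admin can get one of those syscall groups back. Suggest listing the four denied categories in the comment, reusing the one-line descriptions from the commit message (for example `spawn (fork & execve)` and `resourcecontrol (setaffinity, setscheduler)`), alongside the version-based default wording proposed in the review, so that someone debugging an unexpected EPERM inside QEMU can trace it to this setting.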
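Review bot: in the @@ -9987,6 +9987,16 @@ hunk the QEMU_CAPS_SECCOMP_BLACKLIST branch never consults cfg->seccompSandbox, so on a blacklist-capable QEMU the values 1 and -1 are indistinguishable and only the earlier early `return 0`, whose closing brace is the hunk's first context line, can switch the sandbox off; the comment `/* Use blacklist by default if supported */` reads as if a default were being chosen when the code past that point is unconditional. Suggest wording it as `/* Blacklist-capable QEMU: deny all four categories unless seccomp_sandbox disabled it above */` (matching whatever that earlier return actually tests). Two follow-ups on the same hunk: the deny set is a hard-coded string, so a category QEMU adds later with default "allow" would be silently left enabled, which is worth a note next to the string or in the capability probe; and since spawn=deny blocks fork and execve inside QEMU, the commit message should state that no libvirt-driven QEMU feature needs QEMU itself to spawn a helper, so the four-category deny set is known safe for every command line libvirt generates.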