qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCHv2 2/3] seccomp: adding command line support for

From: Corey Bryant
Subject: Re: [Qemu-devel] [PATCHv2 2/3] seccomp: adding command line support for blacklist
Date: Wed, 11 Sep 2013 12:45:54 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130805 Thunderbird/17.0.8 


On 09/06/2013 03:21 PM, Eduardo Otubo wrote:

New command line options for the seccomp blacklist feature:

  $ qemu -sandbox on[,strict=<on|off>]

The strict parameter will turn on or off the new system call blacklist
I mentioned this before but I'll say it again since I think it needs to be discussed. Since this regresses support (it'll prevent -net bridge and -net tap from using execv) the concern I have with the strict=on|off option is whether or not we will have the flexibility to modify the blacklist once QEMU is released with this support. Of course we should be able to add more syscalls to the blacklist as long as they don't regress QEMU functionality. But if we want to add a syscall that does regress QEMU functionality, I think we'd have to add a new command line option, which doesn't seem desirable.
So a more flexible approach may be necessary. Maybe the blacklist should be passed on the command line, which would enable it to be defined by libvirt and passed to QEMU. I know Paul is working on something for libvirt so maybe that answers this question. 



Signed-off-by: Eduardo Otubo <address@hidden>
---
  qemu-options.hx |  8 +++++---
  vl.c            | 11 ++++++++++-
  2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/qemu-options.hx b/qemu-options.hx
index d15338e..05485e1 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -2978,13 +2978,15 @@ Old param mode (ARM only).
  ETEXI

  DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \
-    "-sandbox <arg>  Enable seccomp mode 2 system call filter (default 
'off').\n",
+    "-sandbox <arg>  Enable seccomp mode 2 system call filter (default 
'off').\n"
+    "-sandbox on[,strict=<arg>]\n"
+    "                Enable seccomp mode 2 system call second level filter (default 
'off').\n",


Does this need to mention the QEMU features restricted by the blacklist?


      QEMU_ARCH_ALL)
  STEXI
address@hidden -sandbox @var{arg}
address@hidden -sandbox @var{arg}[,address@hidden
  @findex -sandbox
  Enable Seccomp mode 2 system call filter. 'on' will enable syscall filtering 
and 'off' will
-disable it.  The default is 'off'.
+disable it.  The default is 'off'. 'strict=on' will enable second level filter 
(default is 'off').


And here too?


  ETEXI

  DEF("readconfig", HAS_ARG, QEMU_OPTION_readconfig,
diff --git a/vl.c b/vl.c
index 02f7486..909f685 100644
--- a/vl.c
+++ b/vl.c
@@ -329,6 +329,9 @@ static QemuOptsList qemu_sandbox_opts = {
          {
              .name = "enable",
              .type = QEMU_OPT_BOOL,
+        },{
+            .name = "strict",
+            .type = QEMU_OPT_STRING,
          },
          { /* end of list */ }
      },
@@ -1031,6 +1034,7 @@ static int bt_parse(const char *opt)

  static int parse_sandbox(QemuOpts *opts, void *opaque)
  {
+    const char * strict_value = NULL;
      /* FIXME: change this to true for 1.3 */
      if (qemu_opt_get_bool(opts, "enable", false)) {
  #ifdef CONFIG_SECCOMP
@@ -1040,7 +1044,12 @@ static int parse_sandbox(QemuOpts *opts, void *opaque)
              return -1;
          }

-        enable_blacklist = true;
+        strict_value = qemu_opt_get(opts, "strict");
+        if (strict_value) {
+            if (!strcmp(strict_value, "on")) {
+                enable_blacklist = true;
+            }
+        }
  #else
          qerror_report(ERROR_CLASS_GENERIC_ERROR,
                        "sandboxing request but seccomp is not compiled into this 
build");



--
Regards,
Corey Bryant
reply via email to
[Prev in Thread] Current Thread [Next in Thread]