[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCHv4 6/6] seccomp: adding documentation to new secc
|
From: |
Daniel P. Berrange |
|
Subject: |
Re: [Qemu-devel] [PATCHv4 6/6] seccomp: adding documentation to new seccomp model |
|
Date: |
Fri, 1 Sep 2017 12:03:35 +0100 |
|
User-agent: |
Mutt/1.8.3 (2017-05-23) |
On Fri, Sep 01, 2017 at 12:58:18PM +0200, Eduardo Otubo wrote:
> Adding new documentation under docs/ to describe every one and each new
> option added by the refactoring patchset.
>
> Signed-off-by: Eduardo Otubo <address@hidden>
> ---
> docs/seccomp.txt | 31 +++++++++++++++++++++++++++++++
> 1 file changed, 31 insertions(+)
> create mode 100644 docs/seccomp.txt
>
> diff --git a/docs/seccomp.txt b/docs/seccomp.txt
> new file mode 100644
> index 0000000000..a5eca85a9b
> --- /dev/null
> +++ b/docs/seccomp.txt
> @@ -0,0 +1,31 @@
> +QEMU Seccomp system call filter
> +===============================
> +
> +Starting from QEMU version 2.11, the seccomp filter does not work as a
> +whitelist but as a blacklist instead. This method allows safer deploys since
> +only the strictly forbidden system calls will be black-listed and the
> +possibility of breaking any workload is close to zero.
> +
> +The default option (-sandbox on) has a slightly looser security though and
> the
> +reason is that it shouldn't break any backwards compatibility with previous
> +deploys and command lines already running. But if the intent is to have a
> +better security from this version on, one should make use of the following
> +additional options properly:
> +
> +* obsolete=allow|deny: It allows Qemu to run safely on old system that still
> + relies on old system calls.
> +
> +* elevateprivileges=allow|deny|children: It allows or denies Qemu process
> + to elevate its privileges by blacklisting all set*uid|gid system calls. The
> + 'children' option sets the PR_SET_NO_NEW_PRIVS to 1 which allows helpers
> + (forks and execs) to run unprivileged.
> +
> +* spawn=allow|deny: It blacklists fork and execve system calls, avoiding
> QEMU to
> + spawn new threads or processes.
> +
> +* resourcecontrol=allow|deny: It blacklists all process affinity and
> scheduler
> + priority system calls to avoid that the process can increase its amount of
> + allowed resource consumption.
> +
This ought to be part of qemu-options.hx so it makes it into the qemu
docs & man page.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
- [Qemu-devel] [PATCHv4 3/6] seccomp: add elevateprivileges argument to command line, (continued)
- [Qemu-devel] [PATCHv4 5/6] seccomp: add resourcecontrol argument to command line, Eduardo Otubo, 2017/09/01
- [Qemu-devel] [PATCHv4 4/6] seccomp: add spawn argument to command line, Eduardo Otubo, 2017/09/01
- [Qemu-devel] [PATCHv4 6/6] seccomp: adding documentation to new seccomp model, Eduardo Otubo, 2017/09/01
- Re: [Qemu-devel] [PATCHv4 6/6] seccomp: adding documentation to new seccomp model,
Daniel P. Berrange <=
- Re: [Qemu-devel] [PATCHv4 0/6] seccomp: feature refactoring, no-reply, 2017/09/01