[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [PATCHv4 0/4] Sandboxing Qemu guests with Libseccomp

From: Eduardo Otubo
Subject: [Qemu-devel] [PATCHv4 0/4] Sandboxing Qemu guests with Libseccomp
Date: Tue, 17 Jul 2012 16:19:11 -0300

Hello all,

This patch is an effort to sandbox Qemu guests using Libseccomp[0]. The patches
that follows are pretty simple and straightforward. I added the correct options
and checks to the configure script and the basic calls to libseccomp in the
main loop at vl.c. Details of each one are in the emails of the patch set.

This support limits the system call footprint of the entire QEMU process to a
limited set of syscalls, those that we know QEMU uses. The idea is to limit the
allowable syscalls, therefore limiting the impact that an attacked guest could
have on the host system.

It's important to note that the libseccomp itself needs the seccomp mode 2
feature in the kernel, which is only available in kernel versions older (or
equal) than 3.5-rc1.

v2: Files separated in qemu-seccomp.c and qemu-seccomp.h for a cleaner
    implementation. The development was tested with the 3.5-rc1 kernel.

v3: As we discussed in previous emails in this mailing list, this feature is
    not supposed to replace existing security feature, but add another layer to
    the whole. The whitelist should contain all the syscalls QEMU needs. And as
    stated by Will Drewry's commit message[1]: "Filter programs will be 
    across fork/clone and execve.", the same white list should be passed along 
    the father process to the child, then execve() shouldn't be a problem. Note
    that there's a feature PR_SET_NO_NEW_PRIVS in seccomp mode 2 in the kernel,
    this prevents processes from gaining privileges on execve. For example, this
    will prevent qemu (if running unprivileged) from executing setuid 

v4: Introducing "debug" mode on libseccomp support. The "debug" mode will set
    the flag SCMP_ACT_TRAP when calling seccomp_start(). It will verbosely
    print a message to the stderr in the form "seccomp: illegal system call
    execution trapped: XXX" and resume the execution. This is really just used 
    debug mode, it helps users and developers to full fill the whitelist.

As always, comments are more than welcome.


[0] - http://sourceforge.net/projects/libseccomp/
[1] - 
[2] - https://lkml.org/lkml/2012/4/12/457

Eduardo Otubo (4):
  Adding support for libseccomp in configure and Makefile
  Adding qemu-seccomp.[ch]
  Adding qemu-seccomp-debug.[ch]
  Adding seccomp calls to vl.c

 Makefile.objs        |   10 ++++
 configure            |   34 ++++++++++++++
 qemu-seccomp-debug.c |   95 +++++++++++++++++++++++++++++++++++++
 qemu-seccomp-debug.h |   38 +++++++++++++++
 qemu-seccomp.c       |  126 ++++++++++++++++++++++++++++++++++++++++++++++++++
 qemu-seccomp.h       |   22 +++++++++
 vl.c                 |   31 +++++++++++++
 7 files changed, 356 insertions(+)
 create mode 100644 qemu-seccomp-debug.c
 create mode 100644 qemu-seccomp-debug.h
 create mode 100644 qemu-seccomp.c
 create mode 100644 qemu-seccomp.h


reply via email to

[Prev in Thread] Current Thread [Next in Thread]