Re: [Qemu-devel] [PATCHv2 3/4] Support for "double whitelist" filters

[Anthony Liguori]

Paul Moore <address@hidden> writes:

> On Tuesday, October 23, 2012 03:55:31 AM Eduardo Otubo wrote:
>> This patch includes a second whitelist right before the main loop. It's
>> a smaller and more restricted whitelist, excluding execve() among many
>> others.
>> 
>> v2: * ctx changed to main_loop_ctx
>>     * seccomp_on now inside ifdef
>>     * open syscall added to the main_loop whitelist
>> 
>> Signed-off-by: Eduardo Otubo <address@hidden>
>
> Unfortunately qemu.org seems to be down for me today so I can't grab
> the 

qemu.org is up, just having DNS problems.  Use git.qemu-project.org
instead and you should be fine.

Regards,

Anthony Liguori

> latest repo to review/verify this patch (some of my comments/assumptions 
> below 
> may be off) but I'm a little confused, hopefully you guys can help me out, 
> read below ...
>
> The first call to seccomp_install_filter() will setup a whitelist for the 
> syscalls that have been explicitly specified, all others will hit the default 
> action TRAP/KILL.  The second call to seccomp_install_filter() will add a 
> second whitelist for another set of explicitly specified syscalls, all others 
> will hit the default action TRAP/KILL.
>
> The problem occurs when the filters are executed in the kernel when a syscall 
> is executed.  On each syscall the first filter will be executed and the 
> action 
> will either be ALLOW or TRAP/KILL, next the second filter will be executed 
> and 
> the action will either be ALLOW or TRAP/KILL; since the kernel always takes 
> the most restrictive (lowest integer action value) action when multiple 
> filters are specified, I think your double whitelist value is going to have 
> some inherent problems.  I might suggest an initial, fairly permissive 
> whitelist followed by a follow-on blacklist if you want to disable certain 
> syscalls.
>
> -- 
> paul moore
> security and virtualization @ redhat