[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PULL 08/10] seccomp: block setns, unshare and execveat syscalls
From: |
Daniel P . Berrangé |
Subject: |
[PULL 08/10] seccomp: block setns, unshare and execveat syscalls |
Date: |
Thu, 17 Feb 2022 11:57:21 +0000 |
setns/unshare are used to change namespaces which is not something QEMU
needs to be able todo.
execveat is a new variant of execve so should be blocked just like
execve already is.
Acked-by: Eduardo Otubo <otubo@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
softmmu/qemu-seccomp.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/softmmu/qemu-seccomp.c b/softmmu/qemu-seccomp.c
index a7bb5c350f..deaf8a4ef5 100644
--- a/softmmu/qemu-seccomp.c
+++ b/softmmu/qemu-seccomp.c
@@ -248,6 +248,11 @@ static const struct QemuSeccompSyscall denylist[] = {
{ SCMP_SYS(clone3), QEMU_SECCOMP_SET_SPAWN,
0, NULL, SCMP_ACT_ERRNO(ENOSYS) },
#endif
+#ifdef __SNR_execveat
+ { SCMP_SYS(execveat), QEMU_SECCOMP_SET_SPAWN },
+#endif
+ { SCMP_SYS(setns), QEMU_SECCOMP_SET_SPAWN },
+ { SCMP_SYS(unshare), QEMU_SECCOMP_SET_SPAWN },
/* resource control */
{ SCMP_SYS(setpriority), QEMU_SECCOMP_SET_RESOURCECTL,
0, NULL, SCMP_ACT_ERRNO(EPERM) },
--
2.34.1
- [PULL 00/10] Misc next patches, Daniel P . Berrangé, 2022/02/17
- [PULL 02/10] block: support sha256 fingerprint with pre-blockdev options, Daniel P . Berrangé, 2022/02/17
- [PULL 01/10] block: better document SSH host key fingerprint checking, Daniel P . Berrangé, 2022/02/17
- [PULL 03/10] block: print the server key type and fingerprint on failure, Daniel P . Berrangé, 2022/02/17
- [PULL 04/10] seccomp: allow action to be customized per syscall, Daniel P . Berrangé, 2022/02/17
- [PULL 07/10] seccomp: block use of clone3 syscall, Daniel P . Berrangé, 2022/02/17
- [PULL 05/10] seccomp: add unit test for seccomp filtering, Daniel P . Berrangé, 2022/02/17
- [PULL 06/10] seccomp: fix blocking of process spawning, Daniel P . Berrangé, 2022/02/17
- [PULL 08/10] seccomp: block setns, unshare and execveat syscalls,
Daniel P . Berrangé <=
- [PULL 09/10] MAINTAINERS: take over seccomp from Eduardo Otubo, Daniel P . Berrangé, 2022/02/17
- [PULL 10/10] docs: expand firmware descriptor to allow flash without NVRAM, Daniel P . Berrangé, 2022/02/17
- Re: [PULL 00/10] Misc next patches, Peter Maydell, 2022/02/18