Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/808627/?format=api
{ "id": 808627, "url": "http://patchwork.ozlabs.org/api/patches/808627/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20170901105818.31956-4-otubo@redhat.com/", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20170901105818.31956-4-otubo@redhat.com>", "list_archive_url": null, "date": "2017-09-01T10:58:15", "name": "[PATCHv4,3/6] seccomp: add elevateprivileges argument to command line", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "19d02e79c0e1c27ca35416232d38073787379f10", "submitter": { "id": 71779, "url": "http://patchwork.ozlabs.org/api/people/71779/?format=api", "name": "Eduardo Otubo", "email": "otubo@redhat.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20170901105818.31956-4-otubo@redhat.com/mbox/", "series": [ { "id": 999, "url": "http://patchwork.ozlabs.org/api/series/999/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=999", "date": "2017-09-01T10:58:12", "name": "seccomp: feature refactoring", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/999/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/808627/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/808627/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@bilbo.ozlabs.org", "Authentication-Results": [ "ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=nongnu.org\n\t(client-ip=2001:4830:134:3::11; helo=lists.gnu.org;\n\tenvelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n\treceiver=<UNKNOWN>)", "ext-mx06.extmail.prod.ext.phx2.redhat.com;\n\tdmarc=none (p=none dis=none) header.from=redhat.com", "ext-mx06.extmail.prod.ext.phx2.redhat.com;\n\tspf=fail smtp.mailfrom=otubo@redhat.com" ], "Received": [ "from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xkGTY4tbMz9s7p\n\tfor <incoming@patchwork.ozlabs.org>;\n\tFri, 1 Sep 2017 20:59:29 +1000 (AEST)", "from localhost ([::1]:35133 helo=lists.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.71) (envelope-from\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>)\n\tid 1dnjfb-0000Di-NX\n\tfor incoming@patchwork.ozlabs.org; Fri, 01 Sep 2017 06:59:27 -0400", "from eggs.gnu.org ([2001:4830:134:3::10]:51249)\n\tby lists.gnu.org with esmtp (Exim 4.71)\n\t(envelope-from <otubo@redhat.com>) id 1dnjey-000089-MJ\n\tfor qemu-devel@nongnu.org; Fri, 01 Sep 2017 06:58:53 -0400", "from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)\n\t(envelope-from <otubo@redhat.com>) id 1dnjex-0001Gh-DL\n\tfor qemu-devel@nongnu.org; Fri, 01 Sep 2017 06:58:48 -0400", "from mx1.redhat.com ([209.132.183.28]:53852)\n\tby eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.71) (envelope-from <otubo@redhat.com>) id 1dnjex-0001E4-4Y\n\tfor qemu-devel@nongnu.org; Fri, 01 Sep 2017 06:58:47 -0400", "from smtp.corp.redhat.com\n\t(int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby mx1.redhat.com (Postfix) with ESMTPS id 29F52356F4\n\tfor <qemu-devel@nongnu.org>; Fri, 1 Sep 2017 10:58:46 +0000 (UTC)", "from vader.redhat.com (ovpn-117-156.ams2.redhat.com\n\t[10.36.117.156])\n\tby smtp.corp.redhat.com (Postfix) with ESMTP id E00EF7E8EB;\n\tFri, 1 Sep 2017 10:58:42 +0000 (UTC)" ], "DMARC-Filter": "OpenDMARC Filter v1.3.2 mx1.redhat.com 29F52356F4", "From": "Eduardo Otubo <otubo@redhat.com>", "To": "qemu-devel@nongnu.org", "Date": "Fri, 1 Sep 2017 12:58:15 +0200", "Message-Id": "<20170901105818.31956-4-otubo@redhat.com>", "In-Reply-To": "<20170901105818.31956-1-otubo@redhat.com>", "References": "<20170901105818.31956-1-otubo@redhat.com>", "X-Scanned-By": "MIMEDefang 2.79 on 10.5.11.12", "X-Greylist": "Sender IP whitelisted, not delayed by milter-greylist-4.5.16\n\t(mx1.redhat.com [10.5.110.30]);\n\tFri, 01 Sep 2017 10:58:46 +0000 (UTC)", "X-detected-operating-system": "by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]\n\t[fuzzy]", "X-Received-From": "209.132.183.28", "Subject": "[Qemu-devel] [PATCHv4 3/6] seccomp: add elevateprivileges argument\n\tto command line", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.21", "Precedence": "list", "List-Id": "<qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<http://lists.nongnu.org/archive/html/qemu-devel/>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Cc": "thuth@redhat.com", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "\"Qemu-devel\"\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>" }, "content": "This patch introduces the new argument\n[,elevateprivileges=allow|deny|children] to the `-sandbox on'. It allows\nor denies Qemu process to elevate its privileges by blacklisting all\nset*uid|gid system calls. The 'children' option will let forks and\nexecves run unprivileged.\n\nSigned-off-by: Eduardo Otubo <otubo@redhat.com>\n---\n include/sysemu/seccomp.h | 1 +\n qemu-options.hx | 12 +++++++++---\n qemu-seccomp.c | 29 ++++++++++++++++++-----------\n vl.c | 27 +++++++++++++++++++++++++++\n 4 files changed, 55 insertions(+), 14 deletions(-)", "diff": "diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h\nindex 215138a372..4a9e63c7cd 100644\n--- a/include/sysemu/seccomp.h\n+++ b/include/sysemu/seccomp.h\n@@ -17,6 +17,7 @@\n \n #define QEMU_SECCOMP_SET_DEFAULT (1 << 0)\n #define QEMU_SECCOMP_SET_OBSOLETE (1 << 1)\n+#define QEMU_SECCOMP_SET_PRIVILEGED (1 << 2)\n \n #include <seccomp.h>\n \ndiff --git a/qemu-options.hx b/qemu-options.hx\nindex 72150c6b84..5c1b163fb5 100644\n--- a/qemu-options.hx\n+++ b/qemu-options.hx\n@@ -4017,20 +4017,26 @@ Old param mode (ARM only).\n ETEXI\n \n DEF(\"sandbox\", HAS_ARG, QEMU_OPTION_sandbox, \\\n- \"-sandbox on[,obsolete=allow|deny]\\n\" \\\n+ \"-sandbox on[,obsolete=allow|deny][,elevateprivileges=allow|deny|children]\\n\" \\\n \" Enable seccomp mode 2 system call filter (default 'off').\\n\" \\\n \" use 'obsolete' to allow obsolete system calls that are provided\\n\" \\\n \" by the kernel, but typically no longer used by modern\\n\" \\\n- \" C library implementations.\\n\",\n+ \" C library implementations.\\n\" \\\n+ \" use 'elevateprivileges' to allow or deny QEMU process to elevate\\n\" \\\n+ \" its privileges by blacklisting all set*uid|gid system calls.\\n\" \\\n+ \" The value 'children' will deny set*uid|gid system calls for\\n\" \\\n+ \" main QEMU process but will allow forks and execves to run unprivileged\\n\",\n QEMU_ARCH_ALL)\n STEXI\n-@item -sandbox @var{arg}[,obsolete=@var{string}]\n+@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}]\n @findex -sandbox\n Enable Seccomp mode 2 system call filter. 'on' will enable syscall filtering and 'off' will\n disable it. The default is 'off'.\n @table @option\n @item obsolete=@var{string}\n Enable Obsolete system calls\n+@item elevateprivileges=@var{string}\n+Disable set*uid|gid system calls\n @end table\n ETEXI\n \ndiff --git a/qemu-seccomp.c b/qemu-seccomp.c\nindex 3e3f15cc08..16c8c20132 100644\n--- a/qemu-seccomp.c\n+++ b/qemu-seccomp.c\n@@ -57,17 +57,16 @@ static const struct QemuSeccompSyscall blacklist[] = {\n { SCMP_SYS(ulimit), 1, QEMU_SECCOMP_SET_DEFAULT },\n { SCMP_SYS(vserver), 1, QEMU_SECCOMP_SET_DEFAULT },\n /* obsolete */\n- { SCMP_SYS(readdir), 2, QEMU_SECCOMP_SET_OBSOLETE },\n- { SCMP_SYS(_sysctl), 2, QEMU_SECCOMP_SET_OBSOLETE },\n- { SCMP_SYS(bdflush), 2, QEMU_SECCOMP_SET_OBSOLETE },\n- { SCMP_SYS(create_module), 2, QEMU_SECCOMP_SET_OBSOLETE },\n- { SCMP_SYS(get_kernel_syms), 2, QEMU_SECCOMP_SET_OBSOLETE },\n- { SCMP_SYS(query_module), 2, QEMU_SECCOMP_SET_OBSOLETE },\n- { SCMP_SYS(sgetmask), 2, QEMU_SECCOMP_SET_OBSOLETE },\n- { SCMP_SYS(ssetmask), 2, QEMU_SECCOMP_SET_OBSOLETE },\n- { SCMP_SYS(sysfs), 2, QEMU_SECCOMP_SET_OBSOLETE },\n- { SCMP_SYS(uselib), 2, QEMU_SECCOMP_SET_OBSOLETE },\n- { SCMP_SYS(ustat), 2, QEMU_SECCOMP_SET_OBSOLETE },\n+ { SCMP_SYS(setuid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n+ { SCMP_SYS(setgid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n+ { SCMP_SYS(setpgid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n+ { SCMP_SYS(setsid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n+ { SCMP_SYS(setreuid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n+ { SCMP_SYS(setregid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n+ { SCMP_SYS(setresuid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n+ { SCMP_SYS(setresgid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n+ { SCMP_SYS(setfsuid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n+ { SCMP_SYS(setfsgid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n };\n \n \n@@ -93,6 +92,14 @@ int seccomp_start(uint32_t seccomp_opts)\n }\n \n break;\n+ case QEMU_SECCOMP_SET_PRIVILEGED:\n+ if (seccomp_opts & QEMU_SECCOMP_SET_PRIVILEGED) {\n+ goto add_syscall;\n+ } else {\n+ continue;\n+ }\n+\n+ break;\n default:\n goto add_syscall;\n }\ndiff --git a/vl.c b/vl.c\nindex ca267f9918..1d44b05772 100644\n--- a/vl.c\n+++ b/vl.c\n@@ -29,6 +29,7 @@\n \n #ifdef CONFIG_SECCOMP\n #include \"sysemu/seccomp.h\"\n+#include \"sys/prctl.h\"\n #endif\n \n #if defined(CONFIG_VDE)\n@@ -275,6 +276,10 @@ static QemuOptsList qemu_sandbox_opts = {\n .name = \"obsolete\",\n .type = QEMU_OPT_STRING,\n },\n+ {\n+ .name = \"elevateprivileges\",\n+ .type = QEMU_OPT_STRING,\n+ },\n { /* end of list */ }\n },\n };\n@@ -1052,6 +1057,28 @@ static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp)\n \t }\n }\n \n+ value = qemu_opt_get(opts, \"elevateprivileges\");\n+ if (value) {\n+ if (strcmp(value, \"deny\") == 0) {\n+ seccomp_opts |= QEMU_SECCOMP_SET_PRIVILEGED;\n+ } else if (strcmp(value, \"children\") == 0) {\n+ seccomp_opts |= QEMU_SECCOMP_SET_PRIVILEGED;\n+\n+ /* calling prctl directly because we're\n+ * not sure if host has CAP_SYS_ADMIN set*/\n+ if (prctl(PR_SET_NO_NEW_PRIVS, 1)) {\n+ error_report(\"failed to set no_new_privs \"\n+ \"aborting\");\n+ return -1;\n+ }\n+ } else if (strcmp(value, \"allow\") == 0) {\n+ /* default value */\n+ } else {\n+ error_report(\"invalid argument for elevateprivileges\");\n+ return -1;\n+ }\n+ }\n+\n if (seccomp_start(seccomp_opts) < 0) {\n error_report(\"failed to install seccomp syscall filter \"\n \"in the kernel\");\n", "prefixes": [ "PATCHv4", "3/6" ] }