[{"id":1765198,"web_url":"http://patchwork.ozlabs.org/comment/1765198/","msgid":"<20170908093114.GC3609@redhat.com>","list_archive_url":null,"date":"2017-09-08T09:31:14","subject":"Re: [Qemu-devel] [PATCHv5 1/5] seccomp: changing from whitelist to\n\tblacklist","submitter":{"id":2694,"url":"http://patchwork.ozlabs.org/api/people/2694/","name":"Daniel P. Berrangé","email":"berrange@redhat.com"},"content":"On Fri, Sep 08, 2017 at 11:10:23AM +0200, Eduardo Otubo wrote:\n> This patch changes the default behavior of the seccomp filter from\n> whitelist to blacklist. By default now all system calls are allowed and\n> a small black list of definitely forbidden ones was created.\n> \n> 
Signed-off-by: Eduardo Otubo <otubo@redhat.com>\n> ---\n>  include/sysemu/seccomp.h |   2 +\n>  qemu-seccomp.c           | 264 ++++++-----------------------------------------\n>  vl.c                     |   1 -\n>  3 files changed, 35 insertions(+), 232 deletions(-)\n\nReviewed-by: Daniel P. Berrange <berrange@redhat.com>\n\n\nRegards,\nDaniel","headers":{"From":"\"Daniel P. Berrange\" <berrange@redhat.com>","To":"Eduardo Otubo <otubo@redhat.com>","Cc":"thuth@redhat.com, qemu-devel@nongnu.org","Date":"Fri, 8 Sep 2017 10:31:14 +0100","Message-ID":"<20170908093114.GC3609@redhat.com>","In-Reply-To":"<20170908091027.9104-2-otubo@redhat.com>","References":"<20170908091027.9104-1-otubo@redhat.com>\n\t<20170908091027.9104-2-otubo@redhat.com>"}},
{"id":1765208,"web_url":"http://patchwork.ozlabs.org/comment/1765208/","msgid":"<ac10832b-06bc-a797-b472-a11ff2d74cdc@redhat.com>","list_archive_url":null,"date":"2017-09-08T09:43:27","subject":"Re: [Qemu-devel] [PATCHv5 1/5] seccomp: changing from whitelist to\n\tblacklist","submitter":{"id":66152,"url":"http://patchwork.ozlabs.org/api/people/66152/","name":"Thomas Huth","email":"thuth@redhat.com"},"content":"On 08.09.2017 11:10, Eduardo Otubo wrote:\n> This patch changes the default behavior of the seccomp filter from\n> whitelist to blacklist. By default now all system calls are allowed and\n> a small black list of definitely forbidden ones was created.\n> \n> Signed-off-by: Eduardo Otubo <otubo@redhat.com>\n> ---\n>  include/sysemu/seccomp.h |   2 +\n>  qemu-seccomp.c           | 264 ++++++-----------------------------------------\n>  vl.c                     |   1 -\n>  3 files changed, 35 insertions(+), 232 deletions(-)\n> \n> diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h\n> index cfc06008cb..23b9c3c789 100644\n> --- a/include/sysemu/seccomp.h\n> +++ b/include/sysemu/seccomp.h\n> 
@@ -15,6 +15,8 @@\n>  #ifndef QEMU_SECCOMP_H\n>  #define QEMU_SECCOMP_H\n>  \n> +#define QEMU_SECCOMP_SET_DEFAULT     (1 << 0)\n> +\n>  #include <seccomp.h>\n>  \n>  int seccomp_start(void);\n> diff --git a/qemu-seccomp.c b/qemu-seccomp.c\n> index df75d9c471..bc9a1f77ff 100644\n> --- a/qemu-seccomp.c\n> +++ b/qemu-seccomp.c\n> 
@@ -28,232 +28,34 @@\n>  \n>  struct QemuSeccompSyscall {\n>      int32_t num;\n> -    uint8_t priority;\n> +    int type;\n\nWhat's this \"type\" field good for? I failed to spot the place in the\nsources where you are using it...? Anyway, some comments here right\nafter the struct members would be useful.\n\n Thomas\n\n> +    uint8_t set;\n>  };\n>  \n> -static const struct QemuSeccompSyscall seccomp_whitelist[] = {\n> -    { SCMP_SYS(timer_settime), 255 },\n[...]\n> -    { SCMP_SYS(memfd_create), 240 },\n> -#ifdef HAVE_CACHEFLUSH\n> -    { SCMP_SYS(cacheflush), 240 },\n> -#endif\n> -    { SCMP_SYS(sysinfo), 240 },\n> +static const struct QemuSeccompSyscall blacklist[] = {\n> +    /* default set of syscalls to blacklist */\n> +    { SCMP_SYS(reboot),                 1, QEMU_SECCOMP_SET_DEFAULT },\n> +    { SCMP_SYS(swapon),                 1, QEMU_SECCOMP_SET_DEFAULT },\n> +    { SCMP_SYS(swapoff),                1, QEMU_SECCOMP_SET_DEFAULT },\n> +    { SCMP_SYS(syslog),                 1, QEMU_SECCOMP_SET_DEFAULT },\n> +    { SCMP_SYS(mount),                  1, QEMU_SECCOMP_SET_DEFAULT },\n> +    { SCMP_SYS(umount),                 1, QEMU_SECCOMP_SET_DEFAULT },\n> +    { SCMP_SYS(kexec_load),             1, QEMU_SECCOMP_SET_DEFAULT },\n> +    { SCMP_SYS(afs_syscall),            1, QEMU_SECCOMP_SET_DEFAULT },\n> +    { SCMP_SYS(break),                  1, QEMU_SECCOMP_SET_DEFAULT },\n> +    { SCMP_SYS(ftime),                  1, QEMU_SECCOMP_SET_DEFAULT },\n> +    { SCMP_SYS(getpmsg),                1, QEMU_SECCOMP_SET_DEFAULT },\n> +    { SCMP_SYS(gtty),                   1, QEMU_SECCOMP_SET_DEFAULT },\n> +    { SCMP_SYS(lock),                   1, QEMU_SECCOMP_SET_DEFAULT },\n> +    { SCMP_SYS(mpx),                    1, QEMU_SECCOMP_SET_DEFAULT },\n> +    { SCMP_SYS(prof),                   1, QEMU_SECCOMP_SET_DEFAULT },\n> +    { SCMP_SYS(profil),                 1, QEMU_SECCOMP_SET_DEFAULT },\n> +    { SCMP_SYS(putpmsg),                1, 
QEMU_SECCOMP_SET_DEFAULT },\n> +    { SCMP_SYS(security),               1, QEMU_SECCOMP_SET_DEFAULT },\n> +    { SCMP_SYS(stty),                   1, QEMU_SECCOMP_SET_DEFAULT },\n> +    { SCMP_SYS(tuxcall),                1, QEMU_SECCOMP_SET_DEFAULT },\n> +    { SCMP_SYS(ulimit),                 1, QEMU_SECCOMP_SET_DEFAULT },\n> +    { SCMP_SYS(vserver),                1, QEMU_SECCOMP_SET_DEFAULT },\n>  };\n>  \n>  int seccomp_start(void)\n> @@ -262,19 +64,19 @@ int seccomp_start(void)\n>      unsigned int i = 0;\n>      scmp_filter_ctx ctx;\n>  \n> -    ctx = seccomp_init(SCMP_ACT_KILL);\n> +    ctx = seccomp_init(SCMP_ACT_ALLOW);\n>      if (ctx == NULL) {\n>          rc = -1;\n>          goto seccomp_return;\n>      }\n>  \n> -    for (i = 0; i < ARRAY_SIZE(seccomp_whitelist); i++) {\n> -        rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_whitelist[i].num, 0);\n> -        if (rc < 0) {\n> -            goto seccomp_return;\n> +    for (i = 0; i < ARRAY_SIZE(blacklist); i++) {\n> +        switch (blacklist[i].set) {\n> +        default:\n> +            break;\n>          }\n> -        rc = seccomp_syscall_priority(ctx, seccomp_whitelist[i].num,\n> -                                      seccomp_whitelist[i].priority);\n> +\n> +        rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, blacklist[i].num, 0);\n>          if (rc < 0) {\n>              goto seccomp_return;\n>          }\n> diff --git a/vl.c b/vl.c\n> index fb1f05b937..76e0b3a946 100644\n> --- a/vl.c\n> +++ b/vl.c\n> 
@@ -1032,7 +1032,6 @@ static int bt_parse(const char *opt)\n>  \n>  static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp)\n>  {\n> -    /* FIXME: change this to true for 1.3 */\n>      if (qemu_opt_get_bool(opts, \"enable\", false)) {\n>  #ifdef CONFIG_SECCOMP\n>          if (seccomp_start() < 0) {\n>","headers":{"From":"Thomas Huth <thuth@redhat.com>","To":"Eduardo Otubo <otubo@redhat.com>, qemu-devel@nongnu.org","Date":"Fri, 8 Sep 2017 11:43:27 +0200","Message-ID":"<ac10832b-06bc-a797-b472-a11ff2d74cdc@redhat.com>","In-Reply-To":"<20170908091027.9104-2-otubo@redhat.com>","References":"<20170908091027.9104-1-otubo@redhat.com>\n\t<20170908091027.9104-2-otubo@redhat.com>"}},
{"id":1765215,"web_url":"http://patchwork.ozlabs.org/comment/1765215/","msgid":"<20170908095020.GC16888@vader>","list_archive_url":null,"date":"2017-09-08T09:50:20","subject":"Re: [Qemu-devel] [PATCHv5 1/5] seccomp: changing from whitelist to\n\tblacklist","submitter":{"id":71779,"url":"http://patchwork.ozlabs.org/api/people/71779/","name":"Eduardo Otubo","email":"otubo@redhat.com"},"content":"On Fri, Sep 08, 2017 at 11:43:27AM +0200, Thomas Huth wrote:\n> On 08.09.2017 11:10, Eduardo Otubo wrote:\n> > This patch changes the default behavior of the seccomp filter from\n> > whitelist to blacklist. By default now all system calls are allowed and\n> > a small black list of definitely forbidden ones was created.\n> > \n> > Signed-off-by: Eduardo Otubo <otubo@redhat.com>\n> > ---\n> >  include/sysemu/seccomp.h |   2 +\n> >  qemu-seccomp.c           | 264 ++++++-----------------------------------------\n> >  vl.c                     |   1 -\n> >  3 files changed, 35 insertions(+), 232 deletions(-)\n> > \n> > diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h\n> > index cfc06008cb..23b9c3c789 100644\n> > --- a/include/sysemu/seccomp.h\n> > +++ b/include/sysemu/seccomp.h\n> 
> @@ -15,6 +15,8 @@\n> >  #ifndef QEMU_SECCOMP_H\n> >  #define QEMU_SECCOMP_H\n> >  \n> > +#define QEMU_SECCOMP_SET_DEFAULT     (1 << 0)\n> > +\n> >  #include <seccomp.h>\n> >  \n> >  int seccomp_start(void);\n> > diff --git a/qemu-seccomp.c b/qemu-seccomp.c\n> > index df75d9c471..bc9a1f77ff 100644\n> > --- a/qemu-seccomp.c\n> > +++ b/qemu-seccomp.c\n> 
> @@ -28,232 +28,34 @@\n> >  \n> >  struct QemuSeccompSyscall {\n> >      int32_t num;\n> > -    uint8_t priority;\n> > +    int type;\n> \n> What's this \"type\" field good for? I failed to spot the place in the\n> sources where you are using it...? Anyway, some comments here right\n> after the struct members would be useful.\n\nThe type is exactly the type of the system call on the blacklist array\nbelow. Being QEMU_SECCOMP_SET_DEFAULT, QEMU_SECCOMP_SET_OBSOLETE, etc.\n\nDo you think comments here are worth a full v6?\n\n> \n>  Thomas\n> \n> > +    uint8_t set;\n> >  };\n> >  \n> > -static const struct QemuSeccompSyscall seccomp_whitelist[] = {\n> > -    { SCMP_SYS(timer_settime), 255 },\n> [...]\n> > -    { SCMP_SYS(memfd_create), 240 },\n> > -#ifdef HAVE_CACHEFLUSH\n> > -    { SCMP_SYS(cacheflush), 240 },\n> > -#endif\n> > -    { SCMP_SYS(sysinfo), 240 },\n> > +static const struct QemuSeccompSyscall blacklist[] = {\n> > +    /* default set of syscalls to blacklist */\n> > +    { SCMP_SYS(reboot),                 1, QEMU_SECCOMP_SET_DEFAULT },\n> > +    { SCMP_SYS(swapon),                 1, QEMU_SECCOMP_SET_DEFAULT },\n> > +    { SCMP_SYS(swapoff),                1, QEMU_SECCOMP_SET_DEFAULT },\n> > +    { SCMP_SYS(syslog),                 1, QEMU_SECCOMP_SET_DEFAULT },\n> > +    { SCMP_SYS(mount),                  1, QEMU_SECCOMP_SET_DEFAULT },\n> > +    { SCMP_SYS(umount),                 1, QEMU_SECCOMP_SET_DEFAULT },\n> > +    { SCMP_SYS(kexec_load),             1, QEMU_SECCOMP_SET_DEFAULT },\n> > +    { SCMP_SYS(afs_syscall),            1, QEMU_SECCOMP_SET_DEFAULT },\n> > +    { SCMP_SYS(break),                  1, QEMU_SECCOMP_SET_DEFAULT },\n> > +    { SCMP_SYS(ftime),                  1, QEMU_SECCOMP_SET_DEFAULT },\n> > +    { SCMP_SYS(getpmsg),                1, QEMU_SECCOMP_SET_DEFAULT },\n> > +    { SCMP_SYS(gtty),                   1, QEMU_SECCOMP_SET_DEFAULT },\n> > +    { SCMP_SYS(lock),                   1, QEMU_SECCOMP_SET_DEFAULT },\n> > +    { 
SCMP_SYS(mpx),                    1, QEMU_SECCOMP_SET_DEFAULT },\n> > +    { SCMP_SYS(prof),                   1, QEMU_SECCOMP_SET_DEFAULT },\n> > +    { SCMP_SYS(profil),                 1, QEMU_SECCOMP_SET_DEFAULT },\n> > +    { SCMP_SYS(putpmsg),                1, QEMU_SECCOMP_SET_DEFAULT },\n> > +    { SCMP_SYS(security),               1, QEMU_SECCOMP_SET_DEFAULT },\n> > +    { SCMP_SYS(stty),                   1, QEMU_SECCOMP_SET_DEFAULT },\n> > +    { SCMP_SYS(tuxcall),                1, QEMU_SECCOMP_SET_DEFAULT },\n> > +    { SCMP_SYS(ulimit),                 1, QEMU_SECCOMP_SET_DEFAULT },\n> > +    { SCMP_SYS(vserver),                1, QEMU_SECCOMP_SET_DEFAULT },\n> >  };\n> >  \n> >  int seccomp_start(void)\n> > @@ -262,19 +64,19 @@ int seccomp_start(void)\n> >      unsigned int i = 0;\n> >      scmp_filter_ctx ctx;\n> >  \n> > -    ctx = seccomp_init(SCMP_ACT_KILL);\n> > +    ctx = seccomp_init(SCMP_ACT_ALLOW);\n> >      if (ctx == NULL) {\n> >          rc = -1;\n> >          goto seccomp_return;\n> >      }\n> >  \n> > -    for (i = 0; i < ARRAY_SIZE(seccomp_whitelist); i++) {\n> > -        rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_whitelist[i].num, 0);\n> > -        if (rc < 0) {\n> > -            goto seccomp_return;\n> > +    for (i = 0; i < ARRAY_SIZE(blacklist); i++) {\n> > +        switch (blacklist[i].set) {\n> > +        default:\n> > +            break;\n> >          }\n> > -        rc = seccomp_syscall_priority(ctx, seccomp_whitelist[i].num,\n> > -                                      seccomp_whitelist[i].priority);\n> > +\n> > +        rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, blacklist[i].num, 0);\n> >          if (rc < 0) {\n> >              goto seccomp_return;\n> >          }\n> > diff --git a/vl.c b/vl.c\n> > index fb1f05b937..76e0b3a946 100644\n> > --- a/vl.c\n> > +++ b/vl.c\n> 
> @@ -1032,7 +1032,6 @@ static int bt_parse(const char *opt)\n> >  \n> >  static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp)\n> >  {\n> > -    /* FIXME: change this to true for 1.3 */\n> >      if (qemu_opt_get_bool(opts, \"enable\", false)) {\n> >  #ifdef CONFIG_SECCOMP\n> >          if (seccomp_start() < 0) {\n> > \n> \n>","headers":{"From":"Eduardo Otubo <otubo@redhat.com>","To":"Thomas Huth <thuth@redhat.com>","Cc":"qemu-devel@nongnu.org","Date":"Fri, 8 Sep 2017 11:50:20 +0200","Message-ID":"<20170908095020.GC16888@vader>","In-Reply-To":"<ac10832b-06bc-a797-b472-a11ff2d74cdc@redhat.com>","References":"<20170908091027.9104-1-otubo@redhat.com>\n\t<20170908091027.9104-2-otubo@redhat.com>\n\t<ac10832b-06bc-a797-b472-a11ff2d74cdc@redhat.com>"}},
{"id":1765216,"web_url":"http://patchwork.ozlabs.org/comment/1765216/","msgid":"<36e21758-2a47-d6b9-1141-67470e30754f@redhat.com>","list_archive_url":null,"date":"2017-09-08T09:52:42","subject":"Re: [Qemu-devel] [PATCHv5 1/5] seccomp: changing from whitelist to\n\tblacklist","submitter":{"id":66152,"url":"http://patchwork.ozlabs.org/api/people/66152/","name":"Thomas Huth","email":"thuth@redhat.com"},"content":"On 08.09.2017 11:50, Eduardo Otubo wrote:\n> On Fri, Sep 08, 2017 at 11:43:27AM +0200, Thomas Huth wrote:\n>> On 08.09.2017 11:10, Eduardo Otubo wrote:\n>>> This patch changes the default behavior of the seccomp filter from\n>>> whitelist to blacklist. By default now all system calls are allowed and\n>>> a small black list of definitely forbidden ones was created.\n>>>\n>>> Signed-off-by: Eduardo Otubo <otubo@redhat.com>\n>>> ---\n>>>  include/sysemu/seccomp.h |   2 +\n>>>  qemu-seccomp.c           | 264 ++++++-----------------------------------------\n>>>  vl.c                     |   1 -\n>>>  3 files changed, 35 insertions(+), 232 deletions(-)\n>>>\n>>> diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h\n>>> index cfc06008cb..23b9c3c789 100644\n>>> 
--- a/include/sysemu/seccomp.h\n>>> +++ b/include/sysemu/seccomp.h\n>>> @@ -15,6 +15,8 @@\n>>>  #ifndef QEMU_SECCOMP_H\n>>>  #define QEMU_SECCOMP_H\n>>>  \n>>> +#define QEMU_SECCOMP_SET_DEFAULT     (1 << 0)\n>>> +\n>>>  #include <seccomp.h>\n>>>  \n>>>  int seccomp_start(void);\n>>> diff --git a/qemu-seccomp.c b/qemu-seccomp.c\n>>> index df75d9c471..bc9a1f77ff 100644\n>>> --- a/qemu-seccomp.c\n>>> +++ b/qemu-seccomp.c\n>>> 
@@ -28,232 +28,34 @@\n>>>  \n>>>  struct QemuSeccompSyscall {\n>>>      int32_t num;\n>>> -    uint8_t priority;\n>>> +    int type;\n>>\n>> What's this \"type\" field good for? I failed to spot the place in the\n>> sources where you are using it...? Anyway, some comments here right\n>> after the struct members would be useful.\n> \n> The type is exactly the type of the system call on the blacklist array\n> below. Being QEMU_SECCOMP_SET_DEFAULT, QEMU_SECCOMP_SET_OBSOLETE, etc.\n\nSorry, I still do not understand. If that's the case, what's the\ndifference between the \"type\" field and the \"set\" field? Where do you\nuse the \"type\" field?\n\n Thomas\n\n>>> +    uint8_t set;\n>>>  };\n>>>  \n>>> -static const struct QemuSeccompSyscall seccomp_whitelist[] = {\n>>> -    { SCMP_SYS(timer_settime), 255 },\n>> [...]\n>>> -    { SCMP_SYS(memfd_create), 240 },\n>>> -#ifdef HAVE_CACHEFLUSH\n>>> -    { SCMP_SYS(cacheflush), 240 },\n>>> -#endif\n>>> -    { SCMP_SYS(sysinfo), 240 },\n>>> +static const struct QemuSeccompSyscall blacklist[] = {\n>>> +    /* default set of syscalls to blacklist */\n>>> +    { SCMP_SYS(reboot),                 1, QEMU_SECCOMP_SET_DEFAULT },\n>>> +    { SCMP_SYS(swapon),                 1, QEMU_SECCOMP_SET_DEFAULT },\n>>> +    { SCMP_SYS(swapoff),                1, QEMU_SECCOMP_SET_DEFAULT },\n>>> +    { SCMP_SYS(syslog),                 1, QEMU_SECCOMP_SET_DEFAULT },\n>>> +    { SCMP_SYS(mount),                  1, QEMU_SECCOMP_SET_DEFAULT },\n>>> +    { SCMP_SYS(umount),                 1, QEMU_SECCOMP_SET_DEFAULT },\n>>> +    { SCMP_SYS(kexec_load),             1, QEMU_SECCOMP_SET_DEFAULT },\n>>> +    { SCMP_SYS(afs_syscall),            1, QEMU_SECCOMP_SET_DEFAULT },\n>>> +    { SCMP_SYS(break),                  1, QEMU_SECCOMP_SET_DEFAULT },\n>>> +    { SCMP_SYS(ftime),                  1, QEMU_SECCOMP_SET_DEFAULT },\n>>> +    { SCMP_SYS(getpmsg),                1, QEMU_SECCOMP_SET_DEFAULT },\n>>> +    { SCMP_SYS(gtty),                   1, 
QEMU_SECCOMP_SET_DEFAULT },\n>>> +    { SCMP_SYS(lock),                   1, QEMU_SECCOMP_SET_DEFAULT },\n>>> +    { SCMP_SYS(mpx),                    1, QEMU_SECCOMP_SET_DEFAULT },\n>>> +    { SCMP_SYS(prof),                   1, QEMU_SECCOMP_SET_DEFAULT },\n>>> +    { SCMP_SYS(profil),                 1, QEMU_SECCOMP_SET_DEFAULT },\n>>> +    { SCMP_SYS(putpmsg),                1, QEMU_SECCOMP_SET_DEFAULT },\n>>> +    { SCMP_SYS(security),               1, QEMU_SECCOMP_SET_DEFAULT },\n>>> +    { SCMP_SYS(stty),                   1, QEMU_SECCOMP_SET_DEFAULT },\n>>> +    { SCMP_SYS(tuxcall),                1, QEMU_SECCOMP_SET_DEFAULT },\n>>> +    { SCMP_SYS(ulimit),                 1, QEMU_SECCOMP_SET_DEFAULT },\n>>> +    { SCMP_SYS(vserver),                1, QEMU_SECCOMP_SET_DEFAULT },\n>>>  };\n>>>  \n>>>  int seccomp_start(void)\n>>> @@ -262,19 +64,19 @@ int seccomp_start(void)\n>>>      unsigned int i = 0;\n>>>      scmp_filter_ctx ctx;\n>>>  \n>>> -    ctx = seccomp_init(SCMP_ACT_KILL);\n>>> +    ctx = seccomp_init(SCMP_ACT_ALLOW);\n>>>      if (ctx == NULL) {\n>>>          rc = -1;\n>>>          goto seccomp_return;\n>>>      }\n>>>  \n>>> -    for (i = 0; i < ARRAY_SIZE(seccomp_whitelist); i++) {\n>>> -        rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_whitelist[i].num, 0);\n>>> -        if (rc < 0) {\n>>> -            goto seccomp_return;\n>>> +    for (i = 0; i < ARRAY_SIZE(blacklist); i++) {\n>>> +        switch (blacklist[i].set) {\n>>> +        default:\n>>> +            break;\n>>>          }\n>>> -        rc = seccomp_syscall_priority(ctx, seccomp_whitelist[i].num,\n>>> -                                      seccomp_whitelist[i].priority);\n>>> +\n>>> +        rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, blacklist[i].num, 0);\n>>>          if (rc < 0) {\n>>>              goto seccomp_return;\n>>>          }\n>>> diff --git a/vl.c b/vl.c\n>>> index fb1f05b937..76e0b3a946 100644\n>>> --- a/vl.c\n>>> +++ b/vl.c\n>>> 
@@ -1032,7 +1032,6 @@ static int bt_parse(const char *opt)\n>>>  \n>>>  static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp)\n>>>  {\n>>> -    /* FIXME: change this to true for 1.3 */\n>>>      if (qemu_opt_get_bool(opts, \"enable\", false)) {\n>>>  #ifdef CONFIG_SECCOMP\n>>>          if (seccomp_start() < 0) {\n>>>\n>>\n>>\n>","headers":{"From":"Thomas Huth <thuth@redhat.com>","To":"Eduardo Otubo <otubo@redhat.com>","Cc":"qemu-devel@nongnu.org","Date":"Fri, 8 Sep 2017 11:52:42 +0200","Message-ID":"<36e21758-2a47-d6b9-1141-67470e30754f@redhat.com>","In-Reply-To":"<20170908095020.GC16888@vader>","References":"<20170908091027.9104-1-otubo@redhat.com>\n\t<20170908091027.9104-2-otubo@redhat.com>\n\t<ac10832b-06bc-a797-b472-a11ff2d74cdc@redhat.com>\n\t<20170908095020.GC16888@vader>"}},
{"id":1765251,"web_url":"http://patchwork.ozlabs.org/comment/1765251/","msgid":"<20170908105713.GA12556@vader>","list_archive_url":null,"date":"2017-09-08T10:57:13","subject":"Re: [Qemu-devel] [PATCHv5 1/5] seccomp: changing from whitelist to\n\tblacklist","submitter":{"id":71779,"url":"http://patchwork.ozlabs.org/api/people/71779/","name":"Eduardo Otubo","email":"otubo@redhat.com"},"content":"On Fri, Sep 08, 2017 at 11:52:42AM +0200, Thomas Huth wrote:\n> On 08.09.2017 11:50, Eduardo Otubo wrote:\n> > On Fri, Sep 08, 2017 at 11:43:27AM +0200, Thomas Huth wrote:\n> >> On 08.09.2017 11:10, Eduardo Otubo wrote:\n> >>> This patch changes the default behavior of the seccomp filter from\n> >>> whitelist to blacklist. By default now all system calls are allowed and\n> >>> a small black list of definitely forbidden ones was created.\n> >>>\n> >>> Signed-off-by: Eduardo Otubo <otubo@redhat.com>\n> >>> ---\n> >>>  include/sysemu/seccomp.h |   2 +\n> >>>  qemu-seccomp.c           | 264 ++++++-----------------------------------------\n> >>>  vl.c                     |   1 -\n> >>>  3 files changed, 35 insertions(+), 232 deletions(-)\n> >>>\n> 
>>> diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h\n> >>> index cfc06008cb..23b9c3c789 100644\n> >>> --- a/include/sysemu/seccomp.h\n> >>> +++ b/include/sysemu/seccomp.h\n> >>> @@ -15,6 +15,8 @@\n> >>>  #ifndef QEMU_SECCOMP_H\n> >>>  #define QEMU_SECCOMP_H\n> >>>  \n> >>> +#define QEMU_SECCOMP_SET_DEFAULT     (1 << 0)\n> >>> +\n> >>>  #include <seccomp.h>\n> >>>  \n> >>>  int seccomp_start(void);\n> >>> diff --git a/qemu-seccomp.c b/qemu-seccomp.c\n> >>> index df75d9c471..bc9a1f77ff 100644\n> >>> --- a/qemu-seccomp.c\n> >>> +++ b/qemu-seccomp.c\n> 
>>> @@ -28,232 +28,34 @@\n> >>>  \n> >>>  struct QemuSeccompSyscall {\n> >>>      int32_t num;\n> >>> -    uint8_t priority;\n> >>> +    int type;\n> >>\n> >> What's this \"type\" field good for? I failed to spot the place in the\n> >> sources where you are using it...? Anyway, some comments here right\n> >> after the struct members would be useful.\n> > \n> > The type is exactly the type of the system call on the blacklist array\n> > below. Being QEMU_SECCOMP_SET_DEFAULT, QEMU_SECCOMP_SET_OBSOLETE, etc.\n> \n> Sorry, I still do not understand. If that's the case, what's the\n> difference between the \"type\" field and the \"set\" field? Where do you\n> use the \"type\" field?\n\nHARGH, sorry. Perhaps I was debugging this for too long and didn't\nnotice it. This was for debug purposes only. I'll remove and resend.\nThanks for spotting this.\n\n> >>> +    uint8_t set;\n> >>>  };\n> >>>  \n> >>> -static const struct QemuSeccompSyscall seccomp_whitelist[] = {\n> >>> -    { SCMP_SYS(timer_settime), 255 },\n> >> [...]\n> >>> -    { SCMP_SYS(memfd_create), 240 },\n> >>> -#ifdef HAVE_CACHEFLUSH\n> >>> -    { SCMP_SYS(cacheflush), 240 },\n> >>> -#endif\n> >>> -    { SCMP_SYS(sysinfo), 240 },\n> >>> +static const struct QemuSeccompSyscall blacklist[] = {\n> >>> +    /* default set of syscalls to blacklist */\n> >>> +    { SCMP_SYS(reboot),                 1, QEMU_SECCOMP_SET_DEFAULT },\n> >>> +    { SCMP_SYS(swapon),                 1, QEMU_SECCOMP_SET_DEFAULT },\n> >>> +    { SCMP_SYS(swapoff),                1, QEMU_SECCOMP_SET_DEFAULT },\n> >>> +    { SCMP_SYS(syslog),                 1, QEMU_SECCOMP_SET_DEFAULT },\n> >>> +    { SCMP_SYS(mount),                  1, QEMU_SECCOMP_SET_DEFAULT },\n> >>> +    { SCMP_SYS(umount),                 1, QEMU_SECCOMP_SET_DEFAULT },\n> >>> +    { SCMP_SYS(kexec_load),             1, QEMU_SECCOMP_SET_DEFAULT },\n> >>> +    { SCMP_SYS(afs_syscall),            1, QEMU_SECCOMP_SET_DEFAULT },\n> >>> +    { SCMP_SYS(break),                  
1, QEMU_SECCOMP_SET_DEFAULT },\n> >>> +    { SCMP_SYS(ftime),                  1, QEMU_SECCOMP_SET_DEFAULT },\n> >>> +    { SCMP_SYS(getpmsg),                1, QEMU_SECCOMP_SET_DEFAULT },\n> >>> +    { SCMP_SYS(gtty),                   1, QEMU_SECCOMP_SET_DEFAULT },\n> >>> +    { SCMP_SYS(lock),                   1, QEMU_SECCOMP_SET_DEFAULT },\n> >>> +    { SCMP_SYS(mpx),                    1, QEMU_SECCOMP_SET_DEFAULT },\n> >>> +    { SCMP_SYS(prof),                   1, QEMU_SECCOMP_SET_DEFAULT },\n> >>> +    { SCMP_SYS(profil),                 1, QEMU_SECCOMP_SET_DEFAULT },\n> >>> +    { SCMP_SYS(putpmsg),                1, QEMU_SECCOMP_SET_DEFAULT },\n> >>> +    { SCMP_SYS(security),               1, QEMU_SECCOMP_SET_DEFAULT },\n> >>> +    { SCMP_SYS(stty),                   1, QEMU_SECCOMP_SET_DEFAULT },\n> >>> +    { SCMP_SYS(tuxcall),                1, QEMU_SECCOMP_SET_DEFAULT },\n> >>> +    { SCMP_SYS(ulimit),                 1, QEMU_SECCOMP_SET_DEFAULT },\n> >>> +    { SCMP_SYS(vserver),                1, QEMU_SECCOMP_SET_DEFAULT },\n> >>>  };\n> >>>  \n> >>>  int seccomp_start(void)\n> 
>>> @@ -262,19 +64,19 @@ int seccomp_start(void)\n> >>>      unsigned int i = 0;\n> >>>      scmp_filter_ctx ctx;\n> >>>  \n> >>> -    ctx = seccomp_init(SCMP_ACT_KILL);\n> >>> +    ctx = seccomp_init(SCMP_ACT_ALLOW);\n> >>>      if (ctx == NULL) {\n> >>>          rc = -1;\n> >>>          goto seccomp_return;\n> >>>      }\n> >>>  \n> >>> -    for (i = 0; i < ARRAY_SIZE(seccomp_whitelist); i++) {\n> >>> -        rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_whitelist[i].num, 0);\n> >>> -        if (rc < 0) {\n> >>> -            goto seccomp_return;\n> >>> +    for (i = 0; i < ARRAY_SIZE(blacklist); i++) {\n> >>> +        switch (blacklist[i].set) {\n> >>> +        default:\n> >>> +            break;\n> >>>          }\n> >>> -        rc = seccomp_syscall_priority(ctx, seccomp_whitelist[i].num,\n> >>> -                                      seccomp_whitelist[i].priority);\n> >>> +\n> >>> +        rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, blacklist[i].num, 0);\n> >>>          if (rc < 0) {\n> >>>              goto seccomp_return;\n> >>>          }\n> >>> diff --git a/vl.c b/vl.c\n> >>> index fb1f05b937..76e0b3a946 100644\n> >>> --- a/vl.c\n> >>> +++ b/vl.c\n> 
>>> @@ -1032,7 +1032,6 @@ static int bt_parse(const char *opt)\n> >>>  \n> >>>  static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp)\n> >>>  {\n> >>> -    /* FIXME: change this to true for 1.3 */\n> >>>      if (qemu_opt_get_bool(opts, \"enable\", false)) {\n> >>>  #ifdef CONFIG_SECCOMP\n> >>>          if (seccomp_start() < 0) {\n> >>>\n> >>\n> >>\n> > \n>","headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=nongnu.org\n\t(client-ip=2001:4830:134:3::11; helo=lists.gnu.org;\n\tenvelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n\treceiver=<UNKNOWN>)","ext-mx08.extmail.prod.ext.phx2.redhat.com;\n\tdmarc=none (p=none dis=none) header.from=redhat.com","ext-mx08.extmail.prod.ext.phx2.redhat.com;\n\tspf=fail smtp.mailfrom=otubo@redhat.com"],"Received":["from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xpZYk6nxbz9s8J\n\tfor <incoming@patchwork.ozlabs.org>;\n\tFri,  8 Sep 2017 21:18:02 +1000 (AEST)","from localhost ([::1]:44704 helo=lists.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.71) (envelope-from\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>)\n\tid 1dqHIO-0005RR-Tn\n\tfor incoming@patchwork.ozlabs.org; Fri, 08 Sep 2017 07:18:00 -0400","from eggs.gnu.org ([2001:4830:134:3::10]:39376)\n\tby lists.gnu.org with esmtp (Exim 4.71)\n\t(envelope-from <otubo@redhat.com>) id 1dqGyT-0004Lp-Pt\n\tfor qemu-devel@nongnu.org; Fri, 08 Sep 2017 06:57:30 -0400","from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)\n\t(envelope-from <otubo@redhat.com>) id 1dqGyO-0004J4-SZ\n\tfor qemu-devel@nongnu.org; Fri, 08 Sep 2017 06:57:25 -0400","from mx1.redhat.com 
([209.132.183.28]:59018)\n\tby eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.71) (envelope-from <otubo@redhat.com>) id 1dqGyO-0004Ia-JU\n\tfor qemu-devel@nongnu.org; Fri, 08 Sep 2017 06:57:20 -0400","from smtp.corp.redhat.com\n\t(int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby mx1.redhat.com (Postfix) with ESMTPS id B507BC0587EB\n\tfor <qemu-devel@nongnu.org>; Fri,  8 Sep 2017 10:57:18 +0000 (UTC)","from vader (ovpn-117-226.ams2.redhat.com [10.36.117.226])\n\tby smtp.corp.redhat.com (Postfix) with SMTP id 306B15D988;\n\tFri,  8 Sep 2017 10:57:15 +0000 (UTC)"],"DMARC-Filter":"OpenDMARC Filter v1.3.2 mx1.redhat.com B507BC0587EB","Date":"Fri, 8 Sep 2017 12:57:13 +0200","From":"Eduardo Otubo <otubo@redhat.com>","To":"Thomas Huth <thuth@redhat.com>","Message-ID":"<20170908105713.GA12556@vader>","References":"<20170908091027.9104-1-otubo@redhat.com>\n\t<20170908091027.9104-2-otubo@redhat.com>\n\t<ac10832b-06bc-a797-b472-a11ff2d74cdc@redhat.com>\n\t<20170908095020.GC16888@vader>\n\t<36e21758-2a47-d6b9-1141-67470e30754f@redhat.com>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<36e21758-2a47-d6b9-1141-67470e30754f@redhat.com>","User-Agent":"Mutt/1.8.3+47 (5f034395e53d) (2017-05-23)","X-Scanned-By":"MIMEDefang 2.79 on 10.5.11.14","X-Greylist":"Sender IP whitelisted, not delayed by milter-greylist-4.5.16\n\t(mx1.redhat.com [10.5.110.32]);\n\tFri, 08 Sep 2017 10:57:18 +0000 (UTC)","X-detected-operating-system":"by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]\n\t[fuzzy]","X-Received-From":"209.132.183.28","Subject":"Re: [Qemu-devel] [PATCHv5 1/5] seccomp: changing from whitelist 
to\n\tblacklist","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.21","Precedence":"list","List-Id":"<qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<http://lists.nongnu.org/archive/html/qemu-devel/>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Cc":"qemu-devel@nongnu.org","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"\"Qemu-devel\"\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>"}}]
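Review bot: in the include/sysemu/seccomp.h hunk the new `#define QEMU_SECCOMP_SET_DEFAULT (1 << 0)` sits above `#include <seccomp.h>` and carries no comment saying what it selects; move it below the include next to the `seccomp_start()` prototype and document it, e.g. `/* bit in QemuSeccompSyscall.set: syscalls blacklisted by default */`. Since it is defined as a single bit and stored in a `uint8_t set`, that field can name at most eight sets, which is worth stating where the constant is defined so later additions do not silently overflow it.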
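Review bot: the `int type;` member added to `struct QemuSeccompSyscall` in the first qemu-seccomp.c hunk is never read by the patch (the loop in `seccomp_start()` only uses `.num` and `.set`), and the thread confirms it was a leftover debug field; drop it and the constant `1` column it forces into every `blacklist[]` entry before the respin, and give the remaining members the one-line comments asked for in review, e.g. `int32_t num; /* syscall number, from SCMP_SYS() */` and `uint8_t set; /* QEMU_SECCOMP_SET_* bitmask this entry belongs to */`.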
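Review bot: the new `blacklist[]` array blocks `mount`, `umount` and `kexec_load` but not their siblings `umount2` and `kexec_file_load`; on x86_64 the kernel has no `umount` syscall at all (only `umount2`), so the `SCMP_SYS(umount)` entry does not cover the syscall that actually unmounts there, and unmounting stays allowed. Add `{ SCMP_SYS(umount2), ... QEMU_SECCOMP_SET_DEFAULT }` and, if the minimum libseccomp QEMU builds against knows it, `{ SCMP_SYS(kexec_file_load), ... }` beside the existing entries. Note also that most of the remaining entries (afs_syscall, break, ftime, getpmsg, gtty, lock, mpx, prof, profil, putpmsg, security, stty, tuxcall, ulimit, vserver) are unimplemented stubs that the kernel already answers with ENOSYS, so the default set removes very little attack surface compared with the whitelist being deleted; the commit message should say plainly that this trades filter coverage for compatibility.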
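Review bot: the `switch (blacklist[i].set)` in the `seccomp_start()` hunk contains only `default: break;`, so the `set` field is never consulted and every entry is installed unconditionally; either add the `case QEMU_SECCOMP_SET_DEFAULT:` arm that this patch introduces the define for, or leave the switch out of this patch and add it in the one that introduces a second set. Separately, switching `seccomp_init(SCMP_ACT_KILL)` to `seccomp_init(SCMP_ACT_ALLOW)` inverts what `-sandbox on` means for existing users: unknown syscalls are no longer killed, only the listed ones are. That needs a sentence in the commit message and in the `-sandbox` option documentation. Keep in mind as well that `SCMP_ACT_KILL` terminates only the offending thread, which for a multi-threaded QEMU process is pre-existing behaviour but is worth re-examining now that the filter's default is being changed.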
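Review bot: the vl.c hunk only removes the stale `/* FIXME: change this to true for 1.3 */` comment and leaves the `enable` default at `false`; that is fine, but it is unrelated to the whitelist-to-blacklist change and the commit message does not mention it, so either note it there or split it into its own trivial cleanup patch.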