Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/811398/?format=api
{ "id": 811398, "url": "http://patchwork.ozlabs.org/api/patches/811398/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20170908091027.9104-4-otubo@redhat.com/", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20170908091027.9104-4-otubo@redhat.com>", "list_archive_url": null, "date": "2017-09-08T09:10:25", "name": "[PATCHv5,3/5] seccomp: add elevateprivileges argument to command line", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "5c4eefab07d1c79d54f2b9daeea098027267248c", "submitter": { "id": 71779, "url": "http://patchwork.ozlabs.org/api/people/71779/?format=api", "name": "Eduardo Otubo", "email": "otubo@redhat.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20170908091027.9104-4-otubo@redhat.com/mbox/", "series": [ { "id": 2143, "url": "http://patchwork.ozlabs.org/api/series/2143/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=2143", "date": "2017-09-08T09:10:22", "name": "seccomp: feature refactoring", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/2143/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/811398/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/811398/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@bilbo.ozlabs.org", "Authentication-Results": [ "ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=nongnu.org\n\t(client-ip=2001:4830:134:3::11; helo=lists.gnu.org;\n\tenvelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n\treceiver=<UNKNOWN>)", "ext-mx06.extmail.prod.ext.phx2.redhat.com;\n\tdmarc=none (p=none dis=none) header.from=redhat.com", "ext-mx06.extmail.prod.ext.phx2.redhat.com;\n\tspf=fail smtp.mailfrom=otubo@redhat.com" ], "Received": [ "from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xpWm33tDlz9s82\n\tfor <incoming@patchwork.ozlabs.org>;\n\tFri, 8 Sep 2017 19:11:47 +1000 (AEST)", "from localhost ([::1]:43997 helo=lists.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.71) (envelope-from\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>)\n\tid 1dqFKD-0001Lc-J8\n\tfor incoming@patchwork.ozlabs.org; Fri, 08 Sep 2017 05:11:45 -0400", "from eggs.gnu.org ([2001:4830:134:3::10]:49054)\n\tby lists.gnu.org with esmtp (Exim 4.71)\n\t(envelope-from <otubo@redhat.com>) id 1dqFJQ-0001CE-OK\n\tfor qemu-devel@nongnu.org; Fri, 08 Sep 2017 05:11:02 -0400", "from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)\n\t(envelope-from <otubo@redhat.com>) id 1dqFJL-0002vx-Mo\n\tfor qemu-devel@nongnu.org; Fri, 08 Sep 2017 05:10:56 -0400", "from mx1.redhat.com ([209.132.183.28]:35832)\n\tby eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.71) (envelope-from <otubo@redhat.com>) id 1dqFJL-0002vA-DA\n\tfor qemu-devel@nongnu.org; Fri, 08 Sep 2017 05:10:51 -0400", "from smtp.corp.redhat.com\n\t(int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby mx1.redhat.com (Postfix) with ESMTPS id 8CAD4356DC\n\tfor <qemu-devel@nongnu.org>; Fri, 8 Sep 2017 09:10:50 +0000 (UTC)", "from vader.redhat.com (ovpn-117-133.ams2.redhat.com\n\t[10.36.117.133])\n\tby smtp.corp.redhat.com (Postfix) with ESMTP id 2276D6AD05;\n\tFri, 8 Sep 2017 09:10:48 +0000 (UTC)" ], "DMARC-Filter": "OpenDMARC Filter v1.3.2 mx1.redhat.com 8CAD4356DC", "From": "Eduardo Otubo <otubo@redhat.com>", "To": "qemu-devel@nongnu.org", "Date": "Fri, 8 Sep 2017 11:10:25 +0200", "Message-Id": "<20170908091027.9104-4-otubo@redhat.com>", "In-Reply-To": "<20170908091027.9104-1-otubo@redhat.com>", "References": "<20170908091027.9104-1-otubo@redhat.com>", "X-Scanned-By": "MIMEDefang 2.79 on 10.5.11.15", "X-Greylist": "Sender IP whitelisted, not delayed by milter-greylist-4.5.16\n\t(mx1.redhat.com [10.5.110.30]);\n\tFri, 08 Sep 2017 09:10:50 +0000 (UTC)", "X-detected-operating-system": "by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]\n\t[fuzzy]", "X-Received-From": "209.132.183.28", "Subject": "[Qemu-devel] [PATCHv5 3/5] seccomp: add elevateprivileges argument\n\tto command line", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.21", "Precedence": "list", "List-Id": "<qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<http://lists.nongnu.org/archive/html/qemu-devel/>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Cc": "thuth@redhat.com", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "\"Qemu-devel\"\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>" }, "content": "This patch introduces the new argument\n[,elevateprivileges=allow|deny|children] to the `-sandbox on'. It allows\nor denies Qemu process to elevate its privileges by blacklisting all\nset*uid|gid system calls. The 'children' option will let forks and\nexecves run unprivileged.\n\nSigned-off-by: Eduardo Otubo <otubo@redhat.com>\n---\n include/sysemu/seccomp.h | 1 +\n qemu-options.hx | 12 +++++++++---\n qemu-seccomp.c | 19 +++++++++++++++++++\n vl.c | 27 +++++++++++++++++++++++++++\n 4 files changed, 56 insertions(+), 3 deletions(-)", "diff": "diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h\nindex 215138a372..4a9e63c7cd 100644\n--- a/include/sysemu/seccomp.h\n+++ b/include/sysemu/seccomp.h\n@@ -17,6 +17,7 @@\n \n #define QEMU_SECCOMP_SET_DEFAULT (1 << 0)\n #define QEMU_SECCOMP_SET_OBSOLETE (1 << 1)\n+#define QEMU_SECCOMP_SET_PRIVILEGED (1 << 2)\n \n #include <seccomp.h>\n \ndiff --git a/qemu-options.hx b/qemu-options.hx\nindex 72150c6b84..5c1b163fb5 100644\n--- a/qemu-options.hx\n+++ b/qemu-options.hx\n@@ -4017,20 +4017,26 @@ Old param mode (ARM only).\n ETEXI\n \n DEF(\"sandbox\", HAS_ARG, QEMU_OPTION_sandbox, \\\n- \"-sandbox on[,obsolete=allow|deny]\\n\" \\\n+ \"-sandbox on[,obsolete=allow|deny][,elevateprivileges=allow|deny|children]\\n\" \\\n \" Enable seccomp mode 2 system call filter (default 'off').\\n\" \\\n \" use 'obsolete' to allow obsolete system calls that are provided\\n\" \\\n \" by the kernel, but typically no longer used by modern\\n\" \\\n- \" C library implementations.\\n\",\n+ \" C library implementations.\\n\" \\\n+ \" use 'elevateprivileges' to allow or deny QEMU process to elevate\\n\" \\\n+ \" its privileges by blacklisting all set*uid|gid system calls.\\n\" \\\n+ \" The value 'children' will deny set*uid|gid system calls for\\n\" \\\n+ \" main QEMU process but will allow forks and execves to run unprivileged\\n\",\n QEMU_ARCH_ALL)\n STEXI\n-@item -sandbox @var{arg}[,obsolete=@var{string}]\n+@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}]\n @findex -sandbox\n Enable Seccomp mode 2 system call filter. 'on' will enable syscall filtering and 'off' will\n disable it. The default is 'off'.\n @table @option\n @item obsolete=@var{string}\n Enable Obsolete system calls\n+@item elevateprivileges=@var{string}\n+Disable set*uid|gid system calls\n @end table\n ETEXI\n \ndiff --git a/qemu-seccomp.c b/qemu-seccomp.c\nindex 126e5ee2d5..2bad16cafb 100644\n--- a/qemu-seccomp.c\n+++ b/qemu-seccomp.c\n@@ -68,6 +68,17 @@ static const struct QemuSeccompSyscall blacklist[] = {\n { SCMP_SYS(sysfs), 2, QEMU_SECCOMP_SET_OBSOLETE },\n { SCMP_SYS(uselib), 2, QEMU_SECCOMP_SET_OBSOLETE },\n { SCMP_SYS(ustat), 2, QEMU_SECCOMP_SET_OBSOLETE },\n+ /* privileged */\n+ { SCMP_SYS(setuid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n+ { SCMP_SYS(setgid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n+ { SCMP_SYS(setpgid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n+ { SCMP_SYS(setsid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n+ { SCMP_SYS(setreuid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n+ { SCMP_SYS(setregid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n+ { SCMP_SYS(setresuid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n+ { SCMP_SYS(setresgid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n+ { SCMP_SYS(setfsuid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n+ { SCMP_SYS(setfsgid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n };\n \n \n@@ -90,6 +101,14 @@ int seccomp_start(uint32_t seccomp_opts)\n continue;\n }\n break;\n+ case QEMU_SECCOMP_SET_PRIVILEGED:\n+ if (seccomp_opts & QEMU_SECCOMP_SET_PRIVILEGED) {\n+ break;\n+ } else {\n+ continue;\n+ }\n+\n+ break;\n default:\n break;\n }\ndiff --git a/vl.c b/vl.c\nindex dafbe30e2b..413cfe8504 100644\n--- a/vl.c\n+++ b/vl.c\n@@ -29,6 +29,7 @@\n \n #ifdef CONFIG_SECCOMP\n #include \"sysemu/seccomp.h\"\n+#include \"sys/prctl.h\"\n #endif\n \n #if defined(CONFIG_VDE)\n@@ -275,6 +276,10 @@ static QemuOptsList qemu_sandbox_opts = {\n .name = \"obsolete\",\n .type = QEMU_OPT_STRING,\n },\n+ {\n+ .name = \"elevateprivileges\",\n+ .type = QEMU_OPT_STRING,\n+ },\n { /* end of list */ }\n },\n };\n@@ -1054,6 +1059,28 @@ static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp)\n }\n }\n \n+ value = qemu_opt_get(opts, \"elevateprivileges\");\n+ if (value) {\n+ if (g_str_equal(value, \"deny\")) {\n+ seccomp_opts |= QEMU_SECCOMP_SET_PRIVILEGED;\n+ } else if (g_str_equal(value, \"children\")) {\n+ seccomp_opts |= QEMU_SECCOMP_SET_PRIVILEGED;\n+\n+ /* calling prctl directly because we're\n+ * not sure if host has CAP_SYS_ADMIN set*/\n+ if (prctl(PR_SET_NO_NEW_PRIVS, 1)) {\n+ error_report(\"failed to set no_new_privs \"\n+ \"aborting\");\n+ return -1;\n+ }\n+ } else if (g_str_equal(value, \"allow\")) {\n+ /* default value */\n+ } else {\n+ error_report(\"invalid argument for elevateprivileges\");\n+ return -1;\n+ }\n+ }\n+\n if (seccomp_start(seccomp_opts) < 0) {\n error_report(\"failed to install seccomp syscall filter \"\n \"in the kernel\");\n", "prefixes": [ "PATCHv5", "3/5" ] }