[{"id":1765205,"web_url":"http://patchwork.ozlabs.org/comment/1765205/","msgid":"<20170908093321.GF3609@redhat.com>","list_archive_url":null,"date":"2017-09-08T09:33:21","subject":"Re: [Qemu-devel] [PATCHv5 4/5] seccomp: add spawn argument to\n\tcommand line","submitter":{"id":2694,"url":"http://patchwork.ozlabs.org/api/people/2694/","name":"Daniel P. Berrangé","email":"berrange@redhat.com"},"content":"On Fri, Sep 08, 2017 at 11:10:26AM +0200, Eduardo Otubo wrote:\n> This patch adds [,spawn=deny] argument to `-sandbox on' option. It\n> blacklists fork and execve system calls, avoiding Qemu to spawn new\n> threads or processes.\n> \n> Signed-off-by: Eduardo Otubo \n> ---\n> include/sysemu/seccomp.h | 1 +\n> qemu-options.hx | 9 +++++++--\n> qemu-seccomp.c | 12 ++++++++++++\n> vl.c | 16 ++++++++++++++++\n> 4 files changed, 36 insertions(+), 2 deletions(-)\n\nReviewed-by: Daniel P. Berrange \n\nRegards,\nDaniel","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=nongnu.org\n\t(client-ip=2001:4830:134:3::11; helo=lists.gnu.org;\n\tenvelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n\treceiver=)","ext-mx04.extmail.prod.ext.phx2.redhat.com;\n\tdmarc=none (p=none dis=none) header.from=redhat.com","ext-mx04.extmail.prod.ext.phx2.redhat.com;\n\tspf=fail smtp.mailfrom=berrange@redhat.com"],"Received":["from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xpXMF41HBz9ryv\n\tfor ;\n\tFri, 8 Sep 2017 19:38:49 +1000 (AEST)","from localhost ([::1]:44149 helo=lists.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.71) (envelope-from\n\t)\n\tid 1dqFkN-0007JU-JD\n\tfor incoming@patchwork.ozlabs.org; Fri, 08 Sep 2017 05:38:47 -0400","from eggs.gnu.org ([2001:4830:134:3::10]:33223)\n\tby lists.gnu.org with esmtp (Exim 4.71)\n\t(envelope-from ) id 1dqFfJ-0003Oa-Ln\n\tfor qemu-devel@nongnu.org; Fri, 08 Sep 2017 05:33:38 -0400","from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)\n\t(envelope-from ) id 1dqFfD-0006do-O3\n\tfor qemu-devel@nongnu.org; Fri, 08 Sep 2017 05:33:33 -0400","from mx1.redhat.com ([209.132.183.28]:47412)\n\tby eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.71) (envelope-from ) id 1dqFfD-0006cp-IG\n\tfor qemu-devel@nongnu.org; Fri, 08 Sep 2017 05:33:27 -0400","from smtp.corp.redhat.com\n\t(int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby mx1.redhat.com (Postfix) with ESMTPS id 997EA85545\n\tfor ; Fri, 8 Sep 2017 09:33:26 +0000 (UTC)","from redhat.com (unknown [10.33.36.66])\n\tby smtp.corp.redhat.com (Postfix) with ESMTPS id D206E6AD12;\n\tFri, 8 Sep 2017 09:33:23 +0000 (UTC)"],"DMARC-Filter":"OpenDMARC Filter v1.3.2 mx1.redhat.com 997EA85545","Date":"Fri, 8 Sep 2017 10:33:21 +0100","From":"\"Daniel P. Berrange\" ","To":"Eduardo Otubo ","Message-ID":"<20170908093321.GF3609@redhat.com>","References":"<20170908091027.9104-1-otubo@redhat.com>\n\t<20170908091027.9104-5-otubo@redhat.com>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<20170908091027.9104-5-otubo@redhat.com>","User-Agent":"Mutt/1.8.3 (2017-05-23)","X-Scanned-By":"MIMEDefang 2.79 on 10.5.11.15","X-Greylist":"Sender IP whitelisted, not delayed by milter-greylist-4.5.16\n\t(mx1.redhat.com [10.5.110.28]);\n\tFri, 08 Sep 2017 09:33:26 +0000 (UTC)","X-detected-operating-system":"by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]\n\t[fuzzy]","X-Received-From":"209.132.183.28","Subject":"Re: [Qemu-devel] [PATCHv5 4/5] seccomp: add spawn argument to\n\tcommand line","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.21","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","Reply-To":"\"Daniel P. Berrange\" ","Cc":"thuth@redhat.com, qemu-devel@nongnu.org","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"\"Qemu-devel\"\n\t"}},{"id":1765214,"web_url":"http://patchwork.ozlabs.org/comment/1765214/","msgid":"<2ebb2804-a613-0942-ee9b-aa900093ac98@redhat.com>","list_archive_url":null,"date":"2017-09-08T09:50:12","subject":"Re: [Qemu-devel] [PATCHv5 4/5] seccomp: add spawn argument to\n\tcommand line","submitter":{"id":66152,"url":"http://patchwork.ozlabs.org/api/people/66152/","name":"Thomas Huth","email":"thuth@redhat.com"},"content":"On 08.09.2017 11:10, Eduardo Otubo wrote:\n> This patch adds [,spawn=deny] argument to `-sandbox on' option. It\n> blacklists fork and execve system calls, avoiding Qemu to spawn new\n> threads or processes.\n> \n> Signed-off-by: Eduardo Otubo \n> ---\n> include/sysemu/seccomp.h | 1 +\n> qemu-options.hx | 9 +++++++--\n> qemu-seccomp.c | 12 ++++++++++++\n> vl.c | 16 ++++++++++++++++\n> 4 files changed, 36 insertions(+), 2 deletions(-)\n> \n> diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h\n> index 4a9e63c7cd..3ab5fc4f61 100644\n> --- a/include/sysemu/seccomp.h\n> +++ b/include/sysemu/seccomp.h\n> @@ -18,6 +18,7 @@\n> #define QEMU_SECCOMP_SET_DEFAULT (1 << 0)\n> #define QEMU_SECCOMP_SET_OBSOLETE (1 << 1)\n> #define QEMU_SECCOMP_SET_PRIVILEGED (1 << 2)\n> +#define QEMU_SECCOMP_SET_SPAWN (1 << 3)\n> \n> #include \n> \n> diff --git a/qemu-options.hx b/qemu-options.hx\n> index 5c1b163fb5..2b04b9f170 100644\n> --- a/qemu-options.hx\n> +++ b/qemu-options.hx\n> @@ -4018,6 +4018,7 @@ ETEXI\n> \n> DEF(\"sandbox\", HAS_ARG, QEMU_OPTION_sandbox, \\\n> \"-sandbox on[,obsolete=allow|deny][,elevateprivileges=allow|deny|children]\\n\" \\\n> + \" [,spawn=allow|deny]\\n\" \\\n> \" Enable seccomp mode 2 system call filter (default 'off').\\n\" \\\n> \" use 'obsolete' to allow obsolete system calls that are provided\\n\" \\\n> \" by the kernel, but typically no longer used by modern\\n\" \\\n> @@ -4025,10 +4026,12 @@ DEF(\"sandbox\", HAS_ARG, QEMU_OPTION_sandbox, \\\n> \" use 'elevateprivileges' to allow or deny QEMU process to elevate\\n\" \\\n> \" its privileges by blacklisting all set*uid|gid system calls.\\n\" \\\n> \" The value 'children' will deny set*uid|gid system calls for\\n\" \\\n> - \" main QEMU process but will allow forks and execves to run unprivileged\\n\",\n> + \" main QEMU process but will allow forks and execves to run unprivileged\\n\" \\\n> + \" use 'spawn' to avoid QEMU to spawn new threads or processes by\\n\" \\\n> + \" blacklisting *fork and execve\\n\",\n> QEMU_ARCH_ALL)\n> STEXI\n> -@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}]\n> +@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}][,spawn=@var{string}]\n> @findex -sandbox\n> Enable Seccomp mode 2 system call filter. 'on' will enable syscall filtering and 'off' will\n> disable it. The default is 'off'.\n> @@ -4037,6 +4040,8 @@ disable it. The default is 'off'.\n> Enable Obsolete system calls\n> @item elevateprivileges=@var{string}\n> Disable set*uid|gid system calls\n> +@item spawn=@var{string}\n> +Disable *fork and execve\n> @end table\n> ETEXI\n> \n> diff --git a/qemu-seccomp.c b/qemu-seccomp.c\n> index 2bad16cafb..4c169febf8 100644\n> --- a/qemu-seccomp.c\n> +++ b/qemu-seccomp.c\n> @@ -79,6 +79,10 @@ static const struct QemuSeccompSyscall blacklist[] = {\n> { SCMP_SYS(setresgid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n> { SCMP_SYS(setfsuid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n> { SCMP_SYS(setfsgid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n> + /* spawn */\n> + { SCMP_SYS(fork), 8, QEMU_SECCOMP_SET_SPAWN },\n> + { SCMP_SYS(vfork), 8, QEMU_SECCOMP_SET_SPAWN },\n> + { SCMP_SYS(execve), 8, QEMU_SECCOMP_SET_SPAWN },\n> };\n> \n> \n> @@ -109,6 +113,14 @@ int seccomp_start(uint32_t seccomp_opts)\n> }\n> \n> break;\n> + case QEMU_SECCOMP_SET_SPAWN:\n> + if (seccomp_opts & QEMU_SECCOMP_SET_SPAWN) {\n> + break;\n> + } else {\n> + continue;\n> + }\n> +\n\nRemove the above empty line?\n\nAnyway, it's somewhat ugly that you need a switch-case statement here at\nall. Couldn't you simply check it like this:\n\n\tif (!(seccomp_opts & blacklist[i].set)) {\n\t\tcontinue;\n\t}\n?\n\nYou then just have to invert the meaning of the\nQEMU_SECCOMP_SET_OBSOLETE bit in the second patch, so that this bit is\ntreated in the same way as the others (i.e. use\n uint32_t seccomp_opts = QEMU_SECCOMP_SET_OBSOLETE;\ninstead of\n uint32_t seccomp_opts = 0x00000;\nin vl.c in the second patch).\n\n Thomas","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=nongnu.org\n\t(client-ip=2001:4830:134:3::11; helo=lists.gnu.org;\n\tenvelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n\treceiver=)","ext-mx07.extmail.prod.ext.phx2.redhat.com;\n\tdmarc=none (p=none dis=none) header.from=redhat.com","ext-mx07.extmail.prod.ext.phx2.redhat.com;\n\tspf=fail smtp.mailfrom=thuth@redhat.com"],"Received":["from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xpXdG0VWQz9s8J\n\tfor ;\n\tFri, 8 Sep 2017 19:50:56 +1000 (AEST)","from localhost ([::1]:44224 helo=lists.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.71) (envelope-from\n\t)\n\tid 1dqFw6-0005SH-JE\n\tfor incoming@patchwork.ozlabs.org; Fri, 08 Sep 2017 05:50:54 -0400","from eggs.gnu.org ([2001:4830:134:3::10]:40176)\n\tby lists.gnu.org with esmtp (Exim 4.71)\n\t(envelope-from ) id 1dqFvb-0005Rj-Fv\n\tfor qemu-devel@nongnu.org; Fri, 08 Sep 2017 05:50:28 -0400","from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)\n\t(envelope-from ) id 1dqFvW-0007m4-Nh\n\tfor qemu-devel@nongnu.org; Fri, 08 Sep 2017 05:50:23 -0400","from mx1.redhat.com ([209.132.183.28]:59540)\n\tby eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.71) (envelope-from ) id 1dqFvW-0007kw-DV\n\tfor qemu-devel@nongnu.org; Fri, 08 Sep 2017 05:50:18 -0400","from smtp.corp.redhat.com\n\t(int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby mx1.redhat.com (Postfix) with ESMTPS id 5C126C047B66\n\tfor ; Fri, 8 Sep 2017 09:50:17 +0000 (UTC)","from [10.36.116.21] (ovpn-116-21.ams2.redhat.com [10.36.116.21])\n\tby smtp.corp.redhat.com (Postfix) with ESMTPS id 29DF260E3A;\n\tFri, 8 Sep 2017 09:50:13 +0000 (UTC)"],"DMARC-Filter":"OpenDMARC Filter v1.3.2 mx1.redhat.com 5C126C047B66","To":"Eduardo Otubo , qemu-devel@nongnu.org","References":"<20170908091027.9104-1-otubo@redhat.com>\n\t<20170908091027.9104-5-otubo@redhat.com>","From":"Thomas Huth ","Message-ID":"<2ebb2804-a613-0942-ee9b-aa900093ac98@redhat.com>","Date":"Fri, 8 Sep 2017 11:50:12 +0200","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\n\tThunderbird/52.3.0","MIME-Version":"1.0","In-Reply-To":"<20170908091027.9104-5-otubo@redhat.com>","Content-Type":"text/plain; charset=utf-8","Content-Language":"en-US","Content-Transfer-Encoding":"7bit","X-Scanned-By":"MIMEDefang 2.79 on 10.5.11.12","X-Greylist":"Sender IP whitelisted, not delayed by milter-greylist-4.5.16\n\t(mx1.redhat.com [10.5.110.31]);\n\tFri, 08 Sep 2017 09:50:17 +0000 (UTC)","X-detected-operating-system":"by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]\n\t[fuzzy]","X-Received-From":"209.132.183.28","Subject":"Re: [Qemu-devel] [PATCHv5 4/5] seccomp: add spawn argument to\n\tcommand line","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.21","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"\"Qemu-devel\"\n\t"}},{"id":1765259,"web_url":"http://patchwork.ozlabs.org/comment/1765259/","msgid":"<20170908111546.GA13739@vader>","list_archive_url":null,"date":"2017-09-08T11:15:46","subject":"Re: [Qemu-devel] [PATCHv5 4/5] seccomp: add spawn argument to\n\tcommand line","submitter":{"id":71779,"url":"http://patchwork.ozlabs.org/api/people/71779/","name":"Eduardo Otubo","email":"otubo@redhat.com"},"content":"On Fri, Sep 08, 2017 at 11:50:12AM +0200, Thomas Huth wrote:\n> On 08.09.2017 11:10, Eduardo Otubo wrote:\n> > This patch adds [,spawn=deny] argument to `-sandbox on' option. It\n> > blacklists fork and execve system calls, avoiding Qemu to spawn new\n> > threads or processes.\n> > \n> > Signed-off-by: Eduardo Otubo \n> > ---\n> > include/sysemu/seccomp.h | 1 +\n> > qemu-options.hx | 9 +++++++--\n> > qemu-seccomp.c | 12 ++++++++++++\n> > vl.c | 16 ++++++++++++++++\n> > 4 files changed, 36 insertions(+), 2 deletions(-)\n> > \n> > diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h\n> > index 4a9e63c7cd..3ab5fc4f61 100644\n> > --- a/include/sysemu/seccomp.h\n> > +++ b/include/sysemu/seccomp.h\n> > @@ -18,6 +18,7 @@\n> > #define QEMU_SECCOMP_SET_DEFAULT (1 << 0)\n> > #define QEMU_SECCOMP_SET_OBSOLETE (1 << 1)\n> > #define QEMU_SECCOMP_SET_PRIVILEGED (1 << 2)\n> > +#define QEMU_SECCOMP_SET_SPAWN (1 << 3)\n> > \n> > #include \n> > \n> > diff --git a/qemu-options.hx b/qemu-options.hx\n> > index 5c1b163fb5..2b04b9f170 100644\n> > --- a/qemu-options.hx\n> > +++ b/qemu-options.hx\n> > @@ -4018,6 +4018,7 @@ ETEXI\n> > \n> > DEF(\"sandbox\", HAS_ARG, QEMU_OPTION_sandbox, \\\n> > \"-sandbox on[,obsolete=allow|deny][,elevateprivileges=allow|deny|children]\\n\" \\\n> > + \" [,spawn=allow|deny]\\n\" \\\n> > \" Enable seccomp mode 2 system call filter (default 'off').\\n\" \\\n> > \" use 'obsolete' to allow obsolete system calls that are provided\\n\" \\\n> > \" by the kernel, but typically no longer used by modern\\n\" \\\n> > @@ -4025,10 +4026,12 @@ DEF(\"sandbox\", HAS_ARG, QEMU_OPTION_sandbox, \\\n> > \" use 'elevateprivileges' to allow or deny QEMU process to elevate\\n\" \\\n> > \" its privileges by blacklisting all set*uid|gid system calls.\\n\" \\\n> > \" The value 'children' will deny set*uid|gid system calls for\\n\" \\\n> > - \" main QEMU process but will allow forks and execves to run unprivileged\\n\",\n> > + \" main QEMU process but will allow forks and execves to run unprivileged\\n\" \\\n> > + \" use 'spawn' to avoid QEMU to spawn new threads or processes by\\n\" \\\n> > + \" blacklisting *fork and execve\\n\",\n> > QEMU_ARCH_ALL)\n> > STEXI\n> > -@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}]\n> > +@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}][,spawn=@var{string}]\n> > @findex -sandbox\n> > Enable Seccomp mode 2 system call filter. 'on' will enable syscall filtering and 'off' will\n> > disable it. The default is 'off'.\n> > @@ -4037,6 +4040,8 @@ disable it. The default is 'off'.\n> > Enable Obsolete system calls\n> > @item elevateprivileges=@var{string}\n> > Disable set*uid|gid system calls\n> > +@item spawn=@var{string}\n> > +Disable *fork and execve\n> > @end table\n> > ETEXI\n> > \n> > diff --git a/qemu-seccomp.c b/qemu-seccomp.c\n> > index 2bad16cafb..4c169febf8 100644\n> > --- a/qemu-seccomp.c\n> > +++ b/qemu-seccomp.c\n> > @@ -79,6 +79,10 @@ static const struct QemuSeccompSyscall blacklist[] = {\n> > { SCMP_SYS(setresgid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n> > { SCMP_SYS(setfsuid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n> > { SCMP_SYS(setfsgid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n> > + /* spawn */\n> > + { SCMP_SYS(fork), 8, QEMU_SECCOMP_SET_SPAWN },\n> > + { SCMP_SYS(vfork), 8, QEMU_SECCOMP_SET_SPAWN },\n> > + { SCMP_SYS(execve), 8, QEMU_SECCOMP_SET_SPAWN },\n> > };\n> > \n> > \n> > @@ -109,6 +113,14 @@ int seccomp_start(uint32_t seccomp_opts)\n> > }\n> > \n> > break;\n> > + case QEMU_SECCOMP_SET_SPAWN:\n> > + if (seccomp_opts & QEMU_SECCOMP_SET_SPAWN) {\n> > + break;\n> > + } else {\n> > + continue;\n> > + }\n> > +\n> \n> Remove the above empty line?\n> \n> Anyway, it's somewhat ugly that you need a switch-case statement here at\n> all. Couldn't you simply check it like this:\n> \n> \tif (!(seccomp_opts & blacklist[i].set)) {\n> \t\tcontinue;\n> \t}\n> ?\n> \n> You then just have to invert the meaning of the\n> QEMU_SECCOMP_SET_OBSOLETE bit in the second patch, so that this bit is\n> treated in the same way as the others (i.e. use\n> uint32_t seccomp_opts = QEMU_SECCOMP_SET_OBSOLETE;\n> instead of\n> uint32_t seccomp_opts = 0x00000;\n> in vl.c in the second patch).\n\nThat's indeed much better, but perhaps:\n uint32_t seccomp_opts = QEMU_SECCOMP_SET_DEFAULT | QEMU_SECCOMP_SET_OBSOLETE;\n?","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=nongnu.org\n\t(client-ip=2001:4830:134:3::11; helo=lists.gnu.org;\n\tenvelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n\treceiver=)","ext-mx10.extmail.prod.ext.phx2.redhat.com;\n\tdmarc=none (p=none dis=none) header.from=redhat.com","ext-mx10.extmail.prod.ext.phx2.redhat.com;\n\tspf=fail smtp.mailfrom=otubo@redhat.com"],"Received":["from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xpZj21kcmz9s83\n\tfor ;\n\tFri, 8 Sep 2017 21:24:22 +1000 (AEST)","from localhost ([::1]:44737 helo=lists.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.71) (envelope-from\n\t)\n\tid 1dqHOW-0003Ej-9Y\n\tfor incoming@patchwork.ozlabs.org; Fri, 08 Sep 2017 07:24:20 -0400","from eggs.gnu.org ([2001:4830:134:3::10]:47280)\n\tby lists.gnu.org with esmtp (Exim 4.71)\n\t(envelope-from ) id 1dqHGQ-0004F1-4E\n\tfor qemu-devel@nongnu.org; Fri, 08 Sep 2017 07:16:03 -0400","from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)\n\t(envelope-from ) id 1dqHGL-0002T7-1V\n\tfor qemu-devel@nongnu.org; Fri, 08 Sep 2017 07:15:58 -0400","from mx1.redhat.com ([209.132.183.28]:39286)\n\tby eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.71) (envelope-from ) id 1dqHGK-0002Sc-Oh\n\tfor qemu-devel@nongnu.org; Fri, 08 Sep 2017 07:15:52 -0400","from smtp.corp.redhat.com\n\t(int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby mx1.redhat.com (Postfix) with ESMTPS id DC0A35F7B9\n\tfor ; Fri, 8 Sep 2017 11:15:51 +0000 (UTC)","from vader (ovpn-117-226.ams2.redhat.com [10.36.117.226])\n\tby smtp.corp.redhat.com (Postfix) with SMTP id 7837B61282;\n\tFri, 8 Sep 2017 11:15:48 +0000 (UTC)"],"DMARC-Filter":"OpenDMARC Filter v1.3.2 mx1.redhat.com DC0A35F7B9","Date":"Fri, 8 Sep 2017 13:15:46 +0200","From":"Eduardo Otubo ","To":"Thomas Huth ","Message-ID":"<20170908111546.GA13739@vader>","References":"<20170908091027.9104-1-otubo@redhat.com>\n\t<20170908091027.9104-5-otubo@redhat.com>\n\t<2ebb2804-a613-0942-ee9b-aa900093ac98@redhat.com>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<2ebb2804-a613-0942-ee9b-aa900093ac98@redhat.com>","User-Agent":"Mutt/1.8.3+47 (5f034395e53d) (2017-05-23)","X-Scanned-By":"MIMEDefang 2.79 on 10.5.11.14","X-Greylist":"Sender IP whitelisted, not delayed by milter-greylist-4.5.16\n\t(mx1.redhat.com [10.5.110.39]);\n\tFri, 08 Sep 2017 11:15:52 +0000 (UTC)","X-detected-operating-system":"by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]\n\t[fuzzy]","X-Received-From":"209.132.183.28","Subject":"Re: [Qemu-devel] [PATCHv5 4/5] seccomp: add spawn argument to\n\tcommand line","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.21","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","Cc":"qemu-devel@nongnu.org","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"\"Qemu-devel\"\n\t"}},{"id":1765265,"web_url":"http://patchwork.ozlabs.org/comment/1765265/","msgid":"","list_archive_url":null,"date":"2017-09-08T11:31:22","subject":"Re: [Qemu-devel] [PATCHv5 4/5] seccomp: add spawn argument to\n\tcommand line","submitter":{"id":66152,"url":"http://patchwork.ozlabs.org/api/people/66152/","name":"Thomas Huth","email":"thuth@redhat.com"},"content":"On 08.09.2017 13:15, Eduardo Otubo wrote:\n> On Fri, Sep 08, 2017 at 11:50:12AM +0200, Thomas Huth wrote:\n>> On 08.09.2017 11:10, Eduardo Otubo wrote:\n>>> This patch adds [,spawn=deny] argument to `-sandbox on' option. It\n>>> blacklists fork and execve system calls, avoiding Qemu to spawn new\n>>> threads or processes.\n>>>\n>>> Signed-off-by: Eduardo Otubo \n>>> ---\n>>> include/sysemu/seccomp.h | 1 +\n>>> qemu-options.hx | 9 +++++++--\n>>> qemu-seccomp.c | 12 ++++++++++++\n>>> vl.c | 16 ++++++++++++++++\n>>> 4 files changed, 36 insertions(+), 2 deletions(-)\n>>>\n>>> diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h\n>>> index 4a9e63c7cd..3ab5fc4f61 100644\n>>> --- a/include/sysemu/seccomp.h\n>>> +++ b/include/sysemu/seccomp.h\n>>> @@ -18,6 +18,7 @@\n>>> #define QEMU_SECCOMP_SET_DEFAULT (1 << 0)\n>>> #define QEMU_SECCOMP_SET_OBSOLETE (1 << 1)\n>>> #define QEMU_SECCOMP_SET_PRIVILEGED (1 << 2)\n>>> +#define QEMU_SECCOMP_SET_SPAWN (1 << 3)\n>>> \n>>> #include \n>>> \n>>> diff --git a/qemu-options.hx b/qemu-options.hx\n>>> index 5c1b163fb5..2b04b9f170 100644\n>>> --- a/qemu-options.hx\n>>> +++ b/qemu-options.hx\n>>> @@ -4018,6 +4018,7 @@ ETEXI\n>>> \n>>> DEF(\"sandbox\", HAS_ARG, QEMU_OPTION_sandbox, \\\n>>> \"-sandbox on[,obsolete=allow|deny][,elevateprivileges=allow|deny|children]\\n\" \\\n>>> + \" [,spawn=allow|deny]\\n\" \\\n>>> \" Enable seccomp mode 2 system call filter (default 'off').\\n\" \\\n>>> \" use 'obsolete' to allow obsolete system calls that are provided\\n\" \\\n>>> \" by the kernel, but typically no longer used by modern\\n\" \\\n>>> @@ -4025,10 +4026,12 @@ DEF(\"sandbox\", HAS_ARG, QEMU_OPTION_sandbox, \\\n>>> \" use 'elevateprivileges' to allow or deny QEMU process to elevate\\n\" \\\n>>> \" its privileges by blacklisting all set*uid|gid system calls.\\n\" \\\n>>> \" The value 'children' will deny set*uid|gid system calls for\\n\" \\\n>>> - \" main QEMU process but will allow forks and execves to run unprivileged\\n\",\n>>> + \" main QEMU process but will allow forks and execves to run unprivileged\\n\" \\\n>>> + \" use 'spawn' to avoid QEMU to spawn new threads or processes by\\n\" \\\n>>> + \" blacklisting *fork and execve\\n\",\n>>> QEMU_ARCH_ALL)\n>>> STEXI\n>>> -@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}]\n>>> +@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}][,spawn=@var{string}]\n>>> @findex -sandbox\n>>> Enable Seccomp mode 2 system call filter. 'on' will enable syscall filtering and 'off' will\n>>> disable it. The default is 'off'.\n>>> @@ -4037,6 +4040,8 @@ disable it. The default is 'off'.\n>>> Enable Obsolete system calls\n>>> @item elevateprivileges=@var{string}\n>>> Disable set*uid|gid system calls\n>>> +@item spawn=@var{string}\n>>> +Disable *fork and execve\n>>> @end table\n>>> ETEXI\n>>> \n>>> diff --git a/qemu-seccomp.c b/qemu-seccomp.c\n>>> index 2bad16cafb..4c169febf8 100644\n>>> --- a/qemu-seccomp.c\n>>> +++ b/qemu-seccomp.c\n>>> @@ -79,6 +79,10 @@ static const struct QemuSeccompSyscall blacklist[] = {\n>>> { SCMP_SYS(setresgid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n>>> { SCMP_SYS(setfsuid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n>>> { SCMP_SYS(setfsgid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n>>> + /* spawn */\n>>> + { SCMP_SYS(fork), 8, QEMU_SECCOMP_SET_SPAWN },\n>>> + { SCMP_SYS(vfork), 8, QEMU_SECCOMP_SET_SPAWN },\n>>> + { SCMP_SYS(execve), 8, QEMU_SECCOMP_SET_SPAWN },\n>>> };\n>>> \n>>> \n>>> @@ -109,6 +113,14 @@ int seccomp_start(uint32_t seccomp_opts)\n>>> }\n>>> \n>>> break;\n>>> + case QEMU_SECCOMP_SET_SPAWN:\n>>> + if (seccomp_opts & QEMU_SECCOMP_SET_SPAWN) {\n>>> + break;\n>>> + } else {\n>>> + continue;\n>>> + }\n>>> +\n>>\n>> Remove the above empty line?\n>>\n>> Anyway, it's somewhat ugly that you need a switch-case statement here at\n>> all. Couldn't you simply check it like this:\n>>\n>> \tif (!(seccomp_opts & blacklist[i].set)) {\n>> \t\tcontinue;\n>> \t}\n>> ?\n>>\n>> You then just have to invert the meaning of the\n>> QEMU_SECCOMP_SET_OBSOLETE bit in the second patch, so that this bit is\n>> treated in the same way as the others (i.e. use\n>> uint32_t seccomp_opts = QEMU_SECCOMP_SET_OBSOLETE;\n>> instead of\n>> uint32_t seccomp_opts = 0x00000;\n>> in vl.c in the second patch).\n> \n> That's indeed much better, but perhaps:\n> uint32_t seccomp_opts = QEMU_SECCOMP_SET_DEFAULT | QEMU_SECCOMP_SET_OBSOLETE;\n\nRight, the default set should be excluded by default of course, too! :-)\n\n Thomas","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=nongnu.org\n\t(client-ip=2001:4830:134:3::11; helo=lists.gnu.org;\n\tenvelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n\treceiver=)","ext-mx02.extmail.prod.ext.phx2.redhat.com;\n\tdmarc=none (p=none dis=none) header.from=redhat.com","ext-mx02.extmail.prod.ext.phx2.redhat.com;\n\tspf=fail smtp.mailfrom=thuth@redhat.com"],"Received":["from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xpZtc4qyzz9sBd\n\tfor ;\n\tFri, 8 Sep 2017 21:32:40 +1000 (AEST)","from localhost ([::1]:44798 helo=lists.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.71) (envelope-from\n\t)\n\tid 1dqHWY-0003yP-Pq\n\tfor incoming@patchwork.ozlabs.org; Fri, 08 Sep 2017 07:32:38 -0400","from eggs.gnu.org ([2001:4830:134:3::10]:53820)\n\tby lists.gnu.org with esmtp (Exim 4.71)\n\t(envelope-from ) id 1dqHVa-0003QM-Ql\n\tfor qemu-devel@nongnu.org; Fri, 08 Sep 2017 07:31:43 -0400","from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)\n\t(envelope-from ) id 1dqHVW-00050n-18\n\tfor qemu-devel@nongnu.org; Fri, 08 Sep 2017 07:31:38 -0400","from mx1.redhat.com ([209.132.183.28]:56002)\n\tby eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.71) (envelope-from ) id 1dqHVV-0004zq-O6\n\tfor qemu-devel@nongnu.org; Fri, 08 Sep 2017 07:31:33 -0400","from smtp.corp.redhat.com\n\t(int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby mx1.redhat.com (Postfix) with ESMTPS id ADB45883CE\n\tfor ; Fri, 8 Sep 2017 11:31:32 +0000 (UTC)","from [10.36.116.21] (ovpn-116-21.ams2.redhat.com [10.36.116.21])\n\tby smtp.corp.redhat.com (Postfix) with ESMTPS id 4CCB36AD06;\n\tFri, 8 Sep 2017 11:31:24 +0000 (UTC)"],"DMARC-Filter":"OpenDMARC Filter v1.3.2 mx1.redhat.com ADB45883CE","To":"Eduardo Otubo ","References":"<20170908091027.9104-1-otubo@redhat.com>\n\t<20170908091027.9104-5-otubo@redhat.com>\n\t<2ebb2804-a613-0942-ee9b-aa900093ac98@redhat.com>\n\t<20170908111546.GA13739@vader>","From":"Thomas Huth ","Message-ID":"","Date":"Fri, 8 Sep 2017 13:31:22 +0200","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\n\tThunderbird/52.3.0","MIME-Version":"1.0","In-Reply-To":"<20170908111546.GA13739@vader>","Content-Type":"text/plain; charset=utf-8","Content-Language":"en-US","Content-Transfer-Encoding":"7bit","X-Scanned-By":"MIMEDefang 2.79 on 10.5.11.15","X-Greylist":"Sender IP whitelisted, not delayed by milter-greylist-4.5.16\n\t(mx1.redhat.com [10.5.110.26]);\n\tFri, 08 Sep 2017 11:31:32 +0000 (UTC)","X-detected-operating-system":"by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]\n\t[fuzzy]","X-Received-From":"209.132.183.28","Subject":"Re: [Qemu-devel] [PATCHv5 4/5] seccomp: add spawn argument to\n\tcommand line","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.21","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","Cc":"qemu-devel@nongnu.org","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"\"Qemu-devel\"\n\t"}}]