{"id":808627,"url":"http://patchwork.ozlabs.org/api/1.0/patches/808627/?format=json","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/1.0/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20170901105818.31956-4-otubo@redhat.com>","date":"2017-09-01T10:58:15","name":"[PATCHv4,3/6] seccomp: add elevateprivileges argument to command line","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"19d02e79c0e1c27ca35416232d38073787379f10","submitter":{"id":71779,"url":"http://patchwork.ozlabs.org/api/1.0/people/71779/?format=json","name":"Eduardo Otubo","email":"otubo@redhat.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20170901105818.31956-4-otubo@redhat.com/mbox/","series":[{"id":999,"url":"http://patchwork.ozlabs.org/api/1.0/series/999/?format=json","date":"2017-09-01T10:58:12","name":"seccomp: feature refactoring","version":1,"mbox":"http://patchwork.ozlabs.org/series/999/mbox/"}],"check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/808627/checks/","tags":{},"headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=nongnu.org\n\t(client-ip=2001:4830:134:3::11; helo=lists.gnu.org;\n\tenvelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n\treceiver=)","ext-mx06.extmail.prod.ext.phx2.redhat.com;\n\tdmarc=none (p=none dis=none) header.from=redhat.com","ext-mx06.extmail.prod.ext.phx2.redhat.com;\n\tspf=fail smtp.mailfrom=otubo@redhat.com"],"Received":["from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xkGTY4tbMz9s7p\n\tfor ;\n\tFri, 1 Sep 2017 20:59:29 +1000 (AEST)","from localhost ([::1]:35133 helo=lists.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.71) (envelope-from\n\t)\n\tid 1dnjfb-0000Di-NX\n\tfor incoming@patchwork.ozlabs.org; Fri, 01 Sep 2017 06:59:27 -0400","from eggs.gnu.org ([2001:4830:134:3::10]:51249)\n\tby lists.gnu.org with esmtp (Exim 4.71)\n\t(envelope-from ) id 1dnjey-000089-MJ\n\tfor qemu-devel@nongnu.org; Fri, 01 Sep 2017 06:58:53 -0400","from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)\n\t(envelope-from ) id 1dnjex-0001Gh-DL\n\tfor qemu-devel@nongnu.org; Fri, 01 Sep 2017 06:58:48 -0400","from mx1.redhat.com ([209.132.183.28]:53852)\n\tby eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.71) (envelope-from ) id 1dnjex-0001E4-4Y\n\tfor qemu-devel@nongnu.org; Fri, 01 Sep 2017 06:58:47 -0400","from smtp.corp.redhat.com\n\t(int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby mx1.redhat.com (Postfix) with ESMTPS id 29F52356F4\n\tfor ; Fri, 1 Sep 2017 10:58:46 +0000 (UTC)","from vader.redhat.com (ovpn-117-156.ams2.redhat.com\n\t[10.36.117.156])\n\tby smtp.corp.redhat.com (Postfix) with ESMTP id E00EF7E8EB;\n\tFri, 1 Sep 2017 10:58:42 +0000 (UTC)"],"DMARC-Filter":"OpenDMARC Filter v1.3.2 mx1.redhat.com 29F52356F4","From":"Eduardo Otubo ","To":"qemu-devel@nongnu.org","Date":"Fri, 1 Sep 2017 12:58:15 +0200","Message-Id":"<20170901105818.31956-4-otubo@redhat.com>","In-Reply-To":"<20170901105818.31956-1-otubo@redhat.com>","References":"<20170901105818.31956-1-otubo@redhat.com>","X-Scanned-By":"MIMEDefang 2.79 on 10.5.11.12","X-Greylist":"Sender IP whitelisted, not delayed by milter-greylist-4.5.16\n\t(mx1.redhat.com [10.5.110.30]);\n\tFri, 01 Sep 2017 10:58:46 +0000 (UTC)","X-detected-operating-system":"by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]\n\t[fuzzy]","X-Received-From":"209.132.183.28","Subject":"[Qemu-devel] [PATCHv4 3/6] seccomp: add elevateprivileges argument\n\tto command line","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.21","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","Cc":"thuth@redhat.com","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"\"Qemu-devel\"\n\t"},"content":"This patch introduces the new argument\n[,elevateprivileges=allow|deny|children] to the `-sandbox on'. It allows\nor denies Qemu process to elevate its privileges by blacklisting all\nset*uid|gid system calls. The 'children' option will let forks and\nexecves run unprivileged.\n\nSigned-off-by: Eduardo Otubo \n---\n include/sysemu/seccomp.h | 1 +\n qemu-options.hx | 12 +++++++++---\n qemu-seccomp.c | 29 ++++++++++++++++++-----------\n vl.c | 27 +++++++++++++++++++++++++++\n 4 files changed, 55 insertions(+), 14 deletions(-)","diff":"diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h\nindex 215138a372..4a9e63c7cd 100644\n--- a/include/sysemu/seccomp.h\n+++ b/include/sysemu/seccomp.h\n@@ -17,6 +17,7 @@\n \n #define QEMU_SECCOMP_SET_DEFAULT (1 << 0)\n #define QEMU_SECCOMP_SET_OBSOLETE (1 << 1)\n+#define QEMU_SECCOMP_SET_PRIVILEGED (1 << 2)\n \n #include \n \ndiff --git a/qemu-options.hx b/qemu-options.hx\nindex 72150c6b84..5c1b163fb5 100644\n--- a/qemu-options.hx\n+++ b/qemu-options.hx\n@@ -4017,20 +4017,26 @@ Old param mode (ARM only).\n ETEXI\n \n DEF(\"sandbox\", HAS_ARG, QEMU_OPTION_sandbox, \\\n- \"-sandbox on[,obsolete=allow|deny]\\n\" \\\n+ \"-sandbox on[,obsolete=allow|deny][,elevateprivileges=allow|deny|children]\\n\" \\\n \" Enable seccomp mode 2 system call filter (default 'off').\\n\" \\\n \" use 'obsolete' to allow obsolete system calls that are provided\\n\" \\\n \" by the kernel, but typically no longer used by modern\\n\" \\\n- \" C library implementations.\\n\",\n+ \" C library implementations.\\n\" \\\n+ \" use 'elevateprivileges' to allow or deny QEMU process to elevate\\n\" \\\n+ \" its privileges by blacklisting all set*uid|gid system calls.\\n\" \\\n+ \" The value 'children' will deny set*uid|gid system calls for\\n\" \\\n+ \" main QEMU process but will allow forks and execves to run unprivileged\\n\",\n QEMU_ARCH_ALL)\n STEXI\n-@item -sandbox @var{arg}[,obsolete=@var{string}]\n+@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}]\n @findex -sandbox\n Enable Seccomp mode 2 system call filter. 'on' will enable syscall filtering and 'off' will\n disable it. The default is 'off'.\n @table @option\n @item obsolete=@var{string}\n Enable Obsolete system calls\n+@item elevateprivileges=@var{string}\n+Disable set*uid|gid system calls\n @end table\n ETEXI\n \ndiff --git a/qemu-seccomp.c b/qemu-seccomp.c\nindex 3e3f15cc08..16c8c20132 100644\n--- a/qemu-seccomp.c\n+++ b/qemu-seccomp.c\n@@ -57,17 +57,16 @@ static const struct QemuSeccompSyscall blacklist[] = {\n { SCMP_SYS(ulimit), 1, QEMU_SECCOMP_SET_DEFAULT },\n { SCMP_SYS(vserver), 1, QEMU_SECCOMP_SET_DEFAULT },\n /* obsolete */\n- { SCMP_SYS(readdir), 2, QEMU_SECCOMP_SET_OBSOLETE },\n- { SCMP_SYS(_sysctl), 2, QEMU_SECCOMP_SET_OBSOLETE },\n- { SCMP_SYS(bdflush), 2, QEMU_SECCOMP_SET_OBSOLETE },\n- { SCMP_SYS(create_module), 2, QEMU_SECCOMP_SET_OBSOLETE },\n- { SCMP_SYS(get_kernel_syms), 2, QEMU_SECCOMP_SET_OBSOLETE },\n- { SCMP_SYS(query_module), 2, QEMU_SECCOMP_SET_OBSOLETE },\n- { SCMP_SYS(sgetmask), 2, QEMU_SECCOMP_SET_OBSOLETE },\n- { SCMP_SYS(ssetmask), 2, QEMU_SECCOMP_SET_OBSOLETE },\n- { SCMP_SYS(sysfs), 2, QEMU_SECCOMP_SET_OBSOLETE },\n- { SCMP_SYS(uselib), 2, QEMU_SECCOMP_SET_OBSOLETE },\n- { SCMP_SYS(ustat), 2, QEMU_SECCOMP_SET_OBSOLETE },\n+ { SCMP_SYS(setuid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n+ { SCMP_SYS(setgid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n+ { SCMP_SYS(setpgid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n+ { SCMP_SYS(setsid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n+ { SCMP_SYS(setreuid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n+ { SCMP_SYS(setregid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n+ { SCMP_SYS(setresuid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n+ { SCMP_SYS(setresgid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n+ { SCMP_SYS(setfsuid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n+ { SCMP_SYS(setfsgid), 4, QEMU_SECCOMP_SET_PRIVILEGED },\n };\n \n \n@@ -93,6 +92,14 @@ int seccomp_start(uint32_t seccomp_opts)\n }\n \n break;\n+ case QEMU_SECCOMP_SET_PRIVILEGED:\n+ if (seccomp_opts & QEMU_SECCOMP_SET_PRIVILEGED) {\n+ goto add_syscall;\n+ } else {\n+ continue;\n+ }\n+\n+ break;\n default:\n goto add_syscall;\n }\ndiff --git a/vl.c b/vl.c\nindex ca267f9918..1d44b05772 100644\n--- a/vl.c\n+++ b/vl.c\n@@ -29,6 +29,7 @@\n \n #ifdef CONFIG_SECCOMP\n #include \"sysemu/seccomp.h\"\n+#include \"sys/prctl.h\"\n #endif\n \n #if defined(CONFIG_VDE)\n@@ -275,6 +276,10 @@ static QemuOptsList qemu_sandbox_opts = {\n .name = \"obsolete\",\n .type = QEMU_OPT_STRING,\n },\n+ {\n+ .name = \"elevateprivileges\",\n+ .type = QEMU_OPT_STRING,\n+ },\n { /* end of list */ }\n },\n };\n@@ -1052,6 +1057,28 @@ static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp)\n \t }\n }\n \n+ value = qemu_opt_get(opts, \"elevateprivileges\");\n+ if (value) {\n+ if (strcmp(value, \"deny\") == 0) {\n+ seccomp_opts |= QEMU_SECCOMP_SET_PRIVILEGED;\n+ } else if (strcmp(value, \"children\") == 0) {\n+ seccomp_opts |= QEMU_SECCOMP_SET_PRIVILEGED;\n+\n+ /* calling prctl directly because we're\n+ * not sure if host has CAP_SYS_ADMIN set*/\n+ if (prctl(PR_SET_NO_NEW_PRIVS, 1)) {\n+ error_report(\"failed to set no_new_privs \"\n+ \"aborting\");\n+ return -1;\n+ }\n+ } else if (strcmp(value, \"allow\") == 0) {\n+ /* default value */\n+ } else {\n+ error_report(\"invalid argument for elevateprivileges\");\n+ return -1;\n+ }\n+ }\n+\n if (seccomp_start(seccomp_opts) < 0) {\n error_report(\"failed to install seccomp syscall filter \"\n \"in the kernel\");\n","prefixes":["PATCHv4","3/6"]}