{"id":808632,"url":"http://patchwork.ozlabs.org/api/1.0/patches/808632/?format=json","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/1.0/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20170901105818.31956-7-otubo@redhat.com>","date":"2017-09-01T10:58:18","name":"[PATCHv4,6/6] seccomp: adding documentation to new seccomp model","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"e14454cfbaf703d63e61e7003f80364e03e474d3","submitter":{"id":71779,"url":"http://patchwork.ozlabs.org/api/1.0/people/71779/?format=json","name":"Eduardo Otubo","email":"otubo@redhat.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20170901105818.31956-7-otubo@redhat.com/mbox/","series":[{"id":999,"url":"http://patchwork.ozlabs.org/api/1.0/series/999/?format=json","date":"2017-09-01T10:58:12","name":"seccomp: feature refactoring","version":1,"mbox":"http://patchwork.ozlabs.org/series/999/mbox/"}],"check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/808632/checks/","tags":{},"headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=nongnu.org\n\t(client-ip=2001:4830:134:3::11; helo=lists.gnu.org;\n\tenvelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n\treceiver=<UNKNOWN>)","ext-mx07.extmail.prod.ext.phx2.redhat.com;\n\tdmarc=none (p=none dis=none) header.from=redhat.com","ext-mx07.extmail.prod.ext.phx2.redhat.com;\n\tspf=fail smtp.mailfrom=otubo@redhat.com"],"Received":["from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xkGbQ4Wdzz9sMN\n\tfor <incoming@patchwork.ozlabs.org>;\n\tFri,  1 Sep 2017 21:04:34 +1000 (AEST)","from localhost ([::1]:35209 helo=lists.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.71) (envelope-from\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>)\n\tid 1dnjkW-0004e6-M8\n\tfor incoming@patchwork.ozlabs.org; Fri, 01 Sep 2017 07:04:32 -0400","from eggs.gnu.org ([2001:4830:134:3::10]:51335)\n\tby lists.gnu.org with esmtp (Exim 4.71)\n\t(envelope-from <otubo@redhat.com>) id 1dnjfB-0000Kk-1B\n\tfor qemu-devel@nongnu.org; Fri, 01 Sep 2017 06:59:10 -0400","from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)\n\t(envelope-from <otubo@redhat.com>) id 1dnjfA-0001Rg-5C\n\tfor qemu-devel@nongnu.org; Fri, 01 Sep 2017 06:59:01 -0400","from mx1.redhat.com ([209.132.183.28]:45910)\n\tby eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.71) (envelope-from <otubo@redhat.com>) id 1dnjf9-0001RK-V6\n\tfor qemu-devel@nongnu.org; Fri, 01 Sep 2017 06:59:00 -0400","from smtp.corp.redhat.com\n\t(int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby mx1.redhat.com (Postfix) with ESMTPS id D8B49C047B9B\n\tfor <qemu-devel@nongnu.org>; Fri,  1 Sep 2017 10:58:58 +0000 (UTC)","from vader.redhat.com (ovpn-117-156.ams2.redhat.com\n\t[10.36.117.156])\n\tby smtp.corp.redhat.com (Postfix) with ESMTP id 7002D7E5D2;\n\tFri,  1 Sep 2017 10:58:57 +0000 (UTC)"],"DMARC-Filter":"OpenDMARC Filter v1.3.2 mx1.redhat.com D8B49C047B9B","From":"Eduardo Otubo <otubo@redhat.com>","To":"qemu-devel@nongnu.org","Date":"Fri,  1 Sep 2017 12:58:18 +0200","Message-Id":"<20170901105818.31956-7-otubo@redhat.com>","In-Reply-To":"<20170901105818.31956-1-otubo@redhat.com>","References":"<20170901105818.31956-1-otubo@redhat.com>","X-Scanned-By":"MIMEDefang 2.79 on 10.5.11.12","X-Greylist":"Sender IP whitelisted, not delayed by milter-greylist-4.5.16\n\t(mx1.redhat.com [10.5.110.31]);\n\tFri, 01 Sep 2017 10:58:59 +0000 (UTC)","X-detected-operating-system":"by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]\n\t[fuzzy]","X-Received-From":"209.132.183.28","Subject":"[Qemu-devel] [PATCHv4 6/6] seccomp: adding documentation to new\n\tseccomp model","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.21","Precedence":"list","List-Id":"<qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<http://lists.nongnu.org/archive/html/qemu-devel/>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Cc":"thuth@redhat.com","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"\"Qemu-devel\"\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>"},"content":"Adding new documentation under docs/ to describe every one and each new\noption added by the refactoring patchset.\n\nSigned-off-by: Eduardo Otubo <otubo@redhat.com>\n---\n docs/seccomp.txt | 31 +++++++++++++++++++++++++++++++\n 1 file changed, 31 insertions(+)\n create mode 100644 docs/seccomp.txt","diff":"diff --git a/docs/seccomp.txt b/docs/seccomp.txt\nnew file mode 100644\nindex 0000000000..a5eca85a9b\n--- /dev/null\n+++ b/docs/seccomp.txt\n@@ -0,0 +1,31 @@\n+QEMU Seccomp system call filter\n+===============================\n+\n+Starting from QEMU version 2.11, the seccomp filter does not work as a\n+whitelist but as a blacklist instead. This method allows safer deploys since\n+only the strictly forbidden system calls will be black-listed and the\n+possibility of breaking any workload is close to zero.\n+\n+The default option (-sandbox on) has a slightly looser security though and the\n+reason is that it shouldn't break any backwards compatibility with previous\n+deploys and command lines already running. But if the intent is to have a\n+better security from this version on, one should make use of the following\n+additional options properly:\n+\n+* obsolete=allow|deny: It allows Qemu to run safely on old system that still\n+  relies on old system calls.\n+\n+* elevateprivileges=allow|deny|children: It allows or denies Qemu process\n+  to elevate its privileges by blacklisting all set*uid|gid system calls. The\n+  'children' option sets the PR_SET_NO_NEW_PRIVS to 1 which allows helpers\n+  (forks and execs) to run unprivileged.\n+\n+* spawn=allow|deny: It blacklists fork and execve system calls, avoiding QEMU to\n+  spawn new threads or processes.\n+\n+* resourcecontrol=allow|deny: It blacklists all process affinity and scheduler\n+  priority system calls to avoid that the process can increase its amount of\n+  allowed resource consumption.\n+\n+--\n+Eduardo Otubo <otubo@redhat.com>\n","prefixes":["PATCHv4","6/6"]}