On Monday, June 18, 2012 02:55:35 PM Daniel P. Berrange wrote: > On Mon, Jun 18, 2012 at 09:52:44AM -0400, Paul Moore wrote: > > On Monday, June 18, 2012 09:31:03 AM Daniel P. Berrange wrote: > > > On Fri, Jun 15, 2012 at 05:02:19PM -0400, Paul Moore wrote: > > > > On Friday, June 15, 2012 07:06:10 PM Blue Swirl wrote: > > > > > I think allowing execve() would render seccomp pretty much useless. > > > > > > > > Not necessarily. > > > > > > > > I'll agree that it does seem a bit odd to allow execve(), but there is > > > > still value in enabling seccomp to disable potentially > > > > buggy/exploitable > > > > syscalls. Let's not forget that we have over 300 syscalls on x86_64, > > > > not > > > > including the 32 bit versions, and even if we add all of the new > > > > syscalls > > > > suggested in this thread we are still talking about a small subset of > > > > syscalls. As far as security goes, the old adage of "less is more" > > > > applies. > > > > > > I can sort of see this argument, but *only* if the QEMU process is being > > > run under a dedicated, fully unprivileged (from a DAC pov) user, > > > completely > > > separate from anything else on the system. > > > > > > Or, of course, for a QEMU already confined by SELinux. > > > > Agreed ... and considering at least one major distribution takes this > > approach it seems like reasonable functionality to me. Confining QEMU, > > either through DAC and/or MAC, when faced with potentially malicious > > guests is just good sense. > > Good, I'm not missing anything then. I'd suggest that future iterations > of these patches explicitly mention the deployment scenarios in which > this technology is able to offer increases security, and also describe > the scenarios where it will not improve things.
Sounds like a reasonable request to me. -- paul moore security and virtualization @ redhat
