> I've suggested this in the past but to my knowledge no one has done any work in
> this direction, including myself. Despite the lack of progress, I still
> think this is a very worthwhile idea.
Which is exactly why I think a configuration file would be the best option
instead of --enable-syscalls=foo,bar,baz. It would allow someone to easily
customize their policy without needing to create a patch, or wait on QEMU
developers to do work on it. The configuration file could be as simple as:

    shmctl arg0 eq IPC_PRIVATE and arg2 eq IPC_CREAT|0777 or IPC_CREAT|0600
    close arg0 le 13 and arg0 ge 4
    ioctl arg1 ne EVIL_IOCTL or ANOTHER_EVIL_ONE or MORE_EVIL_IOCTLS

Or something like:

    [shmctl]
    A0 EQ "IPC_PRIVATE"
    A2 EQ "IPC_CREAT|0777", "IPC_CREAT|0600"

    [close]
    A0 LE 13
    A0 GE 4

    [ioctl]
    A1 NE "EVIL_IOCTL", "ANOTHER_EVIL_ONE", "MORE_EVIL_IOCTLS"

And that would be the equivalent of hardcoding the following in the sandbox
file:

    /* shmctl: only IPC_PRIVATE with one of two permitted flag sets. Separate
     * rules are OR'd by libseccomp, so two rules give the "0777 or 0600" choice. */
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmctl), 2,
                     SCMP_A0(SCMP_CMP_EQ, IPC_PRIVATE),
                     SCMP_A2(SCMP_CMP_EQ, IPC_CREAT|0777));
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmctl), 2,
                     SCMP_A0(SCMP_CMP_EQ, IPC_PRIVATE),
                     SCMP_A2(SCMP_CMP_EQ, IPC_CREAT|0600));
    /* close: fd in the range 4..13. Comparisons inside one rule are AND'd, and
     * the count argument must equal the number of SCMP_A* comparisons passed
     * (2 here). Check that your libseccomp accepts two comparisons on the same
     * argument in one rule before relying on this; some versions reject it
     * with -EINVAL. */
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 2,
                     SCMP_A0(SCMP_CMP_LE, 13),
                     SCMP_A0(SCMP_CMP_GE, 4));
    /* ioctl: request must be none of the three listed; three comparisons, so
     * the count is 3 (same caveat about repeated arguments as above). */
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 3,
                     SCMP_A1(SCMP_CMP_NE, EVIL_IOCTL),
                     SCMP_A1(SCMP_CMP_NE, ANOTHER_EVIL_ONE),
                     SCMP_A1(SCMP_CMP_NE, MORE_EVIL_IOCTLS));

Honestly, I think that the worry that admins will shoot themselves in the
foot is unfounded. Unless they know at least basic strace, QEMU will simply
get killed. That is of course if it is made such that it can only be used to
increase the strictness of already existing filtered syscalls, not reduce
the security by adding new syscalls to the argument-less whitelist.

I think the best part of that would be that it would be much easier for the
common VM setups to have pre-made policies, so users could include
"filesystem_access.scmp" and "remote_vnc.scmp" and "usermode_network.scmp"
inside /etc/qemu/seccomp.d for a system where they will be using QEMU with
usermode networking, remote VNC, and mounting a shared directory. That would
be significantly easier to distribute and update than it would be to create
new hardcoded code in qemu-seccomp.c.

If I find time to make a patch which would do this, would it be likely
accepted or is there a policy against such a thing?
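As an added example, not code from the message above or from QEMU, here is a small Python prototype of the second syntax proposed there: it parses the [syscall] / A<n> OP value sections, refuses a section for any syscall that is not already in the hard-coded whitelist (the "only tighten, never loosen" rule the message asks for), and expands value lists into the rule set that the seccomp_rule_add() calls would receive. BASE_WHITELIST, SYMBOLS and the ioctl numbers are constructed placeholders, not values from qemu-seccomp.c or the kernel headers. One caveat it also surfaces: the close and ioctl sections put several comparisons on the same argument inside one rule, and as far as I know libseccomp keeps one comparison slot per argument and returns -EINVAL for that, so repeated_args() flags such rules for the operator to check against their libseccomp version.

```python
import collections
import itertools
import re

# Syscalls the hard-coded whitelist already allows; a policy may only narrow
# these. Constructed for this example, not taken from qemu-seccomp.c.
BASE_WHITELIST = {"shmctl", "close", "ioctl", "read", "write"}

# Symbolic values a policy may name. Constructed placeholders (the ioctl
# numbers are made up); a real build would resolve them from kernel headers.
SYMBOLS = {"IPC_PRIVATE": 0, "IPC_CREAT": 0o1000,
           "EVIL_IOCTL": 1, "ANOTHER_EVIL_ONE": 2, "MORE_EVIL_IOCTLS": 3}

OPS = {"EQ": "SCMP_CMP_EQ", "NE": "SCMP_CMP_NE", "LT": "SCMP_CMP_LT",
       "LE": "SCMP_CMP_LE", "GT": "SCMP_CMP_GT", "GE": "SCMP_CMP_GE"}

EXAMPLE_POLICY = """
[shmctl]
A0 EQ "IPC_PRIVATE"
A2 EQ "IPC_CREAT|0777", "IPC_CREAT|0600"
[close]
A0 LE 13
A0 GE 4
[ioctl]
A1 NE "EVIL_IOCTL", "ANOTHER_EVIL_ONE", "MORE_EVIL_IOCTLS"
"""


class PolicyError(ValueError):
    """Unparsable line, or a section that would loosen the filter."""


def resolve(token):
    """Turn '"IPC_CREAT|0600"', '13' or '0x1' into an integer datum."""
    value = 0
    for part in token.strip().strip('"').split("|"):
        part = part.strip()
        if part in SYMBOLS:
            value |= SYMBOLS[part]
        elif re.fullmatch(r"0[0-7]+", part):  # C-style octal such as 0600
            value |= int(part, 8)
        elif re.fullmatch(r"0[xX][0-9a-fA-F]+|[0-9]+", part):
            value |= int(part, 0)
        else:
            raise PolicyError("unknown value %r" % part)
    return value


def parse_policy(text):
    """Return {syscall: [(argno, op, [values]), ...]} for the [name] syntax."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = re.fullmatch(r"A([0-5])\s+(EQ|NE|LT|LE|GT|GE)\s+(.+)", line)
        if m is None or current is None:
            raise PolicyError("line %d: cannot parse %r" % (lineno, raw))
        values = [resolve(v) for v in m.group(3).split(",")]
        sections[current].append((int(m.group(1)), m.group(2), values))
    return sections


def compile_rules(sections, whitelist=BASE_WHITELIST):
    """Expand sections into rules, each a list of (argno, SCMP_CMP_*, datum).
    libseccomp ORs a syscall's rules and ANDs the comparisons inside one rule,
    so a value list on EQ/LT/LE/GT/GE ("any of") becomes one rule per
    combination, while a value list on NE ("none of") goes into every rule."""
    rules = {}
    for syscall, constraints in sections.items():
        if syscall not in whitelist:  # the tighten-only rule
            raise PolicyError("%s is not whitelisted; policies only tighten" % syscall)
        if not constraints:
            raise PolicyError("[%s] has no argument constraints" % syscall)
        fixed, alternatives = [], []
        for argno, op, values in constraints:
            if op == "NE":
                fixed.extend((argno, OPS[op], v) for v in values)
            else:
                alternatives.append([(argno, OPS[op], v) for v in values])
        rules[syscall] = [fixed + list(combo)
                          for combo in itertools.product(*alternatives)]
    return rules


def repeated_args(rule):
    """Arguments compared more than once in one rule (a range on A0, say)."""
    counts = collections.Counter(argno for argno, _, _ in rule)
    return sorted(a for a, n in counts.items() if n > 1)


def render_c(syscall, rule):
    """The seccomp_rule_add() call this rule corresponds to."""
    cmps = ", ".join("SCMP_A%d(%s, %d)" % c for c in rule)
    return "seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(%s), %d, %s);" % (
        syscall, len(rule), cmps)
```

Running render_c() over compile_rules(parse_policy(EXAMPLE_POLICY)) reproduces the four hard-coded calls from the message (two for shmctl, one each for close and ioctl, with the data resolved to numbers), and a file containing a section such as [execve] is rejected outright instead of silently widening the whitelist.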