Hi On Wed, Aug 22, 2018 at 6:07 PM, Eric Blake <ebl...@redhat.com> wrote: > On 08/22/2018 10:58 AM, Marc-André Lureau wrote: > >>> At this point you might as well not bother using seccomp at all. The >>> thread that is confined merely needs to scribble something into the >>> stack of the unconfined thread and now it can do whatever it wants. >> >> >> Actually, that message is incorrect, it should rather be "not all >> threads will be filtered" (as described in commit message). >> >>> IMHO we need to find a way to get the policy to apply to those other >>> threads. >> >> >> That's what the patch is about ;) > > > In other words, this patch is patching the gaping security hole that already > exists, but... > >>>> +++ b/qemu-options.hx >>>> @@ -3864,6 +3864,8 @@ Disable set*uid|gid system calls >>>> Disable *fork and execve >>>> @item resourcecontrol=@var{string} >>>> Disable process affinity and schedular priority >>>> +@item tsync=@var{bool} >>>> +Apply seccomp filter to all threads (default is auto, and will warn if >>>> fail) >>> >>> >>> IMHO this should never exist, as setting "tsync" to anything other >>> than "yes", is akin to just running without any sandbox. >> >> >> Then we should just fail -sandbox on those systems. > > > ...leaving the backdoor open. Yes, we should instead fix things to hard > fail when -sandbox cannot fully protect the process, rather than adding a > tsync=off backdoor to permit execution in spite of the insecurity.
Ok, -sandbox will now require libseccomp 2.2.0 (not available in Debian oldstable - so it will fail at configure time) and kernel >= 3.17 (error during start). If that sounds ok, I'll update the series.