Re: [Qemu-devel] [PATCHv6 4/5] seccomp: add spawn argument to command line
On Fri, Sep 08, 2017 at 01:44:06PM +0200, Eduardo Otubo wrote: > This patch adds [,spawn=deny] argument to `-sandbox on' option. It > blacklists fork and execve system calls, avoiding Qemu to spawn new > threads or processes. > > Signed-off-by: Eduardo Otubo> --- > include/sysemu/seccomp.h | 1 + > qemu-options.hx | 9 +++-- > qemu-seccomp.c | 4 > vl.c | 16 > 4 files changed, 28 insertions(+), 2 deletions(-) Reviewed-by: Daniel P. Berrange Regards, Daniel -- |: https://berrange.com -o-https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o-https://fstop138.berrange.com :| |: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|
Re: [Qemu-devel] [PATCHv6 4/5] seccomp: add spawn argument to command line
On 08.09.2017 13:44, Eduardo Otubo wrote: > This patch adds [,spawn=deny] argument to `-sandbox on' option. It > blacklists fork and execve system calls, avoiding Qemu to spawn new > threads or processes. > > Signed-off-by: Eduardo Otubo> --- > include/sysemu/seccomp.h | 1 + > qemu-options.hx | 9 +++-- > qemu-seccomp.c | 4 > vl.c | 16 > 4 files changed, 28 insertions(+), 2 deletions(-) > > diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h > index 4a9e63c7cd..3ab5fc4f61 100644 > --- a/include/sysemu/seccomp.h > +++ b/include/sysemu/seccomp.h > @@ -18,6 +18,7 @@ > #define QEMU_SECCOMP_SET_DEFAULT (1 << 0) > #define QEMU_SECCOMP_SET_OBSOLETE(1 << 1) > #define QEMU_SECCOMP_SET_PRIVILEGED (1 << 2) > +#define QEMU_SECCOMP_SET_SPAWN (1 << 3) > > #include > > diff --git a/qemu-options.hx b/qemu-options.hx > index 5c1b163fb5..2b04b9f170 100644 > --- a/qemu-options.hx > +++ b/qemu-options.hx > @@ -4018,6 +4018,7 @@ ETEXI > > DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ > "-sandbox > on[,obsolete=allow|deny][,elevateprivileges=allow|deny|children]\n" \ > +" [,spawn=allow|deny]\n" \ > "Enable seccomp mode 2 system call filter (default > 'off').\n" \ > "use 'obsolete' to allow obsolete system calls that are > provided\n" \ > "by the kernel, but typically no longer used by > modern\n" \ > @@ -4025,10 +4026,12 @@ DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ > "use 'elevateprivileges' to allow or deny QEMU process > to elevate\n" \ > "its privileges by blacklisting all set*uid|gid > system calls.\n" \ > "The value 'children' will deny set*uid|gid system > calls for\n" \ > -"main QEMU process but will allow forks and execves > to run unprivileged\n", > +"main QEMU process but will allow forks and execves > to run unprivileged\n" \ > +"use 'spawn' to avoid QEMU to spawn new threads or > processes by\n" \ > +" blacklisting *fork and execve\n", > QEMU_ARCH_ALL) > STEXI > -@item -sandbox > @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}] > +@item -sandbox > @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}][,spawn=@var{string}] > @findex -sandbox > Enable Seccomp mode 2 system call filter. 'on' will enable syscall filtering > and 'off' will > disable it. The default is 'off'. > @@ -4037,6 +4040,8 @@ disable it. The default is 'off'. > Enable Obsolete system calls > @item elevateprivileges=@var{string} > Disable set*uid|gid system calls > +@item spawn=@var{string} > +Disable *fork and execve > @end table > ETEXI > > diff --git a/qemu-seccomp.c b/qemu-seccomp.c > index 978d66bd28..f3878a5e29 100644 > --- a/qemu-seccomp.c > +++ b/qemu-seccomp.c > @@ -78,6 +78,10 @@ static const struct QemuSeccompSyscall blacklist[] = { > { SCMP_SYS(setresgid), QEMU_SECCOMP_SET_PRIVILEGED }, > { SCMP_SYS(setfsuid), QEMU_SECCOMP_SET_PRIVILEGED }, > { SCMP_SYS(setfsgid), QEMU_SECCOMP_SET_PRIVILEGED }, > +/* spawn */ > +{ SCMP_SYS(fork), QEMU_SECCOMP_SET_SPAWN }, > +{ SCMP_SYS(vfork), QEMU_SECCOMP_SET_SPAWN }, > +{ SCMP_SYS(execve), QEMU_SECCOMP_SET_SPAWN }, > }; > > > diff --git a/vl.c b/vl.c > index ff3b5c766a..369e3411b1 100644 > --- a/vl.c > +++ b/vl.c > @@ -280,6 +280,10 @@ static QemuOptsList qemu_sandbox_opts = { > .name = "elevateprivileges", > .type = QEMU_OPT_STRING, > }, > +{ > +.name = "spawn", > +.type = QEMU_OPT_STRING, > +}, > { /* end of list */ } > }, > }; > @@ -1082,6 +1086,18 @@ static int parse_sandbox(void *opaque, QemuOpts *opts, > Error **errp) > } > } > > +value = qemu_opt_get(opts, "spawn"); > +if (value) { > +if (g_str_equal(value, "deny")) { > +seccomp_opts |= QEMU_SECCOMP_SET_SPAWN; > +} else if (g_str_equal(value, "allow")) { > +/* default value */ > +} else { > +error_report("invalid argument for spawn"); > +return -1; > +} > +} > + > if (seccomp_start(seccomp_opts) < 0) { > error_report("failed to install seccomp syscall filter " > "in the kernel"); Reviewed-by: Thomas Huth
[Qemu-devel] [PATCHv6 4/5] seccomp: add spawn argument to command line
This patch adds [,spawn=deny] argument to `-sandbox on' option. It blacklists fork and execve system calls, avoiding Qemu to spawn new threads or processes. Signed-off-by: Eduardo Otubo--- include/sysemu/seccomp.h | 1 + qemu-options.hx | 9 +++-- qemu-seccomp.c | 4 vl.c | 16 4 files changed, 28 insertions(+), 2 deletions(-) diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h index 4a9e63c7cd..3ab5fc4f61 100644 --- a/include/sysemu/seccomp.h +++ b/include/sysemu/seccomp.h @@ -18,6 +18,7 @@ #define QEMU_SECCOMP_SET_DEFAULT (1 << 0) #define QEMU_SECCOMP_SET_OBSOLETE(1 << 1) #define QEMU_SECCOMP_SET_PRIVILEGED (1 << 2) +#define QEMU_SECCOMP_SET_SPAWN (1 << 3) #include diff --git a/qemu-options.hx b/qemu-options.hx index 5c1b163fb5..2b04b9f170 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -4018,6 +4018,7 @@ ETEXI DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ "-sandbox on[,obsolete=allow|deny][,elevateprivileges=allow|deny|children]\n" \ +" [,spawn=allow|deny]\n" \ "Enable seccomp mode 2 system call filter (default 'off').\n" \ "use 'obsolete' to allow obsolete system calls that are provided\n" \ "by the kernel, but typically no longer used by modern\n" \ @@ -4025,10 +4026,12 @@ DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ "use 'elevateprivileges' to allow or deny QEMU process to elevate\n" \ "its privileges by blacklisting all set*uid|gid system calls.\n" \ "The value 'children' will deny set*uid|gid system calls for\n" \ -"main QEMU process but will allow forks and execves to run unprivileged\n", +"main QEMU process but will allow forks and execves to run unprivileged\n" \ +"use 'spawn' to avoid QEMU to spawn new threads or processes by\n" \ +" blacklisting *fork and execve\n", QEMU_ARCH_ALL) STEXI -@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}] +@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}][,spawn=@var{string}] @findex -sandbox Enable Seccomp mode 2 system call filter. 'on' will enable syscall filtering and 'off' will disable it. The default is 'off'. @@ -4037,6 +4040,8 @@ disable it. The default is 'off'. Enable Obsolete system calls @item elevateprivileges=@var{string} Disable set*uid|gid system calls +@item spawn=@var{string} +Disable *fork and execve @end table ETEXI diff --git a/qemu-seccomp.c b/qemu-seccomp.c index 978d66bd28..f3878a5e29 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -78,6 +78,10 @@ static const struct QemuSeccompSyscall blacklist[] = { { SCMP_SYS(setresgid), QEMU_SECCOMP_SET_PRIVILEGED }, { SCMP_SYS(setfsuid), QEMU_SECCOMP_SET_PRIVILEGED }, { SCMP_SYS(setfsgid), QEMU_SECCOMP_SET_PRIVILEGED }, +/* spawn */ +{ SCMP_SYS(fork), QEMU_SECCOMP_SET_SPAWN }, +{ SCMP_SYS(vfork), QEMU_SECCOMP_SET_SPAWN }, +{ SCMP_SYS(execve), QEMU_SECCOMP_SET_SPAWN }, }; diff --git a/vl.c b/vl.c index ff3b5c766a..369e3411b1 100644 --- a/vl.c +++ b/vl.c @@ -280,6 +280,10 @@ static QemuOptsList qemu_sandbox_opts = { .name = "elevateprivileges", .type = QEMU_OPT_STRING, }, +{ +.name = "spawn", +.type = QEMU_OPT_STRING, +}, { /* end of list */ } }, }; @@ -1082,6 +1086,18 @@ static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp) } } +value = qemu_opt_get(opts, "spawn"); +if (value) { +if (g_str_equal(value, "deny")) { +seccomp_opts |= QEMU_SECCOMP_SET_SPAWN; +} else if (g_str_equal(value, "allow")) { +/* default value */ +} else { +error_report("invalid argument for spawn"); +return -1; +} +} + if (seccomp_start(seccomp_opts) < 0) { error_report("failed to install seccomp syscall filter " "in the kernel"); -- 2.13.5