subject:"\[libvirt\] \[PATCHv2 4\/4\] qemu\: deny privilege elevation and spawn in seccomp"

Re: [libvirt] [PATCHv2 4/4] qemu: deny privilege elevation and spawn in seccomp

2018-04-16 Thread Daniel P . Berrangé

On Tue, Apr 10, 2018 at 04:49:42PM +0200, Ján Tomko wrote: > If QEMU uses a seccomp blacklist (since 2.11), -sandbox on > no longer tries to whitelist all the calls, but uses sets > of blacklists: > default (always blacklisted with -sandbox on) > obsolete (defaults to deny) > elevateprivileges

Re: [libvirt] [PATCHv2 4/4] qemu: deny privilege elevation and spawn in seccomp

2018-04-15 Thread Daniel P . Berrangé

On Fri, Apr 13, 2018 at 10:08:34AM -0400, John Ferlan wrote: > > > On 04/10/2018 10:49 AM, Ján Tomko wrote: > > If QEMU uses a seccomp blacklist (since 2.11), -sandbox on > > no longer tries to whitelist all the calls, but uses sets > > of blacklists: > > default (always blacklisted with

Re: [libvirt] [PATCHv2 4/4] qemu: deny privilege elevation and spawn in seccomp

2018-04-13 Thread John Ferlan

On 04/10/2018 10:49 AM, Ján Tomko wrote: > If QEMU uses a seccomp blacklist (since 2.11), -sandbox on > no longer tries to whitelist all the calls, but uses sets > of blacklists: > default (always blacklisted with -sandbox on) > obsolete (defaults to deny) > elevateprivileges (setuid & co,

[libvirt] [PATCHv2 4/4] qemu: deny privilege elevation and spawn in seccomp

2018-04-10 Thread Ján Tomko

If QEMU uses a seccomp blacklist (since 2.11), -sandbox on no longer tries to whitelist all the calls, but uses sets of blacklists: default (always blacklisted with -sandbox on) obsolete (defaults to deny) elevateprivileges (setuid & co, default: allow) spawn (fork & execve, default: allow)