On Tue, Mar 14, 2017 at 12:47:10PM +0100, Paolo Bonzini wrote: > > > On 14/03/2017 12:32, Eduardo Otubo wrote: > > This patch introduces the new argument [,elevateprivileges=deny] to the > > `-sandbox on'. It avoids Qemu process to elevate its privileges by > > blacklisting all set*uid|gid system calls > > > > Signed-off-by: Eduardo Otubo <[email protected]> > > --- > > include/sysemu/seccomp.h | 1 + > > qemu-options.hx | 8 ++++++-- > > qemu-seccomp.c | 28 ++++++++++++++++++++++++++++ > > vl.c | 11 +++++++++++ > > 4 files changed, 46 insertions(+), 2 deletions(-) > > > > diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h > > index 7a7bde246b..e6e78d85ce 100644 > > --- a/include/sysemu/seccomp.h > > +++ b/include/sysemu/seccomp.h > > @@ -16,6 +16,7 @@ > > #define QEMU_SECCOMP_H > > > > #define OBSOLETE 0x0001 > > +#define PRIVILEGED 0x0010 > > > > #include <seccomp.h> > > > > diff --git a/qemu-options.hx b/qemu-options.hx > > index 1403d0c85f..47018db5aa 100644 > > --- a/qemu-options.hx > > +++ b/qemu-options.hx > > @@ -3732,8 +3732,10 @@ Old param mode (ARM only). > > ETEXI > > > > DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ > > - "-sandbox on[,obsolete=allow] Enable seccomp mode 2 system call > > filter (default 'off').\n" \ > > - " obsolete: Allow obsolete system calls", > > + "-sandbox on[,obsolete=allow][,elevateprivileges=deny]\n" \ > > + " Enable seccomp mode 2 system call > > filter (default 'off').\n" \ > > + " obsolete: Allow obsolete system > > calls\n" \ > > + " elevateprivileges: avoids Qemu process > > to elevate its privileges by blacklisting all set*uid|gid system calls", > > Why allow these by default?
The goal is that '-sandbox on' should not break *any* QEMU feature. It needs to be a safe thing that people can unconditionally turn on without thinking about it. The QEMU bridge helper requires setuid privs, hence elevated privileges needs to be permitted by default. Similarly I could see the qemu ifup scripts, or migrate 'exec' command wanting to elevate privs via setuid binaries if QEMU was running unprivileged. Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|
