[v3,1/6] seccomp: changing from whitelist to blacklist
diff mbox

Message ID 20170728121040.631-2-otubo@redhat.com
State New
Headers show

Commit Message

Eduardo Otubo July 28, 2017, 12:10 p.m. UTC
This patch changes the default behavior of the seccomp filter from
whitelist to blacklist. By default now all system calls are allowed and
a small black list of definitely forbidden ones was created.

Signed-off-by: Eduardo Otubo <otubo@redhat.com>
---
 qemu-seccomp.c | 256 +++++++--------------------------------------------------
 vl.c           |   5 +-
 2 files changed, 32 insertions(+), 229 deletions(-)

Comments

Daniel P. Berrangé Aug. 2, 2017, 12:25 p.m. UTC | #1
On Fri, Jul 28, 2017 at 02:10:35PM +0200, Eduardo Otubo wrote:
> This patch changes the default behavior of the seccomp filter from
> whitelist to blacklist. By default now all system calls are allowed and
> a small black list of definitely forbidden ones was created.
> 
> Signed-off-by: Eduardo Otubo <otubo@redhat.com>
> ---
>  qemu-seccomp.c | 256 +++++++--------------------------------------------------
>  vl.c           |   5 +-
>  2 files changed, 32 insertions(+), 229 deletions(-)
> 
> diff --git a/qemu-seccomp.c b/qemu-seccomp.c
> index df75d9c471..f8877b07b5 100644
> --- a/qemu-seccomp.c
> +++ b/qemu-seccomp.c
> @@ -31,229 +31,29 @@ struct QemuSeccompSyscall {
>      uint8_t priority;
>  };
>  
> -static const struct QemuSeccompSyscall seccomp_whitelist[] = {
> -    { SCMP_SYS(timer_settime), 255 },
> -    { SCMP_SYS(timer_gettime), 254 },
> -    { SCMP_SYS(futex), 253 },
> -    { SCMP_SYS(select), 252 },
> -    { SCMP_SYS(recvfrom), 251 },
> -    { SCMP_SYS(sendto), 250 },
> -    { SCMP_SYS(socketcall), 250 },
> -    { SCMP_SYS(read), 249 },
> -    { SCMP_SYS(io_submit), 249 },
> -    { SCMP_SYS(brk), 248 },
> -    { SCMP_SYS(clone), 247 },
> -    { SCMP_SYS(mmap), 247 },
> -    { SCMP_SYS(mprotect), 246 },
> -    { SCMP_SYS(execve), 245 },
> -    { SCMP_SYS(open), 245 },
> -    { SCMP_SYS(ioctl), 245 },
> -    { SCMP_SYS(socket), 245 },
> -    { SCMP_SYS(setsockopt), 245 },
> -    { SCMP_SYS(recvmsg), 245 },
> -    { SCMP_SYS(sendmsg), 245 },
> -    { SCMP_SYS(accept), 245 },
> -    { SCMP_SYS(connect), 245 },
> -    { SCMP_SYS(socketpair), 245 },
> -    { SCMP_SYS(bind), 245 },
> -    { SCMP_SYS(listen), 245 },
> -    { SCMP_SYS(semget), 245 },
> -    { SCMP_SYS(ipc), 245 },
> -    { SCMP_SYS(gettimeofday), 245 },
> -    { SCMP_SYS(readlink), 245 },
> -    { SCMP_SYS(access), 245 },
> -    { SCMP_SYS(prctl), 245 },
> -    { SCMP_SYS(signalfd), 245 },
> -    { SCMP_SYS(getrlimit), 245 },
> -    { SCMP_SYS(getrusage), 245 },
> -    { SCMP_SYS(set_tid_address), 245 },
> -    { SCMP_SYS(statfs), 245 },
> -    { SCMP_SYS(unlink), 245 },
> -    { SCMP_SYS(wait4), 245 },
> -    { SCMP_SYS(fcntl64), 245 },
> -    { SCMP_SYS(fstat64), 245 },
> -    { SCMP_SYS(stat64), 245 },
> -    { SCMP_SYS(getgid32), 245 },
> -    { SCMP_SYS(getegid32), 245 },
> -    { SCMP_SYS(getuid32), 245 },
> -    { SCMP_SYS(geteuid32), 245 },
> -    { SCMP_SYS(sigreturn), 245 },
> -    { SCMP_SYS(_newselect), 245 },
> -    { SCMP_SYS(_llseek), 245 },
> -    { SCMP_SYS(mmap2), 245 },
> -    { SCMP_SYS(sigprocmask), 245 },
> -    { SCMP_SYS(sched_getparam), 245 },
> -    { SCMP_SYS(sched_getscheduler), 245 },
> -    { SCMP_SYS(fstat), 245 },
> -    { SCMP_SYS(clock_getres), 245 },
> -    { SCMP_SYS(sched_get_priority_min), 245 },
> -    { SCMP_SYS(sched_get_priority_max), 245 },
> -    { SCMP_SYS(stat), 245 },
> -    { SCMP_SYS(uname), 245 },
> -    { SCMP_SYS(eventfd2), 245 },
> -    { SCMP_SYS(io_getevents), 245 },
> -    { SCMP_SYS(dup), 245 },
> -    { SCMP_SYS(dup2), 245 },
> -    { SCMP_SYS(dup3), 245 },
> -    { SCMP_SYS(gettid), 245 },
> -    { SCMP_SYS(getgid), 245 },
> -    { SCMP_SYS(getegid), 245 },
> -    { SCMP_SYS(getuid), 245 },
> -    { SCMP_SYS(geteuid), 245 },
> -    { SCMP_SYS(timer_create), 245 },
> -    { SCMP_SYS(times), 245 },
> -    { SCMP_SYS(exit), 245 },
> -    { SCMP_SYS(clock_gettime), 245 },
> -    { SCMP_SYS(time), 245 },
> -    { SCMP_SYS(restart_syscall), 245 },
> -    { SCMP_SYS(pwrite64), 245 },
> -    { SCMP_SYS(nanosleep), 245 },
> -    { SCMP_SYS(chown), 245 },
> -    { SCMP_SYS(openat), 245 },
> -    { SCMP_SYS(getdents), 245 },
> -    { SCMP_SYS(timer_delete), 245 },
> -    { SCMP_SYS(exit_group), 245 },
> -    { SCMP_SYS(rt_sigreturn), 245 },
> -    { SCMP_SYS(sync), 245 },
> -    { SCMP_SYS(pread64), 245 },
> -    { SCMP_SYS(madvise), 245 },
> -    { SCMP_SYS(set_robust_list), 245 },
> -    { SCMP_SYS(lseek), 245 },
> -    { SCMP_SYS(pselect6), 245 },
> -    { SCMP_SYS(fork), 245 },
> -    { SCMP_SYS(rt_sigprocmask), 245 },
> -    { SCMP_SYS(write), 244 },
> -    { SCMP_SYS(fcntl), 243 },
> -    { SCMP_SYS(tgkill), 242 },
> -    { SCMP_SYS(kill), 242 },
> -    { SCMP_SYS(rt_sigaction), 242 },
> -    { SCMP_SYS(pipe2), 242 },
> -    { SCMP_SYS(munmap), 242 },
> -    { SCMP_SYS(mremap), 242 },
> -    { SCMP_SYS(fdatasync), 242 },
> -    { SCMP_SYS(close), 242 },
> -    { SCMP_SYS(rt_sigpending), 242 },
> -    { SCMP_SYS(rt_sigtimedwait), 242 },
> -    { SCMP_SYS(readv), 242 },
> -    { SCMP_SYS(writev), 242 },
> -    { SCMP_SYS(preadv), 242 },
> -    { SCMP_SYS(pwritev), 242 },
> -    { SCMP_SYS(setrlimit), 242 },
> -    { SCMP_SYS(ftruncate), 242 },
> -    { SCMP_SYS(lstat), 242 },
> -    { SCMP_SYS(pipe), 242 },
> -    { SCMP_SYS(umask), 242 },
> -    { SCMP_SYS(chdir), 242 },
> -    { SCMP_SYS(setitimer), 242 },
> -    { SCMP_SYS(setsid), 242 },
> -    { SCMP_SYS(poll), 242 },
> -    { SCMP_SYS(epoll_create), 242 },
> -    { SCMP_SYS(epoll_ctl), 242 },
> -    { SCMP_SYS(epoll_wait), 242 },
> -    { SCMP_SYS(waitpid), 242 },
> -    { SCMP_SYS(getsockname), 242 },
> -    { SCMP_SYS(getpeername), 242 },
> -    { SCMP_SYS(accept4), 242 },
> -    { SCMP_SYS(timerfd_settime), 242 },
> -    { SCMP_SYS(newfstatat), 241 },
> -    { SCMP_SYS(shutdown), 241 },
> -    { SCMP_SYS(getsockopt), 241 },
> -    { SCMP_SYS(semop), 241 },
> -    { SCMP_SYS(semtimedop), 241 },
> -    { SCMP_SYS(epoll_ctl_old), 241 },
> -    { SCMP_SYS(epoll_wait_old), 241 },
> -    { SCMP_SYS(epoll_pwait), 241 },
> -    { SCMP_SYS(epoll_create1), 241 },
> -    { SCMP_SYS(ppoll), 241 },
> -    { SCMP_SYS(creat), 241 },
> -    { SCMP_SYS(link), 241 },
> -    { SCMP_SYS(getpid), 241 },
> -    { SCMP_SYS(getppid), 241 },
> -    { SCMP_SYS(getpgrp), 241 },
> -    { SCMP_SYS(getpgid), 241 },
> -    { SCMP_SYS(getsid), 241 },
> -    { SCMP_SYS(getdents64), 241 },
> -    { SCMP_SYS(getresuid), 241 },
> -    { SCMP_SYS(getresgid), 241 },
> -    { SCMP_SYS(getgroups), 241 },
> -    { SCMP_SYS(getresuid32), 241 },
> -    { SCMP_SYS(getresgid32), 241 },
> -    { SCMP_SYS(getgroups32), 241 },
> -    { SCMP_SYS(signal), 241 },
> -    { SCMP_SYS(sigaction), 241 },
> -    { SCMP_SYS(sigsuspend), 241 },
> -    { SCMP_SYS(sigpending), 241 },
> -    { SCMP_SYS(truncate64), 241 },
> -    { SCMP_SYS(ftruncate64), 241 },
> -    { SCMP_SYS(fchown32), 241 },
> -    { SCMP_SYS(chown32), 241 },
> -    { SCMP_SYS(lchown32), 241 },
> -    { SCMP_SYS(statfs64), 241 },
> -    { SCMP_SYS(fstatfs64), 241 },
> -    { SCMP_SYS(fstatat64), 241 },
> -    { SCMP_SYS(lstat64), 241 },
> -    { SCMP_SYS(sendfile64), 241 },
> -    { SCMP_SYS(ugetrlimit), 241 },
> -    { SCMP_SYS(alarm), 241 },
> -    { SCMP_SYS(rt_sigsuspend), 241 },
> -    { SCMP_SYS(rt_sigqueueinfo), 241 },
> -    { SCMP_SYS(rt_tgsigqueueinfo), 241 },
> -    { SCMP_SYS(sigaltstack), 241 },
> -    { SCMP_SYS(signalfd4), 241 },
> -    { SCMP_SYS(truncate), 241 },
> -    { SCMP_SYS(fchown), 241 },
> -    { SCMP_SYS(lchown), 241 },
> -    { SCMP_SYS(fchownat), 241 },
> -    { SCMP_SYS(fstatfs), 241 },
> -    { SCMP_SYS(getitimer), 241 },
> -    { SCMP_SYS(syncfs), 241 },
> -    { SCMP_SYS(fsync), 241 },
> -    { SCMP_SYS(fchdir), 241 },
> -    { SCMP_SYS(msync), 241 },
> -    { SCMP_SYS(sched_setparam), 241 },
> -    { SCMP_SYS(sched_setscheduler), 241 },
> -    { SCMP_SYS(sched_yield), 241 },
> -    { SCMP_SYS(sched_rr_get_interval), 241 },
> -    { SCMP_SYS(sched_setaffinity), 241 },
> -    { SCMP_SYS(sched_getaffinity), 241 },
> -    { SCMP_SYS(readahead), 241 },
> -    { SCMP_SYS(timer_getoverrun), 241 },
> -    { SCMP_SYS(unlinkat), 241 },
> -    { SCMP_SYS(readlinkat), 241 },
> -    { SCMP_SYS(faccessat), 241 },
> -    { SCMP_SYS(get_robust_list), 241 },
> -    { SCMP_SYS(splice), 241 },
> -    { SCMP_SYS(vmsplice), 241 },
> -    { SCMP_SYS(getcpu), 241 },
> -    { SCMP_SYS(sendmmsg), 241 },
> -    { SCMP_SYS(recvmmsg), 241 },
> -    { SCMP_SYS(prlimit64), 241 },
> -    { SCMP_SYS(waitid), 241 },
> -    { SCMP_SYS(io_cancel), 241 },
> -    { SCMP_SYS(io_setup), 241 },
> -    { SCMP_SYS(io_destroy), 241 },
> -    { SCMP_SYS(arch_prctl), 240 },
> -    { SCMP_SYS(mkdir), 240 },
> -    { SCMP_SYS(fchmod), 240 },
> -    { SCMP_SYS(shmget), 240 },
> -    { SCMP_SYS(shmat), 240 },
> -    { SCMP_SYS(shmdt), 240 },
> -    { SCMP_SYS(timerfd_create), 240 },
> -    { SCMP_SYS(shmctl), 240 },
> -    { SCMP_SYS(mlockall), 240 },
> -    { SCMP_SYS(mlock), 240 },
> -    { SCMP_SYS(munlock), 240 },
> -    { SCMP_SYS(semctl), 240 },
> -    { SCMP_SYS(fallocate), 240 },
> -    { SCMP_SYS(fadvise64), 240 },
> -    { SCMP_SYS(inotify_init1), 240 },
> -    { SCMP_SYS(inotify_add_watch), 240 },
> -    { SCMP_SYS(mbind), 240 },
> -    { SCMP_SYS(memfd_create), 240 },
> -#ifdef HAVE_CACHEFLUSH
> -    { SCMP_SYS(cacheflush), 240 },
> -#endif
> -    { SCMP_SYS(sysinfo), 240 },
> +static const struct QemuSeccompSyscall blacklist[] = {
> +    { SCMP_SYS(reboot), 255 },
> +    { SCMP_SYS(swapon), 255 },
> +    { SCMP_SYS(swapoff), 255 },
> +    { SCMP_SYS(syslog), 255 },
> +    { SCMP_SYS(mount), 255 },
> +    { SCMP_SYS(umount), 255 },
> +    { SCMP_SYS(kexec_load), 255 },
> +    { SCMP_SYS(afs_syscall), 255 },
> +    { SCMP_SYS(break), 255 },
> +    { SCMP_SYS(ftime), 255 },
> +    { SCMP_SYS(getpmsg), 255 },
> +    { SCMP_SYS(gtty), 255 },
> +    { SCMP_SYS(lock), 255 },
> +    { SCMP_SYS(mpx), 255 },
> +    { SCMP_SYS(prof), 255 },
> +    { SCMP_SYS(profil), 255 },
> +    { SCMP_SYS(putpmsg), 255 },
> +    { SCMP_SYS(security), 255 },
> +    { SCMP_SYS(stty), 255 },
> +    { SCMP_SYS(tuxcall), 255 },
> +    { SCMP_SYS(ulimit), 255 },
> +    { SCMP_SYS(vserver), 255 },
>  };
>  
>  int seccomp_start(void)
> @@ -262,19 +62,19 @@ int seccomp_start(void)
>      unsigned int i = 0;
>      scmp_filter_ctx ctx;
>  
> -    ctx = seccomp_init(SCMP_ACT_KILL);
> +    ctx = seccomp_init(SCMP_ACT_ALLOW);
>      if (ctx == NULL) {
>          rc = -1;
>          goto seccomp_return;
>      }
>  
> -    for (i = 0; i < ARRAY_SIZE(seccomp_whitelist); i++) {
> -        rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_whitelist[i].num, 0);
> +    for (i = 0; i < ARRAY_SIZE(blacklist); i++) {
> +        rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, blacklist[i].num, 0);
>          if (rc < 0) {
>              goto seccomp_return;
>          }
> -        rc = seccomp_syscall_priority(ctx, seccomp_whitelist[i].num,
> -                                      seccomp_whitelist[i].priority);
> +        rc = seccomp_syscall_priority(ctx, blacklist[i].num,
> +                                      blacklist[i].priority);
>          if (rc < 0) {
>              goto seccomp_return;
>          }
> diff --git a/vl.c b/vl.c
> index fb6b2efafa..15b98800e9 100644
> --- a/vl.c
> +++ b/vl.c
> @@ -1030,13 +1030,16 @@ static int bt_parse(const char *opt)
>  
>  static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp)
>  {
> -    /* FIXME: change this to true for 1.3 */
>      if (qemu_opt_get_bool(opts, "enable", false)) {
>  #ifdef CONFIG_SECCOMP
>          if (seccomp_start() < 0) {
>              error_report("failed to install seccomp syscall filter "
>                           "in the kernel");
>              return -1;
> +        } else {
> +            error_report("warning: -sandbox on has been converted to blacklist "
> +                         "approach. Refer to the manual for new sandbox "
> +                         "options in order to increase security.");

This is just noise that will pollute everyone's logs. This kind of thing can
just be put in the QEMU release notes.

If you remove this, then 

Reviewed-by: Daniel P. Berrange <berrange@redhat.com>


Regards,
Daniel
Thomas Huth Aug. 3, 2017, 4:54 p.m. UTC | #2
On 28.07.2017 14:10, Eduardo Otubo wrote:
> This patch changes the default behavior of the seccomp filter from
> whitelist to blacklist. By default now all system calls are allowed and
> a small black list of definitely forbidden ones was created.
> 
> Signed-off-by: Eduardo Otubo <otubo@redhat.com>
> ---
>  qemu-seccomp.c | 256 +++++++--------------------------------------------------
>  vl.c           |   5 +-
>  2 files changed, 32 insertions(+), 229 deletions(-)
> 
> diff --git a/qemu-seccomp.c b/qemu-seccomp.c
> index df75d9c471..f8877b07b5 100644
> --- a/qemu-seccomp.c
> +++ b/qemu-seccomp.c
> @@ -31,229 +31,29 @@ struct QemuSeccompSyscall {
>      uint8_t priority;
>  };
[...]
> +static const struct QemuSeccompSyscall blacklist[] = {
> +    { SCMP_SYS(reboot), 255 },
> +    { SCMP_SYS(swapon), 255 },
> +    { SCMP_SYS(swapoff), 255 },
> +    { SCMP_SYS(syslog), 255 },
> +    { SCMP_SYS(mount), 255 },
> +    { SCMP_SYS(umount), 255 },
> +    { SCMP_SYS(kexec_load), 255 },
> +    { SCMP_SYS(afs_syscall), 255 },
> +    { SCMP_SYS(break), 255 },
> +    { SCMP_SYS(ftime), 255 },
> +    { SCMP_SYS(getpmsg), 255 },
> +    { SCMP_SYS(gtty), 255 },
> +    { SCMP_SYS(lock), 255 },
> +    { SCMP_SYS(mpx), 255 },
> +    { SCMP_SYS(prof), 255 },
> +    { SCMP_SYS(profil), 255 },
> +    { SCMP_SYS(putpmsg), 255 },
> +    { SCMP_SYS(security), 255 },
> +    { SCMP_SYS(stty), 255 },
> +    { SCMP_SYS(tuxcall), 255 },
> +    { SCMP_SYS(ulimit), 255 },
> +    { SCMP_SYS(vserver), 255 },
>  };

Does it makes sense to still keep the priority field? Everything is now
marked with the value 255 and I currently fail to see the point of
priorities when using blacklisting ... so maybe just get rid of it?

 Thomas
Eduardo Otubo Aug. 11, 2017, 9:51 a.m. UTC | #3
On Thu, Aug 03, 2017 at 06:54:15PM +0200, Thomas Huth wrote:
> On 28.07.2017 14:10, Eduardo Otubo wrote:
> > This patch changes the default behavior of the seccomp filter from
> > whitelist to blacklist. By default now all system calls are allowed and
> > a small black list of definitely forbidden ones was created.
> > 
> > Signed-off-by: Eduardo Otubo <otubo@redhat.com>
> > ---
> >  qemu-seccomp.c | 256 +++++++--------------------------------------------------
> >  vl.c           |   5 +-
> >  2 files changed, 32 insertions(+), 229 deletions(-)
> > 
> > diff --git a/qemu-seccomp.c b/qemu-seccomp.c
> > index df75d9c471..f8877b07b5 100644
> > --- a/qemu-seccomp.c
> > +++ b/qemu-seccomp.c
> > @@ -31,229 +31,29 @@ struct QemuSeccompSyscall {
> >      uint8_t priority;
> >  };
> [...]
> > +static const struct QemuSeccompSyscall blacklist[] = {
> > +    { SCMP_SYS(reboot), 255 },
> > +    { SCMP_SYS(swapon), 255 },
> > +    { SCMP_SYS(swapoff), 255 },
> > +    { SCMP_SYS(syslog), 255 },
> > +    { SCMP_SYS(mount), 255 },
> > +    { SCMP_SYS(umount), 255 },
> > +    { SCMP_SYS(kexec_load), 255 },
> > +    { SCMP_SYS(afs_syscall), 255 },
> > +    { SCMP_SYS(break), 255 },
> > +    { SCMP_SYS(ftime), 255 },
> > +    { SCMP_SYS(getpmsg), 255 },
> > +    { SCMP_SYS(gtty), 255 },
> > +    { SCMP_SYS(lock), 255 },
> > +    { SCMP_SYS(mpx), 255 },
> > +    { SCMP_SYS(prof), 255 },
> > +    { SCMP_SYS(profil), 255 },
> > +    { SCMP_SYS(putpmsg), 255 },
> > +    { SCMP_SYS(security), 255 },
> > +    { SCMP_SYS(stty), 255 },
> > +    { SCMP_SYS(tuxcall), 255 },
> > +    { SCMP_SYS(ulimit), 255 },
> > +    { SCMP_SYS(vserver), 255 },
> >  };
> 
> Does it makes sense to still keep the priority field? Everything is now
> marked with the value 255 and I currently fail to see the point of
> priorities when using blacklisting ... so maybe just get rid of it?

I think that's a fair point here. Don't see much of a point on such a
small number of syscalls. I just need to double check the libseccomp
docs if I can build the list without any priority information, but I'm
pretty sure I've seen this before.
Daniel P. Berrangé Aug. 11, 2017, 10:10 a.m. UTC | #4
On Fri, Aug 11, 2017 at 11:51:12AM +0200, Eduardo Otubo wrote:
> On Thu, Aug 03, 2017 at 06:54:15PM +0200, Thomas Huth wrote:
> > On 28.07.2017 14:10, Eduardo Otubo wrote:
> > > This patch changes the default behavior of the seccomp filter from
> > > whitelist to blacklist. By default now all system calls are allowed and
> > > a small black list of definitely forbidden ones was created.
> > > 
> > > Signed-off-by: Eduardo Otubo <otubo@redhat.com>
> > > ---
> > >  qemu-seccomp.c | 256 +++++++--------------------------------------------------
> > >  vl.c           |   5 +-
> > >  2 files changed, 32 insertions(+), 229 deletions(-)
> > > 
> > > diff --git a/qemu-seccomp.c b/qemu-seccomp.c
> > > index df75d9c471..f8877b07b5 100644
> > > --- a/qemu-seccomp.c
> > > +++ b/qemu-seccomp.c
> > > @@ -31,229 +31,29 @@ struct QemuSeccompSyscall {
> > >      uint8_t priority;
> > >  };
> > [...]
> > > +static const struct QemuSeccompSyscall blacklist[] = {
> > > +    { SCMP_SYS(reboot), 255 },
> > > +    { SCMP_SYS(swapon), 255 },
> > > +    { SCMP_SYS(swapoff), 255 },
> > > +    { SCMP_SYS(syslog), 255 },
> > > +    { SCMP_SYS(mount), 255 },
> > > +    { SCMP_SYS(umount), 255 },
> > > +    { SCMP_SYS(kexec_load), 255 },
> > > +    { SCMP_SYS(afs_syscall), 255 },
> > > +    { SCMP_SYS(break), 255 },
> > > +    { SCMP_SYS(ftime), 255 },
> > > +    { SCMP_SYS(getpmsg), 255 },
> > > +    { SCMP_SYS(gtty), 255 },
> > > +    { SCMP_SYS(lock), 255 },
> > > +    { SCMP_SYS(mpx), 255 },
> > > +    { SCMP_SYS(prof), 255 },
> > > +    { SCMP_SYS(profil), 255 },
> > > +    { SCMP_SYS(putpmsg), 255 },
> > > +    { SCMP_SYS(security), 255 },
> > > +    { SCMP_SYS(stty), 255 },
> > > +    { SCMP_SYS(tuxcall), 255 },
> > > +    { SCMP_SYS(ulimit), 255 },
> > > +    { SCMP_SYS(vserver), 255 },
> > >  };
> > 
> > Does it makes sense to still keep the priority field? Everything is now
> > marked with the value 255 and I currently fail to see the point of
> > priorities when using blacklisting ... so maybe just get rid of it?
> 
> I think that's a fair point here. Don't see much of a point on such a
> small number of syscalls. I just need to double check the libseccomp
> docs if I can build the list without any priority information, but I'm
> pretty sure I've seen this before.

Just always pass 255 to libseccomp apis directly. Its merely redundant
to store the value 255 in this QEMU  specific struct.

Regards,
Daniel

Patch
diff mbox

diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index df75d9c471..f8877b07b5 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -31,229 +31,29 @@  struct QemuSeccompSyscall {
     uint8_t priority;
 };
 
-static const struct QemuSeccompSyscall seccomp_whitelist[] = {
-    { SCMP_SYS(timer_settime), 255 },
-    { SCMP_SYS(timer_gettime), 254 },
-    { SCMP_SYS(futex), 253 },
-    { SCMP_SYS(select), 252 },
-    { SCMP_SYS(recvfrom), 251 },
-    { SCMP_SYS(sendto), 250 },
-    { SCMP_SYS(socketcall), 250 },
-    { SCMP_SYS(read), 249 },
-    { SCMP_SYS(io_submit), 249 },
-    { SCMP_SYS(brk), 248 },
-    { SCMP_SYS(clone), 247 },
-    { SCMP_SYS(mmap), 247 },
-    { SCMP_SYS(mprotect), 246 },
-    { SCMP_SYS(execve), 245 },
-    { SCMP_SYS(open), 245 },
-    { SCMP_SYS(ioctl), 245 },
-    { SCMP_SYS(socket), 245 },
-    { SCMP_SYS(setsockopt), 245 },
-    { SCMP_SYS(recvmsg), 245 },
-    { SCMP_SYS(sendmsg), 245 },
-    { SCMP_SYS(accept), 245 },
-    { SCMP_SYS(connect), 245 },
-    { SCMP_SYS(socketpair), 245 },
-    { SCMP_SYS(bind), 245 },
-    { SCMP_SYS(listen), 245 },
-    { SCMP_SYS(semget), 245 },
-    { SCMP_SYS(ipc), 245 },
-    { SCMP_SYS(gettimeofday), 245 },
-    { SCMP_SYS(readlink), 245 },
-    { SCMP_SYS(access), 245 },
-    { SCMP_SYS(prctl), 245 },
-    { SCMP_SYS(signalfd), 245 },
-    { SCMP_SYS(getrlimit), 245 },
-    { SCMP_SYS(getrusage), 245 },
-    { SCMP_SYS(set_tid_address), 245 },
-    { SCMP_SYS(statfs), 245 },
-    { SCMP_SYS(unlink), 245 },
-    { SCMP_SYS(wait4), 245 },
-    { SCMP_SYS(fcntl64), 245 },
-    { SCMP_SYS(fstat64), 245 },
-    { SCMP_SYS(stat64), 245 },
-    { SCMP_SYS(getgid32), 245 },
-    { SCMP_SYS(getegid32), 245 },
-    { SCMP_SYS(getuid32), 245 },
-    { SCMP_SYS(geteuid32), 245 },
-    { SCMP_SYS(sigreturn), 245 },
-    { SCMP_SYS(_newselect), 245 },
-    { SCMP_SYS(_llseek), 245 },
-    { SCMP_SYS(mmap2), 245 },
-    { SCMP_SYS(sigprocmask), 245 },
-    { SCMP_SYS(sched_getparam), 245 },
-    { SCMP_SYS(sched_getscheduler), 245 },
-    { SCMP_SYS(fstat), 245 },
-    { SCMP_SYS(clock_getres), 245 },
-    { SCMP_SYS(sched_get_priority_min), 245 },
-    { SCMP_SYS(sched_get_priority_max), 245 },
-    { SCMP_SYS(stat), 245 },
-    { SCMP_SYS(uname), 245 },
-    { SCMP_SYS(eventfd2), 245 },
-    { SCMP_SYS(io_getevents), 245 },
-    { SCMP_SYS(dup), 245 },
-    { SCMP_SYS(dup2), 245 },
-    { SCMP_SYS(dup3), 245 },
-    { SCMP_SYS(gettid), 245 },
-    { SCMP_SYS(getgid), 245 },
-    { SCMP_SYS(getegid), 245 },
-    { SCMP_SYS(getuid), 245 },
-    { SCMP_SYS(geteuid), 245 },
-    { SCMP_SYS(timer_create), 245 },
-    { SCMP_SYS(times), 245 },
-    { SCMP_SYS(exit), 245 },
-    { SCMP_SYS(clock_gettime), 245 },
-    { SCMP_SYS(time), 245 },
-    { SCMP_SYS(restart_syscall), 245 },
-    { SCMP_SYS(pwrite64), 245 },
-    { SCMP_SYS(nanosleep), 245 },
-    { SCMP_SYS(chown), 245 },
-    { SCMP_SYS(openat), 245 },
-    { SCMP_SYS(getdents), 245 },
-    { SCMP_SYS(timer_delete), 245 },
-    { SCMP_SYS(exit_group), 245 },
-    { SCMP_SYS(rt_sigreturn), 245 },
-    { SCMP_SYS(sync), 245 },
-    { SCMP_SYS(pread64), 245 },
-    { SCMP_SYS(madvise), 245 },
-    { SCMP_SYS(set_robust_list), 245 },
-    { SCMP_SYS(lseek), 245 },
-    { SCMP_SYS(pselect6), 245 },
-    { SCMP_SYS(fork), 245 },
-    { SCMP_SYS(rt_sigprocmask), 245 },
-    { SCMP_SYS(write), 244 },
-    { SCMP_SYS(fcntl), 243 },
-    { SCMP_SYS(tgkill), 242 },
-    { SCMP_SYS(kill), 242 },
-    { SCMP_SYS(rt_sigaction), 242 },
-    { SCMP_SYS(pipe2), 242 },
-    { SCMP_SYS(munmap), 242 },
-    { SCMP_SYS(mremap), 242 },
-    { SCMP_SYS(fdatasync), 242 },
-    { SCMP_SYS(close), 242 },
-    { SCMP_SYS(rt_sigpending), 242 },
-    { SCMP_SYS(rt_sigtimedwait), 242 },
-    { SCMP_SYS(readv), 242 },
-    { SCMP_SYS(writev), 242 },
-    { SCMP_SYS(preadv), 242 },
-    { SCMP_SYS(pwritev), 242 },
-    { SCMP_SYS(setrlimit), 242 },
-    { SCMP_SYS(ftruncate), 242 },
-    { SCMP_SYS(lstat), 242 },
-    { SCMP_SYS(pipe), 242 },
-    { SCMP_SYS(umask), 242 },
-    { SCMP_SYS(chdir), 242 },
-    { SCMP_SYS(setitimer), 242 },
-    { SCMP_SYS(setsid), 242 },
-    { SCMP_SYS(poll), 242 },
-    { SCMP_SYS(epoll_create), 242 },
-    { SCMP_SYS(epoll_ctl), 242 },
-    { SCMP_SYS(epoll_wait), 242 },
-    { SCMP_SYS(waitpid), 242 },
-    { SCMP_SYS(getsockname), 242 },
-    { SCMP_SYS(getpeername), 242 },
-    { SCMP_SYS(accept4), 242 },
-    { SCMP_SYS(timerfd_settime), 242 },
-    { SCMP_SYS(newfstatat), 241 },
-    { SCMP_SYS(shutdown), 241 },
-    { SCMP_SYS(getsockopt), 241 },
-    { SCMP_SYS(semop), 241 },
-    { SCMP_SYS(semtimedop), 241 },
-    { SCMP_SYS(epoll_ctl_old), 241 },
-    { SCMP_SYS(epoll_wait_old), 241 },
-    { SCMP_SYS(epoll_pwait), 241 },
-    { SCMP_SYS(epoll_create1), 241 },
-    { SCMP_SYS(ppoll), 241 },
-    { SCMP_SYS(creat), 241 },
-    { SCMP_SYS(link), 241 },
-    { SCMP_SYS(getpid), 241 },
-    { SCMP_SYS(getppid), 241 },
-    { SCMP_SYS(getpgrp), 241 },
-    { SCMP_SYS(getpgid), 241 },
-    { SCMP_SYS(getsid), 241 },
-    { SCMP_SYS(getdents64), 241 },
-    { SCMP_SYS(getresuid), 241 },
-    { SCMP_SYS(getresgid), 241 },
-    { SCMP_SYS(getgroups), 241 },
-    { SCMP_SYS(getresuid32), 241 },
-    { SCMP_SYS(getresgid32), 241 },
-    { SCMP_SYS(getgroups32), 241 },
-    { SCMP_SYS(signal), 241 },
-    { SCMP_SYS(sigaction), 241 },
-    { SCMP_SYS(sigsuspend), 241 },
-    { SCMP_SYS(sigpending), 241 },
-    { SCMP_SYS(truncate64), 241 },
-    { SCMP_SYS(ftruncate64), 241 },
-    { SCMP_SYS(fchown32), 241 },
-    { SCMP_SYS(chown32), 241 },
-    { SCMP_SYS(lchown32), 241 },
-    { SCMP_SYS(statfs64), 241 },
-    { SCMP_SYS(fstatfs64), 241 },
-    { SCMP_SYS(fstatat64), 241 },
-    { SCMP_SYS(lstat64), 241 },
-    { SCMP_SYS(sendfile64), 241 },
-    { SCMP_SYS(ugetrlimit), 241 },
-    { SCMP_SYS(alarm), 241 },
-    { SCMP_SYS(rt_sigsuspend), 241 },
-    { SCMP_SYS(rt_sigqueueinfo), 241 },
-    { SCMP_SYS(rt_tgsigqueueinfo), 241 },
-    { SCMP_SYS(sigaltstack), 241 },
-    { SCMP_SYS(signalfd4), 241 },
-    { SCMP_SYS(truncate), 241 },
-    { SCMP_SYS(fchown), 241 },
-    { SCMP_SYS(lchown), 241 },
-    { SCMP_SYS(fchownat), 241 },
-    { SCMP_SYS(fstatfs), 241 },
-    { SCMP_SYS(getitimer), 241 },
-    { SCMP_SYS(syncfs), 241 },
-    { SCMP_SYS(fsync), 241 },
-    { SCMP_SYS(fchdir), 241 },
-    { SCMP_SYS(msync), 241 },
-    { SCMP_SYS(sched_setparam), 241 },
-    { SCMP_SYS(sched_setscheduler), 241 },
-    { SCMP_SYS(sched_yield), 241 },
-    { SCMP_SYS(sched_rr_get_interval), 241 },
-    { SCMP_SYS(sched_setaffinity), 241 },
-    { SCMP_SYS(sched_getaffinity), 241 },
-    { SCMP_SYS(readahead), 241 },
-    { SCMP_SYS(timer_getoverrun), 241 },
-    { SCMP_SYS(unlinkat), 241 },
-    { SCMP_SYS(readlinkat), 241 },
-    { SCMP_SYS(faccessat), 241 },
-    { SCMP_SYS(get_robust_list), 241 },
-    { SCMP_SYS(splice), 241 },
-    { SCMP_SYS(vmsplice), 241 },
-    { SCMP_SYS(getcpu), 241 },
-    { SCMP_SYS(sendmmsg), 241 },
-    { SCMP_SYS(recvmmsg), 241 },
-    { SCMP_SYS(prlimit64), 241 },
-    { SCMP_SYS(waitid), 241 },
-    { SCMP_SYS(io_cancel), 241 },
-    { SCMP_SYS(io_setup), 241 },
-    { SCMP_SYS(io_destroy), 241 },
-    { SCMP_SYS(arch_prctl), 240 },
-    { SCMP_SYS(mkdir), 240 },
-    { SCMP_SYS(fchmod), 240 },
-    { SCMP_SYS(shmget), 240 },
-    { SCMP_SYS(shmat), 240 },
-    { SCMP_SYS(shmdt), 240 },
-    { SCMP_SYS(timerfd_create), 240 },
-    { SCMP_SYS(shmctl), 240 },
-    { SCMP_SYS(mlockall), 240 },
-    { SCMP_SYS(mlock), 240 },
-    { SCMP_SYS(munlock), 240 },
-    { SCMP_SYS(semctl), 240 },
-    { SCMP_SYS(fallocate), 240 },
-    { SCMP_SYS(fadvise64), 240 },
-    { SCMP_SYS(inotify_init1), 240 },
-    { SCMP_SYS(inotify_add_watch), 240 },
-    { SCMP_SYS(mbind), 240 },
-    { SCMP_SYS(memfd_create), 240 },
-#ifdef HAVE_CACHEFLUSH
-    { SCMP_SYS(cacheflush), 240 },
-#endif
-    { SCMP_SYS(sysinfo), 240 },
+static const struct QemuSeccompSyscall blacklist[] = {
+    { SCMP_SYS(reboot), 255 },
+    { SCMP_SYS(swapon), 255 },
+    { SCMP_SYS(swapoff), 255 },
+    { SCMP_SYS(syslog), 255 },
+    { SCMP_SYS(mount), 255 },
+    { SCMP_SYS(umount), 255 },
+    { SCMP_SYS(kexec_load), 255 },
+    { SCMP_SYS(afs_syscall), 255 },
+    { SCMP_SYS(break), 255 },
+    { SCMP_SYS(ftime), 255 },
+    { SCMP_SYS(getpmsg), 255 },
+    { SCMP_SYS(gtty), 255 },
+    { SCMP_SYS(lock), 255 },
+    { SCMP_SYS(mpx), 255 },
+    { SCMP_SYS(prof), 255 },
+    { SCMP_SYS(profil), 255 },
+    { SCMP_SYS(putpmsg), 255 },
+    { SCMP_SYS(security), 255 },
+    { SCMP_SYS(stty), 255 },
+    { SCMP_SYS(tuxcall), 255 },
+    { SCMP_SYS(ulimit), 255 },
+    { SCMP_SYS(vserver), 255 },
 };
 
 int seccomp_start(void)
@@ -262,19 +62,19 @@  int seccomp_start(void)
     unsigned int i = 0;
     scmp_filter_ctx ctx;
 
-    ctx = seccomp_init(SCMP_ACT_KILL);
+    ctx = seccomp_init(SCMP_ACT_ALLOW);
     if (ctx == NULL) {
         rc = -1;
         goto seccomp_return;
     }
 
-    for (i = 0; i < ARRAY_SIZE(seccomp_whitelist); i++) {
-        rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_whitelist[i].num, 0);
+    for (i = 0; i < ARRAY_SIZE(blacklist); i++) {
+        rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, blacklist[i].num, 0);
         if (rc < 0) {
             goto seccomp_return;
         }
-        rc = seccomp_syscall_priority(ctx, seccomp_whitelist[i].num,
-                                      seccomp_whitelist[i].priority);
+        rc = seccomp_syscall_priority(ctx, blacklist[i].num,
+                                      blacklist[i].priority);
         if (rc < 0) {
             goto seccomp_return;
         }
diff --git a/vl.c b/vl.c
index fb6b2efafa..15b98800e9 100644
--- a/vl.c
+++ b/vl.c
@@ -1030,13 +1030,16 @@  static int bt_parse(const char *opt)
 
 static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp)
 {
-    /* FIXME: change this to true for 1.3 */
     if (qemu_opt_get_bool(opts, "enable", false)) {
 #ifdef CONFIG_SECCOMP
         if (seccomp_start() < 0) {
             error_report("failed to install seccomp syscall filter "
                          "in the kernel");
             return -1;
+        } else {
+            error_report("warning: -sandbox on has been converted to blacklist "
+                         "approach. Refer to the manual for new sandbox "
+                         "options in order to increase security.");
         }
 #else
         error_report("seccomp support is disabled");