[v3,6/6] seccomp: adding documentation to new seccomp model
diff mbox

Message ID 20170728121040.631-7-otubo@redhat.com
State New
Headers show

Commit Message

Eduardo Otubo July 28, 2017, 12:10 p.m. UTC
Adding new documention under docs/ to describe every one and each new
option added by the seccomp refactoring patchset.

Signed-off-by: Eduardo Otubo <otubo@redhat.com>
---
 docs/seccomp.txt | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 docs/seccomp.txt

Comments

Daniel P. Berrangé Aug. 2, 2017, 12:39 p.m. UTC | #1
On Fri, Jul 28, 2017 at 02:10:40PM +0200, Eduardo Otubo wrote:
> Adding new documention under docs/ to describe every one and each new
> option added by the seccomp refactoring patchset.
> 
> Signed-off-by: Eduardo Otubo <otubo@redhat.com>
> ---
>  docs/seccomp.txt | 31 +++++++++++++++++++++++++++++++
>  1 file changed, 31 insertions(+)
>  create mode 100644 docs/seccomp.txt
> 
> diff --git a/docs/seccomp.txt b/docs/seccomp.txt
> new file mode 100644
> index 0000000000..4b7edba312
> --- /dev/null
> +++ b/docs/seccomp.txt
> @@ -0,0 +1,31 @@
> +QEMU Seccomp system call filter
> +===============================
> +
> +Starting from Qemu version 2.10, the seccomp filter does not work as a
> +whitelist but as a blacklist instead. This method allows safer deploys since
> +only the strictly forbidden system calls will be black-listed and the
> +possibility of breaking any workload is close to zero.
> +
> +The default option (-sandbox on) has a slightly looser security though and the
> +reason is that it shouldn't break any backwards compatibility with previous
> +deploys and command lines already running. But if the intent is to have a
> +better security from this version on, one should make use of the following
> +additional options properly:
> +
> +* [,obsolete=allow]: It allows Qemu to run safely on old system that still
> +  relies on old system calls.

We should support 'allow' and 'deny' for all of the options. THis allows
the callers to be explicit about the state, if they don't wish to rely on
the QEMU defaults

> +
> +* [,elevateprivileges=deny|allow|children]: It allows or denies Qemu process
> +  to elevate its privileges by blacklisting all set*uid|gid system calls. The
> +  'children' option sets the PR_SET_NO_NEW_PRIVS to 1 which allows helpers
> +  (forls and execs) to run unprivileged.
> +
> +* [,spawn=deny]: It blacklists fork and execve syste calls, avoiding Qemu to
> +  spawn new threads or processes.
> +
> +* [,resourcecontrol=deny]: It blacklists all process affinity and scheduler
> +  priority system calls to avoid any bigger of the process.

Regards,
Daniel
Thomas Huth Aug. 3, 2017, 5:14 p.m. UTC | #2
On 28.07.2017 14:10, Eduardo Otubo wrote:
> Adding new documention under docs/ to describe every one and each new

s/documention/documentation/

> option added by the seccomp refactoring patchset.
> 
> Signed-off-by: Eduardo Otubo <otubo@redhat.com>
> ---
>  docs/seccomp.txt | 31 +++++++++++++++++++++++++++++++
>  1 file changed, 31 insertions(+)
>  create mode 100644 docs/seccomp.txt
> 
> diff --git a/docs/seccomp.txt b/docs/seccomp.txt
> new file mode 100644
> index 0000000000..4b7edba312
> --- /dev/null
> +++ b/docs/seccomp.txt
> @@ -0,0 +1,31 @@
> +QEMU Seccomp system call filter
> +===============================
> +
> +Starting from Qemu version 2.10, the seccomp filter does not work as a

s/Qemu/QEMU/

s/2.10/2.11/

> +whitelist but as a blacklist instead. This method allows safer deploys since
> +only the strictly forbidden system calls will be black-listed and the
> +possibility of breaking any workload is close to zero.
> +
> +The default option (-sandbox on) has a slightly looser security though and the
> +reason is that it shouldn't break any backwards compatibility with previous
> +deploys and command lines already running. But if the intent is to have a
> +better security from this version on, one should make use of the following
> +additional options properly:
> +
> +* [,obsolete=allow]: It allows Qemu to run safely on old system that still
> +  relies on old system calls.
> +
> +* [,elevateprivileges=deny|allow|children]: It allows or denies Qemu process
> +  to elevate its privileges by blacklisting all set*uid|gid system calls. The
> +  'children' option sets the PR_SET_NO_NEW_PRIVS to 1 which allows helpers
> +  (forls and execs) to run unprivileged.

s/forls/forks/

> +* [,spawn=deny]: It blacklists fork and execve syste calls, avoiding Qemu to
> +  spawn new threads or processes.
> +
> +* [,resourcecontrol=deny]: It blacklists all process affinity and scheduler
> +  priority system calls to avoid any bigger of the process.

"to avoid any bigger" sounds strange to me. Maybe rather something like:
"to avoid that the process can increase its amount of allowed resource
consumption" or something similar?

 Thomas

Patch
diff mbox

diff --git a/docs/seccomp.txt b/docs/seccomp.txt
new file mode 100644
index 0000000000..4b7edba312
--- /dev/null
+++ b/docs/seccomp.txt
@@ -0,0 +1,31 @@ 
+QEMU Seccomp system call filter
+===============================
+
+Starting from Qemu version 2.10, the seccomp filter does not work as a
+whitelist but as a blacklist instead. This method allows safer deploys since
+only the strictly forbidden system calls will be black-listed and the
+possibility of breaking any workload is close to zero.
+
+The default option (-sandbox on) has a slightly looser security though and the
+reason is that it shouldn't break any backwards compatibility with previous
+deploys and command lines already running. But if the intent is to have a
+better security from this version on, one should make use of the following
+additional options properly:
+
+* [,obsolete=allow]: It allows Qemu to run safely on old system that still
+  relies on old system calls.
+
+* [,elevateprivileges=deny|allow|children]: It allows or denies Qemu process
+  to elevate its privileges by blacklisting all set*uid|gid system calls. The
+  'children' option sets the PR_SET_NO_NEW_PRIVS to 1 which allows helpers
+  (forls and execs) to run unprivileged.
+
+* [,spawn=deny]: It blacklists fork and execve syste calls, avoiding Qemu to
+  spawn new threads or processes.
+
+* [,resourcecontrol=deny]: It blacklists all process affinity and scheduler
+  priority system calls to avoid any bigger of the process.
+
+
+--
+Eduardo Otubo <otubo@redhat.com>