[PATCHv4,6/6] seccomp: adding documentation to new seccomp model
diff mbox

Message ID 20170901105818.31956-7-otubo@redhat.com
State New
Headers show

Commit Message

Eduardo Otubo Sept. 1, 2017, 10:58 a.m. UTC
Adding new documentation under docs/ to describe every one and each new
option added by the refactoring patchset.

Signed-off-by: Eduardo Otubo <otubo@redhat.com>
---
 docs/seccomp.txt | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 docs/seccomp.txt

Comments

Daniel P. Berrangé Sept. 1, 2017, 11:03 a.m. UTC | #1
On Fri, Sep 01, 2017 at 12:58:18PM +0200, Eduardo Otubo wrote:
> Adding new documentation under docs/ to describe every one and each new
> option added by the refactoring patchset.
> 
> Signed-off-by: Eduardo Otubo <otubo@redhat.com>
> ---
>  docs/seccomp.txt | 31 +++++++++++++++++++++++++++++++
>  1 file changed, 31 insertions(+)
>  create mode 100644 docs/seccomp.txt
> 
> diff --git a/docs/seccomp.txt b/docs/seccomp.txt
> new file mode 100644
> index 0000000000..a5eca85a9b
> --- /dev/null
> +++ b/docs/seccomp.txt
> @@ -0,0 +1,31 @@
> +QEMU Seccomp system call filter
> +===============================
> +
> +Starting from QEMU version 2.11, the seccomp filter does not work as a
> +whitelist but as a blacklist instead. This method allows safer deploys since
> +only the strictly forbidden system calls will be black-listed and the
> +possibility of breaking any workload is close to zero.
> +
> +The default option (-sandbox on) has a slightly looser security though and the
> +reason is that it shouldn't break any backwards compatibility with previous
> +deploys and command lines already running. But if the intent is to have a
> +better security from this version on, one should make use of the following
> +additional options properly:
> +
> +* obsolete=allow|deny: It allows Qemu to run safely on old system that still
> +  relies on old system calls.
> +
> +* elevateprivileges=allow|deny|children: It allows or denies Qemu process
> +  to elevate its privileges by blacklisting all set*uid|gid system calls. The
> +  'children' option sets the PR_SET_NO_NEW_PRIVS to 1 which allows helpers
> +  (forks and execs) to run unprivileged.
> +
> +* spawn=allow|deny: It blacklists fork and execve system calls, avoiding QEMU to
> +  spawn new threads or processes.
> +
> +* resourcecontrol=allow|deny: It blacklists all process affinity and scheduler
> +  priority system calls to avoid that the process can increase its amount of
> +  allowed resource consumption.
> +

This ought to be part of qemu-options.hx so it makes it into the qemu
docs & man page.

Regards,
Daniel

Patch
diff mbox

diff --git a/docs/seccomp.txt b/docs/seccomp.txt
new file mode 100644
index 0000000000..a5eca85a9b
--- /dev/null
+++ b/docs/seccomp.txt
@@ -0,0 +1,31 @@ 
+QEMU Seccomp system call filter
+===============================
+
+Starting from QEMU version 2.11, the seccomp filter does not work as a
+whitelist but as a blacklist instead. This method allows safer deploys since
+only the strictly forbidden system calls will be black-listed and the
+possibility of breaking any workload is close to zero.
+
+The default option (-sandbox on) has a slightly looser security though and the
+reason is that it shouldn't break any backwards compatibility with previous
+deploys and command lines already running. But if the intent is to have a
+better security from this version on, one should make use of the following
+additional options properly:
+
+* obsolete=allow|deny: It allows Qemu to run safely on old system that still
+  relies on old system calls.
+
+* elevateprivileges=allow|deny|children: It allows or denies Qemu process
+  to elevate its privileges by blacklisting all set*uid|gid system calls. The
+  'children' option sets the PR_SET_NO_NEW_PRIVS to 1 which allows helpers
+  (forks and execs) to run unprivileged.
+
+* spawn=allow|deny: It blacklists fork and execve system calls, avoiding QEMU to
+  spawn new threads or processes.
+
+* resourcecontrol=allow|deny: It blacklists all process affinity and scheduler
+  priority system calls to avoid that the process can increase its amount of
+  allowed resource consumption.
+
+--
+Eduardo Otubo <otubo@redhat.com>