[libvirt] [PATCH v0] qemu: Add sandbox support.
Corey Bryant
coreyb at linux.vnet.ibm.com
Thu Sep 6 15:56:05 UTC 2012
On 09/06/2012 02:27 AM, Daniel Veillard wrote:
> On Mon, Sep 03, 2012 at 02:03:39PM +0200, Ján Tomko wrote:
>> QEMU (since 1.2-rc0) supports setting up a syscall whitelist through
>> libseccomp on linux kernel from 3.5-rc1. This is enabled by specifying
>> -sandbox on on qemu command line.
>>
>> This patch detects this capability by searching for -sandbox in qemu
>> help output and runs qemu with -sandbox on if sandbox is set to non-zero
>> in qemu.conf.
>>
>> ---
>> Should this option be in qemu.conf, or would it be better to set it
>> per-domain in the XML?
>> ---
>> src/qemu/qemu.conf | 6 ++++++
>> src/qemu/qemu_capabilities.c | 3 +++
>> src/qemu/qemu_capabilities.h | 1 +
>> src/qemu/qemu_command.c | 3 +++
>> src/qemu/qemu_conf.c | 5 +++++
>> src/qemu/qemu_conf.h | 1 +
>> 6 files changed, 19 insertions(+), 0 deletions(-)
>>
>> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
>> index d3175fa..47e510e 100644
>> --- a/src/qemu/qemu.conf
>> +++ b/src/qemu/qemu.conf
>> @@ -375,3 +375,9 @@
>> #
>> #keepalive_interval = 5
>> #keepalive_count = 5
>> +
>> +
>> +
>> +# Enable this to use seccomp syscall whitelisting in QEMU.
>> +#
>> +#sandbox = 1
>> diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
>> index 2ba7956..b0728e8 100644
>> --- a/src/qemu/qemu_capabilities.c
>> +++ b/src/qemu/qemu_capabilities.c
>> @@ -176,6 +176,7 @@ VIR_ENUM_IMPL(qemuCaps, QEMU_CAPS_LAST,
>> "disable-s3",
>>
>> "disable-s4", /* 105 */
>> + "sandbox"
>> );
>>
>> struct qemu_feature_flags {
>> @@ -1139,6 +1140,8 @@ qemuCapsComputeCmdFlags(const char *help,
>> }
>> if (strstr(help, "-smbios type"))
>> qemuCapsSet(flags, QEMU_CAPS_SMBIOS_TYPE);
>> + if (strstr(help, "-sandbox"))
>> + qemuCapsSet(flags, QEMU_CAPS_SANDBOX);
>>
>> if ((netdev = strstr(help, "-netdev"))) {
>> /* Disable -netdev on 0.12 since although it exists,
>> diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
>> index a7b3a06..0066901 100644
>> --- a/src/qemu/qemu_capabilities.h
>> +++ b/src/qemu/qemu_capabilities.h
>> @@ -141,6 +141,7 @@ enum qemuCapsFlags {
>> QEMU_CAPS_IOLIMITS = 103, /* -device ...logical_block_size & co */
>> QEMU_CAPS_DISABLE_S3 = 104, /* S3 BIOS Advertisement on/off */
>> QEMU_CAPS_DISABLE_S4 = 105, /* S4 BIOS Advertisement on/off */
>> + QEMU_CAPS_SANDBOX = 106, /* -sandbox */
>>
>> QEMU_CAPS_LAST, /* this must always be the last item */
>> };
>> diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
>> index e739f34..737d4d9 100644
>> --- a/src/qemu/qemu_command.c
>> +++ b/src/qemu/qemu_command.c
>> @@ -6462,6 +6462,9 @@ qemuBuildCommandLine(virConnectPtr conn,
>> ? qemucmd->env_value[i] : "");
>> }
>>
>> + if (driver->sandbox && qemuCapsGet(qemuCaps, QEMU_CAPS_SANDBOX))
>> + virCommandAddArgList(cmd, "-sandbox", "on", NULL);
>> +
>> return cmd;
>>
>> no_memory:
>> diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
>> index e9e15c5..a367fcd 100644
>> --- a/src/qemu/qemu_conf.c
>> +++ b/src/qemu/qemu_conf.c
>> @@ -129,6 +129,7 @@ int qemudLoadDriverConfig(struct qemud_driver *driver,
>>
>> driver->keepAliveInterval = 5;
>> driver->keepAliveCount = 5;
>> + driver->sandbox = false;
>>
>> /* Just check the file is readable before opening it, otherwise
>> * libvirt emits an error.
>> @@ -570,6 +571,10 @@ int qemudLoadDriverConfig(struct qemud_driver *driver,
>> CHECK_TYPE("keepalive_count", VIR_CONF_LONG);
>> if (p) driver->keepAliveCount = p->l;
>>
>> + p = virConfGetValue(conf, "sandbox");
>> + CHECK_TYPE("sandbox", VIR_CONF_LONG);
>> + if (p) driver->sandbox = p->l;
>> +
>> virConfFree (conf);
>> return 0;
>> }
>> diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
>> index ac285f6..f1b6465 100644
>> --- a/src/qemu/qemu_conf.h
>> +++ b/src/qemu/qemu_conf.h
>> @@ -152,6 +152,7 @@ struct qemud_driver {
>>
>> int keepAliveInterval;
>> unsigned int keepAliveCount;
>> + bool sandbox;
>> };
>>
>> typedef struct _qemuDomainCmdlineDef qemuDomainCmdlineDef;
>
> As-is the patch looks fine to me, now the real question as you pointed
> out is do we want to enforce that at the guest level.
> In general, if available sandboxing should be turned on unless we hit
> a bug, so if it work as expected, it should always be on, which to me
> would be an indication to have that as a global default for the driver
> (and on by default).
> If you have to rely on the user explicit setting to activate it, it
> won't be activated, if security implementations are good enough they
> are better off as default settings IMHO,
I agree, it should be on by default and turned off only if there's a
problem with the syscall whitelist. However, note what I said in my
previous email that we don't plan to default to on until QEMU 1.3.
--
Regards,
Corey
>
> So ACK to this, except I would change src/qemu/qemu.conf patch to
> enable it by default, i.e. remove the leading # ... then testing will
> tell us if we can keep it on.
>
> Daniel
>
More information about the libvir-list
mailing list