Re: [Xen-devel] [PATCH v2 6/6] RFC: tools/dm_restrict: Enable QEMU sandboxing
George Dunlap writes ("Re: [PATCH v2 6/6] RFC: tools/dm_restrict: Enable QEMU sandboxing"):
> On 09/24/2018 02:04 PM, Ian Jackson wrote:
> > What about capabilities not known to the qemu source code ?
>
> Hrm -- it looks like the sandboxing stuff is based on a blacklist,
> rather than a whitelist. Which may be inevitable, given that seccomp2
> operates on system calls but qemu makes library calls (and thus doesn't
> actually know which system calls are needed and which are not -- see [1]).
> But it does rather undermine the usefulness of this as a security
> feature -- there are literally hundreds of system calls available on
> Linux, of which only 50 or so are listed here.
How annoying.
> Luckily `-sandbox` was just one of the "sure why not" layers of extra
> security, not something we rely on.
Right.
> We could add a test to our testing script to parse `-help` output for
> unknown-to-libxl options and throw an error, so that they get added in,
> if we want.
That sounds like a good idea.
Ian.
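The check suggested above (parse QEMU's `-help` output and fail when it lists options libxl does not know about) could look like the following. This is an added example, not code from the Xen tree or from the patch series under discussion; the `-help` text, the set of options "known to libxl" and the function names are all constructed here for illustration.

```python
"""Flag QEMU command-line options that libxl does not yet know about.

Added illustration only: the help text below is a constructed, abridged
imitation of `qemu-system-x86_64 -help` output, and KNOWN_TO_LIBXL is a
hypothetical stand-in for whatever list libxl actually maintains.
"""
import re
import subprocess
import sys

# Constructed sample; not real QEMU output.
SAMPLE_HELP = """\
QEMU emulator version 3.0.0
usage: qemu-system-x86_64 [options] [disk_image]

Standard options:
-h or -help     display this help and exit
-machine [type=]name[,prop[=value][,...]]
                selects emulated machine ('-machine help' for list)
-sandbox on[,obsolete=allow|deny][,elevateprivileges=allow|deny|children]
                Enable seccomp mode 2 system call filter
-chroot dir     chroot to dir just before starting the VM
-runas user     change to user id user just before starting the VM
-no-reboot      exit instead of rebooting
-newoption foo  a hypothetical option libxl has never heard of
"""

# Hypothetical: the options libxl has reviewed and knows how to handle.
KNOWN_TO_LIBXL = {"-h", "-help", "-machine", "-sandbox", "-chroot",
                  "-runas", "-no-reboot"}

# An option line starts at column 0 with "-name"; continuation lines are
# indented, so they never match.  "-h or -help" style aliases are caught
# by the optional second group.
OPTION_RE = re.compile(
    r"^(-[A-Za-z][\w-]*)(?:\s+or\s+(-[A-Za-z][\w-]*))?(?=\s|$)")


def parse_help_options(help_text):
    """Return the option names listed in `-help` output, in order."""
    opts = []
    for line in help_text.splitlines():
        m = OPTION_RE.match(line)
        if not m:
            continue
        opts.append(m.group(1))
        if m.group(2):
            opts.append(m.group(2))
    return opts


def unknown_options(help_text, known):
    """Options present in the help text but absent from `known`, sorted."""
    return sorted(set(parse_help_options(help_text)) - set(known))


def qemu_help(qemu_binary):
    """Run the real binary; only used from the command line, never at import."""
    return subprocess.run([qemu_binary, "-help"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    # Usage: python check_qemu_options.py /usr/bin/qemu-system-x86_64
    text = qemu_help(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HELP
    unknown = unknown_options(text, KNOWN_TO_LIBXL)
    if unknown:
        print("options unknown to libxl: " + " ".join(unknown))
        sys.exit(1)
    print("all options known")
```

Run without arguments it checks the embedded sample and reports `-newoption`; given a path to a QEMU binary it parses the live `-help` output instead. The useful property is that the test fails closed: any new option QEMU grows has to be added to the known set, so the restriction code gets a chance to consider it rather than silently ignoring it.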
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel