yannick.naumann/RT-Task-Generator-QEMU
1
0
Fork 0
forked from alwin.berger/FRET-qemu
Code Pull Requests Activity

seccomp: block setns, unshare and execveat syscalls

Browse Source 
setns/unshare are used to change namespaces which is not something QEMU
needs to be able todo.

execveat is a new variant of execve so should be blocked just like
execve already is.

Acked-by: Eduardo Otubo <otubo@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé 2021-04-29 11:25:13 +01:00
parent c542b30270
commit 4638057110
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
softmmu/qemu-seccomp.c
View File

@ -248,6 +248,11 @@ static const struct QemuSeccompSyscall denylist[] = {
{ SCMP_SYS(clone3), QEMU_SECCOMP_SET_SPAWN, { SCMP_SYS(clone3), QEMU_SECCOMP_SET_SPAWN,
0, NULL, SCMP_ACT_ERRNO(ENOSYS) }, 0, NULL, SCMP_ACT_ERRNO(ENOSYS) },
#endif #endif
#ifdef __SNR_execveat
{ SCMP_SYS(execveat), QEMU_SECCOMP_SET_SPAWN },
#endif
{ SCMP_SYS(setns), QEMU_SECCOMP_SET_SPAWN },
{ SCMP_SYS(unshare), QEMU_SECCOMP_SET_SPAWN },
/* resource control */ /* resource control */
{ SCMP_SYS(setpriority), QEMU_SECCOMP_SET_RESOURCECTL, { SCMP_SYS(setpriority), QEMU_SECCOMP_SET_RESOURCECTL,
0, NULL, SCMP_ACT_ERRNO(EPERM) }, 0, NULL, SCMP_ACT_ERRNO(EPERM) },