call for testing -- qemu / libvirt sandboxing on 18.04 LTS

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

call for testing -- qemu / libvirt sandboxing on 18.04 LTS

Seth Arnold
Hello,

Jann Horn has discovered that qemu's seccomp blacklist is not properly
applied to all threads. This means the security hardening is nearly
useless.

We'd like to fix this issue so the users who opt-in to the seccomp
filtering will get the benefits they expect. However, this change feels
like it brings more than the usual amount of regression risk, so we'd like
to call for tests from the wider community.

If you're in a position to try an updated qemu package on 18.04 LTS,
we'd like to hear your results.

The bug report to coordinate the effort:
https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1789551
The package repository:
https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3395

You may need to set seccomp_sandbox = 1 in your /etc/libvirt/qemu.conf
and restart the libvirt service and any running VMs.

Some errors may be difficult to spot. Some kernels will report seccomp
denials to dmesg or auditd and some kernels will not report anything.

Thanks

--
ubuntu-devel mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel

signature.asc (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: call for testing -- qemu / libvirt sandboxing on 18.04 LTS

Christian Ehrhardt

On Thu, Sep 6, 2018 at 8:20 PM Seth Arnold <[hidden email]> wrote:
Hello,

Jann Horn has discovered that qemu's seccomp blacklist is not properly
applied to all threads. This means the security hardening is nearly
useless.

We'd like to fix this issue so the users who opt-in to the seccomp
filtering will get the benefits they expect. However, this change feels
like it brings more than the usual amount of regression risk, so we'd like
to call for tests from the wider community.

If you're in a position to try an updated qemu package on 18.04 LTS,
we'd like to hear your results.

Hi Seth,
after none of us sent the mail it seems now we both did :-)
So let me add some references here FYI.
I had already sent the same at [1][2]

We had one reply [3] so far with a TL;DR of:
- yes sandbox feature is used
- proposed change works

 
The bug report to coordinate the effort:
https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1789551
The package repository:
https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3395

You may need to set seccomp_sandbox = 1 in your /etc/libvirt/qemu.conf
and restart the libvirt service and any running VMs.

Some errors may be difficult to spot. Some kernels will report seccomp
denials to dmesg or auditd and some kernels will not report anything.

Thanks
--
ubuntu-devel mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel


--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd

--
ubuntu-devel mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel