
[Xen-devel] [PATCH v2 6/6] RFC: tools/dm_restrict: Enable QEMU sandboxing



QEMU has a `sandbox` feature, wherein it will use seccomp2 to restrict
what system calls it is able to make.

Suggested-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxx>
---
This can't be checked in as-is, because `-sandbox` support may not have
been compiled in.  We therefore need to either:
 1. Require that this feature be enabled to build qemu
 2. Check for `-sandbox` support at runtime before

CC: Ian Jackson <ian.jackson@xxxxxxxxxx>
CC: Wei Liu <wei.liu2@xxxxxxxxxx>
CC: Anthony Perard <anthony.perard@xxxxxxxxxx>
CC: Stefano Stabellini <sstabellini@xxxxxxxxxx>
---
 tools/libxl/libxl_dm.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
index 6733514370..b541c1a55e 100644
--- a/tools/libxl/libxl_dm.c
+++ b/tools/libxl/libxl_dm.c
@@ -1448,6 +1448,10 @@ static int libxl__build_device_model_args_new(libxl__gc 
*gc,
         // Add "-chroot [dir]" to command-line
         flexarray_append(dm_args, "-chroot");
         flexarray_append(dm_args, chroot_dir);
+
+        // Add sandboxing
+        flexarray_append(dm_args, "-sandbox");
+        flexarray_append(dm_args, 
"on,obsolete=deny,elevateprivileges=allow,spawn=deny,resourcecontrol=deny");
     }
 
     if (state->saved_state) {
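Review bot: the two `flexarray_append` calls for `-sandbox` run unconditionally in the same block that adds `-chroot`, yet the description above says `-sandbox` support may not be compiled into QEMU; a QEMU built without seccomp will reject the option at startup and every restricted device model will fail to launch. Before this is checked in, gate the two appends on a capability probe of the QEMU binary (or make seccomp a build requirement, as option 1 in the description proposes), and consider a libxl config knob so an administrator can turn the sandbox off when QEMU refuses it. Separately, `elevateprivileges=allow` is the one permissive setting among four `deny`s in the option string; a one-line comment saying why it must stay `allow` here (for instance, whether the device model still has to change uid/gid after the filter is installed) would save every future reader a trip into QEMU's seccomp code.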
-- 
2.18.0
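
An added example, not code from this patch, from libxl, or from QEMU: a minimal seccomp-bpf filter in C that does for one process what `-sandbox on,spawn=deny,...` asks QEMU to do for itself, so the effect of the flags in the hunk can be observed directly. The deny list below is an illustrative subset grouped by QEMU's category names (spawn, obsolete, resourcecontrol); QEMU's actual lists live in its qemu-seccomp.c and are longer. Returning EPERM instead of killing the process is this example's choice, made so the refused call is visible to the caller.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Added example, not QEMU/libxl code.  The arch check is mandatory:
 * syscall numbers differ per ABI, so a filter without it can be bypassed. */
#if defined(__x86_64__)
#  define SANDBOX_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define SANDBOX_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Illustrative deny list (assumed, not QEMU's exact list), grouped like
 * -sandbox categories.  elevateprivileges is left alone, as in the patch. */
static const int denied_syscalls[] = {
    SYS_execve,                 /* spawn=deny: no new programs or processes */
#ifdef SYS_execveat
    SYS_execveat,
#endif
#ifdef SYS_fork
    SYS_fork,
#endif
#ifdef SYS_vfork
    SYS_vfork,
#endif
#ifdef SYS_uselib
    SYS_uselib,                 /* obsolete=deny: legacy call no DM needs */
#endif
    SYS_setpriority,            /* resourcecontrol=deny: no scheduler tweaks */
    SYS_sched_setscheduler,
};

static size_t denied_syscall_count(void)
{
    return sizeof(denied_syscalls) / sizeof(denied_syscalls[0]);
}

/* Userspace mirror of the kernel's decision: 1 = filter returns EPERM. */
static int syscall_is_denied(long nr)
{
    for (size_t i = 0; i < denied_syscall_count(); i++)
        if (denied_syscalls[i] == nr)
            return 1;
    return 0;
}

/* arch load, arch compare, kill, nr load, two insns per denied call, allow */
static size_t filter_length(void)
{
    return 4 + 2 * denied_syscall_count() + 1;
}

/* Emit the filter into insns, which must hold filter_length() entries. */
static void build_filter(struct sock_filter *insns)
{
    size_t n = 0;
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                              offsetof(struct seccomp_data, arch));
    insns[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                              SANDBOX_AUDIT_ARCH, 1, 0);
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                              offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < denied_syscall_count(); i++) {
        insns[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                  (unsigned int)denied_syscalls[i], 0, 1);
        insns[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                                  SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    }
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
}

/* Install on the calling thread.  NO_NEW_PRIVS is what lets an unprivileged
 * process load a filter, and it is also why elevateprivileges=deny and a
 * later setuid() cannot coexist. */
static int install_filter(void)
{
    struct sock_filter insns[64];
    if (filter_length() > sizeof(insns) / sizeof(insns[0]))
        return -1;
    build_filter(insns);
    struct sock_fprog prog = { .len = (unsigned short)filter_length(), .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* Fork, sandbox the child, have it exec /bin/true.  0 = exec refused with
 * EPERM (spawn denied), 1 = exec ran (no sandbox), -1 = setup failure. */
static int probe_spawn_denied(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_filter() != 0)
            _exit(3);
        char *argv[] = { "/bin/true", NULL };
        char *envp[] = { NULL };
        execve("/bin/true", argv, envp);   /* /bin/true would exit 0 */
        _exit(errno == EPERM ? 42 : 2);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 42 ? 0 : WEXITSTATUS(status) == 0 ? 1 : -1;
}

int main(void)
{
    int r = probe_spawn_denied();
    puts(r == 0 ? "sandboxed child: execve refused with EPERM (spawn=deny)"
       : r == 1 ? "no sandbox in effect: execve succeeded"
                : "probe failed: seccomp unavailable or fork failed");
    return r == 0 ? 0 : 1;
}
```

Run it on a host that permits seccomp and the child's `execve` fails with EPERM while the parent keeps running, which is exactly the observable difference between a device model started with and without `spawn=deny`. Any probe libxl adds for `-sandbox` availability would need the same fork-and-inspect shape, since the failure only shows once QEMU parses the option.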


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 

