[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-commits] [qemu/qemu] 1bd615: seccomp: changing from whitelist to b
|
From: |
GitHub |
|
Subject: |
[Qemu-commits] [qemu/qemu] 1bd615: seccomp: changing from whitelist to blacklist |
|
Date: |
Sat, 16 Sep 2017 04:35:49 -0700 |
Branch: refs/heads/master
Home: https://github.com/qemu/qemu
Commit: 1bd6152ae23549032ef4aca0d3d350512f012f05
https://github.com/qemu/qemu/commit/1bd6152ae23549032ef4aca0d3d350512f012f05
Author: Eduardo Otubo <address@hidden>
Date: 2017-09-15 (Fri, 15 Sep 2017)
Changed paths:
M include/sysemu/seccomp.h
M qemu-seccomp.c
M vl.c
Log Message:
-----------
seccomp: changing from whitelist to blacklist
This patch changes the default behavior of the seccomp filter from
whitelist to blacklist. By default now all system calls are allowed and
a small black list of definitely forbidden ones was created.
Signed-off-by: Eduardo Otubo <address@hidden>
Commit: 2b716fa6d63a183a42b789595c3944f53c0ded7c
https://github.com/qemu/qemu/commit/2b716fa6d63a183a42b789595c3944f53c0ded7c
Author: Eduardo Otubo <address@hidden>
Date: 2017-09-15 (Fri, 15 Sep 2017)
Changed paths:
M include/sysemu/seccomp.h
M qemu-options.hx
M qemu-seccomp.c
M vl.c
Log Message:
-----------
seccomp: add obsolete argument to command line
This patch introduces the argument [,obsolete=allow] to the `-sandbox on'
option. It allows Qemu to run safely on old system that still relies on
old system calls.
Signed-off-by: Eduardo Otubo <address@hidden>
Commit: 73a1e647256b09734ce64ef7a6001a0db03f7106
https://github.com/qemu/qemu/commit/73a1e647256b09734ce64ef7a6001a0db03f7106
Author: Eduardo Otubo <address@hidden>
Date: 2017-09-15 (Fri, 15 Sep 2017)
Changed paths:
M include/sysemu/seccomp.h
M qemu-options.hx
M qemu-seccomp.c
M vl.c
Log Message:
-----------
seccomp: add elevateprivileges argument to command line
This patch introduces the new argument
[,elevateprivileges=allow|deny|children] to the `-sandbox on'. It allows
or denies Qemu process to elevate its privileges by blacklisting all
set*uid|gid system calls. The 'children' option will let forks and
execves run unprivileged.
Signed-off-by: Eduardo Otubo <address@hidden>
Commit: 995a226f880b807e05240e8752d6ce65679775be
https://github.com/qemu/qemu/commit/995a226f880b807e05240e8752d6ce65679775be
Author: Eduardo Otubo <address@hidden>
Date: 2017-09-15 (Fri, 15 Sep 2017)
Changed paths:
M include/sysemu/seccomp.h
M qemu-options.hx
M qemu-seccomp.c
M vl.c
Log Message:
-----------
seccomp: add spawn argument to command line
This patch adds [,spawn=deny] argument to `-sandbox on' option. It
blacklists fork and execve system calls, avoiding Qemu to spawn new
threads or processes.
Signed-off-by: Eduardo Otubo <address@hidden>
Commit: 24f8cdc5722476e12d8e39d71f66311b4fa971c1
https://github.com/qemu/qemu/commit/24f8cdc5722476e12d8e39d71f66311b4fa971c1
Author: Eduardo Otubo <address@hidden>
Date: 2017-09-15 (Fri, 15 Sep 2017)
Changed paths:
M include/sysemu/seccomp.h
M qemu-options.hx
M qemu-seccomp.c
M vl.c
Log Message:
-----------
seccomp: add resourcecontrol argument to command line
This patch adds [,resourcecontrol=deny] to `-sandbox on' option. It
blacklists all process affinity and scheduler priority system calls to
avoid any bigger of the process.
Signed-off-by: Eduardo Otubo <address@hidden>
Commit: c3883e1f935bf11ef0d2b8157b0022ace3d0e77d
https://github.com/qemu/qemu/commit/c3883e1f935bf11ef0d2b8157b0022ace3d0e77d
Author: Fam Zheng <address@hidden>
Date: 2017-09-15 (Fri, 15 Sep 2017)
Changed paths:
M Makefile.objs
M configure
Log Message:
-----------
buildsys: Move seccomp cflags/libs to per object
Like many other libraries, libseccomp cflags and libs should only apply
to the building of necessary objects. Do so in the usual way with the
help of per object variables.
Signed-off-by: Fam Zheng <address@hidden>
Commit: 11dd4b89d0452d6587aa310c7020685642b708f7
https://github.com/qemu/qemu/commit/11dd4b89d0452d6587aa310c7020685642b708f7
Author: Peter Maydell <address@hidden>
Date: 2017-09-15 (Fri, 15 Sep 2017)
Changed paths:
M Makefile.objs
M configure
M include/sysemu/seccomp.h
M qemu-options.hx
M qemu-seccomp.c
M vl.c
Log Message:
-----------
Merge remote-tracking branch 'remotes/otubo/tags/pull-seccomp-20170915' into
staging
pull-seccomp-20170915
# gpg: Signature made Fri 15 Sep 2017 09:21:15 BST
# gpg: using RSA key 0xDF32E7C0F0FFF9A2
# gpg: Good signature from "Eduardo Otubo (Senior Software Engineer)
<address@hidden>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: D67E 1B50 9374 86B4 0723 DBAB DF32 E7C0 F0FF F9A2
* remotes/otubo/tags/pull-seccomp-20170915:
buildsys: Move seccomp cflags/libs to per object
seccomp: add resourcecontrol argument to command line
seccomp: add spawn argument to command line
seccomp: add elevateprivileges argument to command line
seccomp: add obsolete argument to command line
seccomp: changing from whitelist to blacklist
Signed-off-by: Peter Maydell <address@hidden>
Compare: https://github.com/qemu/qemu/compare/5faf2d376af3...11dd4b89d045
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Qemu-commits] [qemu/qemu] 1bd615: seccomp: changing from whitelist to blacklist,
GitHub <=