seccomp: block setns, unshare and execveat syscalls

setns/unshare are used to change namespaces which is not something QEMU needs to be able todo. execveat is a new variant of execve so should be blocked just like execve already is. Acked-by: Eduardo Otubo <otubo@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2021-04-29 11:25:13 +01:00 · 2021-04-29 11:25:13 +01:00 · 4638057110
parent c542b30270
commit 4638057110
1 changed files with 5 additions and 0 deletions
--- a/softmmu/qemu-seccomp.c
+++ b/softmmu/qemu-seccomp.c
@ -248,6 +248,11 @@ static const struct QemuSeccompSyscall denylist[] = {
    { SCMP_SYS(clone3),                 QEMU_SECCOMP_SET_SPAWN,
      0, NULL, SCMP_ACT_ERRNO(ENOSYS) },
 #endif
+#ifdef __SNR_execveat
+    { SCMP_SYS(execveat),               QEMU_SECCOMP_SET_SPAWN },
+#endif
+    { SCMP_SYS(setns),                  QEMU_SECCOMP_SET_SPAWN },
+    { SCMP_SYS(unshare),                QEMU_SECCOMP_SET_SPAWN },
    /* resource control */
    { SCMP_SYS(setpriority),            QEMU_SECCOMP_SET_RESOURCECTL,
      0, NULL, SCMP_ACT_ERRNO(EPERM) },