qemu: deny privilege elevation and spawn in seccomp

If QEMU uses a seccomp blacklist (since 2.11), -sandbox on
no longer tries to whitelist all the calls, but uses sets
of blacklists:
default (always blacklisted with -sandbox on)
obsolete (defaults to deny)
elevateprivileges (setuid & co, default: allow)
spawn (fork & execve, default: allow)
resourcecontrol (setaffinity, setscheduler, default: allow)

If these are supported, default to sandbox with all four
categories blacklisted.

https://bugzilla.redhat.com/show_bug.cgi?id=1492597

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

src/qemu/qemu.conf

@@ -669,9 +669,13 @@
 
 
 
-# Use seccomp syscall whitelisting in QEMU.
+# Use seccomp syscall sandbox in QEMU.
-# 1 = on, 0 = off, -1 = use QEMU default
+# 1 == seccomp enabled, 0 == seccomp disabled
-# Defaults to -1.
+#
+# If it is unset (or -1), then seccomp will be enabled
+# only if QEMU >= 2.11.0 is detected, otherwise it is
+# left disabled. This ensures the default config gets
+# protection for new QEMU using the blacklist approach.
 #
 #seccomp_sandbox = 1
 

src/qemu/qemu_command.c

@@ -9734,6 +9734,16 @@ qemuBuildSeccompSandboxCommandLine(virCommandPtr cmd,
         return 0;
     }
 
+    /* Use blacklist by default if supported */
+    if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SECCOMP_BLACKLIST)) {
+        virCommandAddArgList(cmd, "-sandbox",
+                             "on,obsolete=deny,elevateprivileges=deny,"
+                             "spawn=deny,resourcecontrol=deny",
+                             NULL);
+        return 0;
+    }
+
+    /* Seccomp whitelist is opt-in */
     if (cfg->seccompSandbox > 0)
         virCommandAddArgList(cmd, "-sandbox", "on", NULL);
 

tests/qemuxml2argvdata/minimal-sandbox.args

@@ -0,0 +1,29 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/home/test \
+USER=test \
+LOGNAME=test \
+QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-i686 \
+-name QEMUGuest1 \
+-S \
+-machine pc,accel=tcg,usb=off,dump-guest-core=off \
+-m 214 \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
+-display none \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=charmonitor,path=/tmp/lib/domain--1-QEMUGuest1/monitor.sock,\
+server,nowait \
+-mon chardev=charmonitor,id=monitor,mode=control \
+-rtc base=utc \
+-no-shutdown \
+-no-acpi \
+-boot c \
+-usb \
+-drive file=/dev/HostVG/QEMUGuest1,format=raw,if=none,id=drive-ide0-0-0 \
+-device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 \
+-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3 \
+-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,\
+resourcecontrol=deny

tests/qemuxml2argvdata/minimal-sandbox.xml

@@ -0,0 +1,34 @@
+<domain type='qemu'>
+  <name>QEMUGuest1</name>
+  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+  <title>A description of the test machine.</title>
+  <description>
+      A test of qemu&apos;s minimal configuration.
+      This test also tests the description and title elements.
+  </description>
+  <memory unit='KiB'>219100</memory>
+  <currentMemory unit='KiB'>219100</currentMemory>
+  <vcpu placement='static' cpuset='1-4,8-20,525'>1</vcpu>
+  <os>
+    <type arch='i686' machine='pc'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu-system-i686</emulator>
+    <disk type='block' device='disk'>
+      <source dev='/dev/HostVG/QEMUGuest1'/>
+      <target dev='hda' bus='ide'/>
+      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
+    </disk>
+    <controller type='usb' index='0'/>
+    <controller type='ide' index='0'/>
+    <controller type='pci' index='0' model='pci-root'/>
+    <input type='mouse' bus='ps2'/>
+    <input type='keyboard' bus='ps2'/>
+    <memballoon model='virtio'/>
+  </devices>
+</domain>

tests/qemuxml2argvtest.c

@@ -728,6 +728,8 @@ mymain(void)
     unsetenv("SDL_AUDIODRIVER");
 
     DO_TEST("minimal", NONE);
+    DO_TEST("minimal-sandbox",
+            QEMU_CAPS_SECCOMP_BLACKLIST);
     DO_TEST_PARSE_ERROR("minimal-no-memory", NONE);
     DO_TEST("minimal-msg-timestamp", QEMU_CAPS_MSG_TIMESTAMP);
     DO_TEST("machine-aliases1", NONE);