Comment by rwmj - Hacker Neue

rwmj Apr 28, 2017 parent

You should keep qemu up to date of course, and remove devices you don't need. But more importantly ensure you are using it through libvirt. Libvirt adds an SELinux or AppArmor layer, and a container, and enables seccomp for the qemu process. So even if the qemu process is compromised, it is very limited in what it can do to the host.

aseipp Apr 28, 2017

FWIW I've never really been impressed with QEMU's seccomp sandboxing, because it's almost entirely bolted on, and in the grand scheme, I think, does little. Does libvirt do anything substantially different or just "turn it on"?

If you look at the list of syscalls whitelisted[1], it's almost a joke -- you could literally do just about anything given those syscalls if you actually had code execution... And every one of those syscalls is a direct interface to the kernel, which becomes the weakest link in a container/LSM environment where your code will be running, presumably. How is seccomp going to stop my exploit when almost everything my exploit could ever need is whitelisted, including hundreds of syscalls that directly talk to the kernel?

I'm glad QEMU is improving their security footprint, but I honestly think its seccomp support is way overblown even though people like to bring it up... When your seccomp policy looks like the one from QEMU -- it just bans a few things they've never used, rather than only allowing things they should use. Taking advantage of it to the level of something like Chrome does (which truly mitigates attack surface with process isolation) would require almost an entire redesign of the whole thing, I think.

[1] https://github.com/qemu/qemu/blob/master/qemu-seccomp.c

rwmj OP Apr 28, 2017

Sure, I agree. It's the SELinux policy which really confines QEMU. For example the compromised QEMU will only be able to open exactly the files containing the guest's drives (not even the drives of other guests on the same host).

secur101 Apr 29, 2017

@rwmj can you please point to the list of white-listed QEMU-KVM devices used in RHEL?

rwmj OP Apr 29, 2017

The qemu source RPMs are now hosted here: https://git.centos.org/project/rpms You have to type "qemu" in the box at top right. The qemu-kvm-rhev source RPM is here: http://ftp.redhat.com/pub/redhat/linux/enterprise/7Server/en...

secur101 Apr 30, 2017

Thanks for your reply. I made some suggestions for KVM and QEMU below. Also I was wondering what your POV is on my thoughts:

https://www.hackerneue.com/item?id=14227605 https://www.hackerneue.com/item?id=14228563

sdeziel Apr 28, 2017

Unfortunately on Ubuntu, seccomp is opt-in only. Works well when enabled though.

This item has no comments currently.