call for testing -- qemu / libvirt sandboxing on 18.04 LTS

Christian Ehrhardt christian.ehrhardt at canonical.com
Fri Sep 7 05:41:06 UTC 2018


On Thu, Sep 6, 2018 at 8:20 PM Seth Arnold <seth.arnold at canonical.com>
wrote:

> Hello,
>
> Jann Horn has discovered that qemu's seccomp blacklist is not properly
> applied to all threads. This means the security hardening is nearly
> useless.
>
> We'd like to fix this issue so the users who opt-in to the seccomp
> filtering will get the benefits they expect. However, this change feels
> like it brings more than the usual amount of regression risk, so we'd like
> to call for tests from the wider community.
>
> If you're in a position to try an updated qemu package on 18.04 LTS,
> we'd like to hear your results.
>

Hi Seth,
after neither of us had sent the mail, it seems now we both did :-)
So let me add some references here FYI.
I had already sent the same at [1][2].

We had one reply [3] so far with a TL;DR of:
- yes sandbox feature is used
- proposed change works

[1]:
https://lists.ubuntu.com/archives/ubuntu-server/2018-September/007740.html
[2]:
https://lists.ubuntu.com/archives/ubuntu-devel/2018-September/040483.html
[3]:
https://lists.ubuntu.com/archives/ubuntu-server/2018-September/007741.html


> The bug report to coordinate the effort:
> https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1789551
> The package repository:
> https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3395
>
> You may need to set seccomp_sandbox = 1 in your /etc/libvirt/qemu.conf
> and restart the libvirt service and any running VMs.
>
> Some errors may be difficult to spot. Some kernels will report seccomp
> denials to dmesg or auditd and some kernels will not report anything.
>
> Thanks


-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
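Seccomp filters are installed per thread, which is why a filter that is only loaded in qemu's main thread leaves the other threads unprotected and why a quiet dmesg proves nothing. As an added example (not part of this thread, nor code from the qemu or libvirt packages), the following POSIX shell script reads the "Seccomp:" field of every thread under /proc/<pid>/task/*/status (0 = disabled, 1 = strict, 2 = filter) so a tester can confirm that the filter is present on all threads of a running qemu after installing the PPA package and setting seccomp_sandbox = 1. The PROC_ROOT override and the pgrep pattern in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Check that every thread of a process carries a seccomp filter.
# Reads /proc/<pid>/task/*/status and inspects the "Seccomp:" field:
#   0 = disabled, 1 = strict, 2 = filter (what libseccomp installs).
# PROC_ROOT is an assumed override so the check can be run against a
# constructed /proc-like tree; on a real host leave it unset.

PROC_ROOT="${PROC_ROOT:-/proc}"

# seccomp_mode_of_task TASKDIR
# Prints the Seccomp mode of one thread, or "?" if the kernel does not
# expose the field (pre-3.8 kernels).
seccomp_mode_of_task() {
    awk '/^Seccomp:/ { print $2; found = 1 }
         END { if (!found) print "?" }' "$1/status"
}

# check_threads PID
# Prints "tid mode" for every thread of PID and returns 0 only if all
# of them are in filter mode (2); any thread without a filter gives 1.
check_threads() {
    pid="$1"
    rc=0
    for t in "$PROC_ROOT/$pid/task"/*; do
        [ -d "$t" ] || continue
        mode=$(seccomp_mode_of_task "$t")
        printf '%s %s\n' "$(basename "$t")" "$mode"
        [ "$mode" = "2" ] || rc=1
    done
    return $rc
}

# Usage on a live host (assumed process name; adjust for your arch):
#   check_threads "$(pgrep -n qemu-system-x86_64)" && echo "all threads filtered"
```

Run it before and after installing the package from the PPA: with the old package only the main thread should report mode 2; with the fixed package every vCPU and I/O thread should. A "?" in the output means the kernel does not report the mode at all, so the result is inconclusive rather than negative.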