Hello,

Jann Horn has discovered that qemu's seccomp blacklist is not properly applied to all threads. This means the security hardening is nearly useless.

We'd like to fix this issue so the users who opt-in to the seccomp filtering will get the benefits they expect. However, this change feels like it brings more than the usual amount of regression risk, so we'd like to call for tests from the wider community. If you're in a position to try an updated qemu package on 18.04 LTS, we'd like to hear your results.

The bug report to coordinate the effort:
https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1789551

The package repository:
https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3395

You may need to set seccomp_sandbox = 1 in your /etc/libvirt/qemu.conf and restart the libvirt service and any running VMs.

Some errors may be difficult to spot. Some kernels will report seccomp denials to dmesg or auditd and some kernels will not report anything.

Thanks
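A quick way for testers to confirm that the fix took effect on their host, as an added example that is not part of the original mail or of the qemu package: the kernel records each thread's seccomp mode in /proc/<pid>/task/<tid>/status ("Seccomp: 0" none, "1" strict, "2" filter), so after setting seccomp_sandbox = 1 and restarting the guests, every thread of every qemu process should show mode 2. The script below lists any thread that does not. It assumes a Linux /proc layout and that pgrep is installed; the optional PROCROOT argument is a hypothetical override used only so the check can be exercised against a constructed directory tree.

```sh
#!/bin/sh
# Added example (not from the original mail): after enabling seccomp_sandbox = 1
# and restarting the guests, confirm that the filter reached every thread of
# each qemu process, not only the thread that installed it.  The kernel exposes
# the per-thread mode in /proc/<pid>/task/<tid>/status as
# "Seccomp: 0" (none), "Seccomp: 1" (strict) or "Seccomp: 2" (filter).
# Assumes a Linux /proc layout; PROCROOT is a hypothetical override for testing.

# seccomp_mode STATUSFILE: print the Seccomp mode recorded in a status file,
# or "unknown" when the line is absent (e.g. kernels built without seccomp).
seccomp_mode() {
    awk '/^Seccomp:/ { print $2; found = 1 } END { if (!found) print "unknown" }' "$1"
}

# threads_without_filter PID [PROCROOT]: print "<tid> <mode>" for every thread
# of PID whose mode is not 2 (filter).  Returns 0 when all threads are filtered,
# 1 when at least one thread runs without the filter.
threads_without_filter() {
    pid=$1
    root=${2:-/proc}
    rc=0
    for task in "$root/$pid/task"/*; do
        [ -f "$task/status" ] || continue
        tid=${task##*/}
        mode=$(seccomp_mode "$task/status")
        if [ "$mode" != 2 ]; then
            printf '%s %s\n' "$tid" "$mode"
            rc=1
        fi
    done
    return $rc
}

# check_all_qemu: run the check over every qemu-system-* process on the host.
# Any "<tid> <mode>" line printed is a thread still running without the filter.
check_all_qemu() {
    status=0
    for pid in $(pgrep qemu-system 2>/dev/null); do
        echo "qemu pid $pid:"
        threads_without_filter "$pid" || status=1
    done
    return $status
}

# Usage: sh check-qemu-seccomp.sh --check   (exit status 1 if any thread is unfiltered)
if [ "${1:-}" = "--check" ]; then
    check_all_qemu
fi
```

Run it once before and once after installing the test package: on an affected build the unfiltered threads are the ones qemu created after the filter was installed, so a VM with several vCPUs is the easiest way to see the difference.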
-- ubuntu-devel mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
