On Thu, Sep 6, 2018 at 8:20 PM Seth Arnold <[email protected]> wrote:
> Hello,
>
> Jann Horn has discovered that qemu's seccomp blacklist is not properly
> applied to all threads. This means the security hardening is nearly
> useless.
>
> We'd like to fix this issue so the users who opt-in to the seccomp
> filtering will get the benefits they expect. However, this change feels
> like it brings more than the usual amount of regression risk, so we'd like
> to call for tests from the wider community.
>
> If you're in a position to try an updated qemu package on 18.04 LTS,
> we'd like to hear your results.

Hi Seth,
after none of us sent the mail it seems now we both did :-)
So let me add some references here FYI.

I had already sent the same at [1][2].
We had one reply [3] so far with a TL;DR of:
- yes, sandbox feature is used
- proposed change works

[1]: https://lists.ubuntu.com/archives/ubuntu-server/2018-September/007740.html
[2]: https://lists.ubuntu.com/archives/ubuntu-devel/2018-September/040483.html
[3]: https://lists.ubuntu.com/archives/ubuntu-server/2018-September/007741.html

> The bug report to coordinate the effort:
> https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1789551
> The package repository:
> https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3395
>
> You may need to set seccomp_sandbox = 1 in your /etc/libvirt/qemu.conf
> and restart the libvirt service and any running VMs.
>
> Some errors may be difficult to spot. Some kernels will report seccomp
> denials to dmesg or auditd and some kernels will not report anything.
>
> Thanks
> --
> ubuntu-devel mailing list
> [email protected]
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
>

--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
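Added example, not part of the thread and not qemu or libvirt code: a small per-thread check for testers who want to confirm the fix rather than wait for a denial to show up in dmesg or auditd. It relies only on the "Seccomp:" field the Linux kernel exposes in /proc/<pid>/task/<tid>/status (0 = disabled, 1 = strict, 2 = filter); a qemu process with the sandbox correctly applied should report mode 2 on every thread, and any thread reporting 0 is exactly the gap the report describes. The /proc tree under `build_fake_proc` and the pids in `demo_constructed` are constructed for an offline run; against a real VM you would call `thread_seccomp_modes` with the qemu pid (as root).

```python
# Added example (not from the thread): report, per thread, which seccomp
# mode a running process is in, by reading the "Seccomp:" field the kernel
# exposes in /proc/<pid>/task/<tid>/status (0 = disabled, 1 = strict,
# 2 = filter). Assumes Linux >= 3.8, where that field exists.
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}
FILTER_MODE = 2


def parse_seccomp_mode(status_text: str) -> Optional[int]:
    """Extract the integer after 'Seccomp:' from a /proc/.../status file.
    Returns None on kernels that do not expose the field."""
    for line in status_text.splitlines():
        if line.startswith("Seccomp:"):
            return int(line.split(":", 1)[1].strip())
    return None


def thread_seccomp_modes(pid: int, proc_root: str = "/proc") -> Dict[int, int]:
    """Map every thread id of `pid` to its seccomp mode."""
    task_dir = Path(proc_root) / str(pid) / "task"
    modes: Dict[int, int] = {}
    for tid_dir in sorted(task_dir.iterdir()):
        try:
            text = (tid_dir / "status").read_text()
        except FileNotFoundError:
            continue  # thread exited while we were enumerating
        mode = parse_seccomp_mode(text)
        if mode is not None:
            modes[int(tid_dir.name)] = mode
    return modes


def unfiltered_threads(modes: Dict[int, int]) -> List[int]:
    """Thread ids that are NOT in filter mode. A non-empty list means the
    sandbox is incomplete, which is the condition the thread describes."""
    return sorted(tid for tid, mode in modes.items() if mode != FILTER_MODE)


def build_fake_proc(root: str, pid: int, modes: Dict[int, int]) -> None:
    """Write a constructed /proc-style tree so the check can be exercised
    offline; the status content is minimal but uses the real field name."""
    for tid, mode in modes.items():
        tid_dir = Path(root) / str(pid) / "task" / str(tid)
        tid_dir.mkdir(parents=True)
        (tid_dir / "status").write_text(
            f"Name:\tqemu-system-x86\nPid:\t{pid}\nSeccomp:\t{mode}\n"
        )


def demo_constructed() -> List[int]:
    """Constructed scenario (pids are made up): main thread and one worker
    sandboxed, one worker created before the filter was installed (mode 0)."""
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root, pid=4242, modes={4242: 2, 4243: 0, 4244: 2})
        return unfiltered_threads(thread_seccomp_modes(4242, proc_root=root))


if __name__ == "__main__":
    print("constructed case, unfiltered tids:", demo_constructed())
    # Live check of this interpreter: every thread should show the same mode.
    live = thread_seccomp_modes(os.getpid())
    print("this process:", {t: SECCOMP_MODES.get(m, m) for t, m in live.items()})
```

For a real test, start the VM with seccomp_sandbox = 1 as described above, take the qemu pid (for example from `pgrep -f qemu-system`), and run `unfiltered_threads(thread_seccomp_modes(pid))`: an empty list is the expected result with the fixed package, and any listed tids are worth attaching to the bug report alongside whatever dmesg or auditd shows.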
