seccomp: add elevateprivileges argument to command line

This patch introduces the new argument [,elevateprivileges=allow|deny|children] to the `-sandbox on'. It allows or denies Qemu process to elevate its privileges by blacklisting all set*uid|gid system calls. The 'children' option will let forks and execves run unprivileged. Signed-off-by: Eduardo Otubo <otubo@redhat.com>
2025-08-04 00:03:54 -06:00 · 2017-03-13 22:13:27 +01:00 · 2017-03-13 22:13:27 +01:00 · 73a1e64725
commit 73a1e64725
parent 2b716fa6d6
4 changed files with 48 additions and 3 deletions
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@ -67,6 +67,17 @@ static const struct QemuSeccompSyscall blacklist[] = {
    { SCMP_SYS(sysfs),                  QEMU_SECCOMP_SET_OBSOLETE },
    { SCMP_SYS(uselib),                 QEMU_SECCOMP_SET_OBSOLETE },
    { SCMP_SYS(ustat),                  QEMU_SECCOMP_SET_OBSOLETE },
+    /* privileged */
+    { SCMP_SYS(setuid),                 QEMU_SECCOMP_SET_PRIVILEGED },
+    { SCMP_SYS(setgid),                 QEMU_SECCOMP_SET_PRIVILEGED },
+    { SCMP_SYS(setpgid),                QEMU_SECCOMP_SET_PRIVILEGED },
+    { SCMP_SYS(setsid),                 QEMU_SECCOMP_SET_PRIVILEGED },
+    { SCMP_SYS(setreuid),               QEMU_SECCOMP_SET_PRIVILEGED },
+    { SCMP_SYS(setregid),               QEMU_SECCOMP_SET_PRIVILEGED },
+    { SCMP_SYS(setresuid),              QEMU_SECCOMP_SET_PRIVILEGED },
+    { SCMP_SYS(setresgid),              QEMU_SECCOMP_SET_PRIVILEGED },
+    { SCMP_SYS(setfsuid),               QEMU_SECCOMP_SET_PRIVILEGED },
+    { SCMP_SYS(setfsgid),               QEMU_SECCOMP_SET_PRIVILEGED },
 };