From patchwork Thu Aug 23 14:52:27 2018
X-Patchwork-Submitter: Eduardo Otubo
X-Patchwork-Id: 10574237
From: Eduardo Otubo
To: qemu-devel@nongnu.org
Cc: pmoore@redhat.com, peter.maydell@linaro.org, marcandre.lureau@redhat.com
Date: Thu, 23 Aug 2018 16:52:27 +0200
Message-Id: <20180823145230.13183-2-otubo@redhat.com>
In-Reply-To: <20180823145230.13183-1-otubo@redhat.com>
References: <20180823145230.13183-1-otubo@redhat.com>
Subject: [Qemu-devel] [PULL 1/4] seccomp: use SIGSYS signal instead of killing the thread

From: Marc-André Lureau

The seccomp action SCMP_ACT_KILL results in immediate termination of
the thread that made the bad system call. However, qemu being
multi-threaded, it keeps running. There is no easy way for parent
process / management layer (libvirt) to know about that situation.

Instead, the default SIGSYS handler when invoked with SCMP_ACT_TRAP
will terminate the program and core dump.

This may not be the most secure solution, but probably better than
just killing the offending thread. SCMP_ACT_KILL_PROCESS has been
added in Linux 4.14 to improve the situation, which I propose to use
by default if available in the next patch.

Related to:
https://bugzilla.redhat.com/show_bug.cgi?id=1594456

Signed-off-by: Marc-André Lureau
Reviewed-by: Daniel P. Berrangé
Acked-by: Eduardo Otubo
--- qemu-seccomp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qemu-seccomp.c b/qemu-seccomp.c index 9cd8eb9499..b117a92559 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c
@@ -125,7 +125,7 @@ static int seccomp_start(uint32_t seccomp_opts) continue; } - rc = seccomp_rule_add_array(ctx, SCMP_ACT_KILL, blacklist[i].num, + rc = seccomp_rule_add_array(ctx, SCMP_ACT_TRAP, blacklist[i].num, blacklist[i].narg, blacklist[i].arg_cmp); if (rc < 0) { goto seccomp_return;

From patchwork Thu Aug 23 14:52:28 2018
X-Patchwork-Submitter: Eduardo Otubo
X-Patchwork-Id: 10574267
From: Eduardo Otubo
To: qemu-devel@nongnu.org
Cc: pmoore@redhat.com, peter.maydell@linaro.org, marcandre.lureau@redhat.com
Date: Thu, 23 Aug 2018 16:52:28 +0200
Message-Id: <20180823145230.13183-3-otubo@redhat.com>
In-Reply-To: <20180823145230.13183-1-otubo@redhat.com>
References: <20180823145230.13183-1-otubo@redhat.com>
Subject: [Qemu-devel] [PULL 2/4] seccomp: prefer SCMP_ACT_KILL_PROCESS if available

From: Marc-André Lureau

The upcoming libseccomp release should have SCMP_ACT_KILL_PROCESS
action (https://github.com/seccomp/libseccomp/issues/96).

SCMP_ACT_KILL_PROCESS is preferable to immediately terminate the
offending process, rather than having the SIGSYS handler running.

Use SECCOMP_GET_ACTION_AVAIL to check availability of kernel support,
as libseccomp will fall back on SCMP_ACT_KILL otherwise, and we still
prefer SCMP_ACT_TRAP.

Signed-off-by: Marc-André Lureau
Reviewed-by: Daniel P. Berrangé
Acked-by: Eduardo Otubo
--- qemu-seccomp.c | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/qemu-seccomp.c b/qemu-seccomp.c index b117a92559..f0c833f3ca 100644
--- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -20,6 +20,7 @@ #include #include #include "sysemu/seccomp.h" +#include /* For some architectures (notably ARM) cacheflush is not supported until * libseccomp 2.2.3, but configure enforces that we are using a more recent @@ -107,12 +108,40 @@ static const struct QemuSeccompSyscall blacklist[] = { { SCMP_SYS(sched_get_priority_min), QEMU_SECCOMP_SET_RESOURCECTL }, }; +static inline __attribute__((unused)) int +qemu_seccomp(unsigned int operation, unsigned int flags, void *args) +{ +#ifdef __NR_seccomp + return syscall(__NR_seccomp, operation, flags, args); +#else + errno = ENOSYS; + return -1; +#endif +} + +static uint32_t qemu_seccomp_get_kill_action(void) +{ +#if defined(SECCOMP_GET_ACTION_AVAIL) && defined(SCMP_ACT_KILL_PROCESS) && \ + defined(SECCOMP_RET_KILL_PROCESS) + { + uint32_t action = SECCOMP_RET_KILL_PROCESS; + + if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) { + return SCMP_ACT_KILL_PROCESS; + } + } +#endif + + return SCMP_ACT_TRAP; +} + static int seccomp_start(uint32_t seccomp_opts) { int rc = 0; unsigned int i = 0; scmp_filter_ctx ctx; + uint32_t action = qemu_seccomp_get_kill_action(); ctx = seccomp_init(SCMP_ACT_ALLOW); if (ctx == NULL) { 
@@ -125,7 +154,7 @@ static int seccomp_start(uint32_t seccomp_opts) continue; } - rc = seccomp_rule_add_array(ctx, SCMP_ACT_TRAP, blacklist[i].num, + rc = seccomp_rule_add_array(ctx, action, blacklist[i].num, blacklist[i].narg, blacklist[i].arg_cmp); if (rc < 0) { goto seccomp_return;

From patchwork Thu Aug 23 14:52:29 2018
X-Patchwork-Submitter: Eduardo Otubo
X-Patchwork-Id: 10574297
From: Eduardo Otubo
To: qemu-devel@nongnu.org
Cc: pmoore@redhat.com, peter.maydell@linaro.org, marcandre.lureau@redhat.com
Date: Thu, 23 Aug 2018 16:52:29 +0200
Message-Id: <20180823145230.13183-4-otubo@redhat.com>
In-Reply-To: <20180823145230.13183-1-otubo@redhat.com>
References: <20180823145230.13183-1-otubo@redhat.com>
Subject: [Qemu-devel] [PULL 3/4] configure: require libseccomp 2.2.0

From: Marc-André Lureau

The following patch is going to require TSYNC, which is only
available since libseccomp 2.2.0.

libseccomp 2.2.0 was released February 12, 2015.

According to repology, libseccomp version in different distros:

  RHEL-7: 2.3.1
  Debian (Stretch): 2.3.1
  OpenSUSE Leap 15: 2.3.2
  Ubuntu (Xenial): 2.3.1

This will drop support for -sandbox on:

  Debian (Jessie): 2.1.1 (but 2.2.3 in backports)

Signed-off-by: Marc-André Lureau
Acked-by: Eduardo Otubo
--- configure | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/configure b/configure index e7bddc04b0..5fc2915096 100755 --- a/configure +++ b/configure
@@ -2228,13 +2228,10 @@ fi ########################################## # libseccomp check +libseccomp_minver="2.2.0" if test "$seccomp" != "no" ; then case "$cpu" in - i386|x86_64) - libseccomp_minver="2.1.0" - ;; - mips) - libseccomp_minver="2.2.0" + i386|x86_64|mips) ;; arm|aarch64) libseccomp_minver="2.2.3"

From patchwork Thu Aug 23 14:52:30 2018
X-Patchwork-Submitter: Eduardo Otubo
X-Patchwork-Id: 10574271
From: Eduardo Otubo
To: qemu-devel@nongnu.org
Cc: pmoore@redhat.com, peter.maydell@linaro.org, marcandre.lureau@redhat.com
Date: Thu, 23 Aug 2018 16:52:30 +0200
Message-Id: <20180823145230.13183-5-otubo@redhat.com>
In-Reply-To: <20180823145230.13183-1-otubo@redhat.com>
References: <20180823145230.13183-1-otubo@redhat.com>
Subject: [Qemu-devel] [PULL 4/4] seccomp: set the seccomp filter to all threads

From: Marc-André Lureau

When using "-seccomp on", the seccomp policy is only applied to the
main thread, the vcpu worker thread and other worker threads created
after seccomp policy is applied; the seccomp policy is not applied to
e.g. the RCU thread because it is created before the seccomp policy is
applied and SECCOMP_FILTER_FLAG_TSYNC isn't used.

This can be verified with

  for task in /proc/`pidof qemu`/task/*; do cat $task/status | grep Secc ; done
  Seccomp: 2
  Seccomp: 0
  Seccomp: 0
  Seccomp: 2
  Seccomp: 2
  Seccomp: 2

Starting with libseccomp 2.2.0 and kernel >= 3.17, we can use
seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1) to update the policy
on all threads.

libseccomp requirement was bumped to 2.2.0 in previous patch.
libseccomp should fail to set the filter if it can't honour
SCMP_FLTATR_CTL_TSYNC (untested), and thus -sandbox will now fail on
kernel < 3.17.

Signed-off-by: Marc-André Lureau
Acked-by: Eduardo Otubo
--- qemu-seccomp.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/qemu-seccomp.c b/qemu-seccomp.c index f0c833f3ca..4729eb107f 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -149,6 +149,11 @@ static int seccomp_start(uint32_t seccomp_opts) goto seccomp_return; } + rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1); + if (rc != 0) { + goto seccomp_return; + } + for (i = 0; i < ARRAY_SIZE(blacklist); i++) { if (!(seccomp_opts & blacklist[i].set)) { continue;
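
Review bot: In PULL 1/4, the seccomp_rule_add_array() call now passes SCMP_ACT_TRAP, which ends the process only while SIGSYS keeps its default disposition, and nothing in the hunk enforces or documents that dependency. The commit message relies on "the default SIGSYS handler", so a comment at this call site saying that no SIGSYS handler may be installed, or an explicit reset of SIGSYS to SIG_DFL in seccomp_start() before the filter is loaded, would keep a later change elsewhere in the process from silently turning a blocked syscall into a handled signal.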
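
Review bot: In PULL 2/4, qemu_seccomp_get_kill_action() returns SCMP_ACT_TRAP both when the SECCOMP_GET_ACTION_AVAIL probe fails for any reason and when the three macros are missing at build time, and neither the function nor seccomp_start() records which action was chosen. A comment on the function giving the reason from the commit message (libseccomp would otherwise fall back to SCMP_ACT_KILL) and a trace or log of the selected action would let an operator tell whether a given host enforces process kill or the SIGSYS path. The inner `{ ... }` block around `uint32_t action` inside the `#if` is also unnecessary nesting.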
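
Review bot: In PULL 3/4, the `i386|x86_64|mips)` arm of the `case "$cpu"` statement is left with an empty body and now depends on the `libseccomp_minver="2.2.0"` default assigned above the `if`. A one-line comment in that arm saying these CPUs use the default minimum would stop a later cleanup from deleting the arm as dead code and sending those CPUs to whichever arm follows.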
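
Review bot: In PULL 4/4, a failure of `seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1)` jumps straight to seccomp_return with no diagnostic of its own, so a -sandbox start-up failure on a kernel without TSYNC cannot be told apart from any other filter error. Since the commit message marks the failure path as untested, please confirm the behaviour on a kernel < 3.17 and report the cause before the `goto`. As a style point, the check is `rc != 0` while the seccomp_rule_add_array() check further down in seccomp_start() uses `rc < 0`; one convention in the function would read better.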
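
The per-thread check quoted in the PULL 4/4 commit message, turned into a reusable coverage test. This is an added example, not part of the patch series or of QEMU; the function names are made up here, and the only input assumed is the kernel's /proc/<pid>/task/<tid>/status layout.

```shell
#!/bin/sh
# Added example (not from the patch series): report threads of one process
# that are not in seccomp filter mode.
# Seccomp field in /proc/<pid>/task/<tid>/status:
#   0 = disabled, 1 = strict, 2 = filter.
# Usage: check_sandbox_coverage /proc/<pid>/task

status_field() {
    # $1 = status file, $2 = field name without the colon.
    # Fields are "Key:<TAB>value"; splitting on TAB keeps thread names that
    # contain spaces (e.g. "CPU 0/KVM") in one piece.
    awk -F '\t' -v key="$2:" '$1 == key { print $2; exit }' "$1" 2>/dev/null || :
}

unfiltered_threads() {
    # $1 = task directory.
    # Prints "tid<TAB>name<TAB>mode" for every thread whose mode is not 2.
    for status in "$1"/*/status; do
        # Skip an unmatched glob or a thread that exited during the scan.
        [ -r "$status" ] || continue
        mode=$(status_field "$status" Seccomp)
        [ "$mode" = "2" ] && continue
        tid=$(basename "$(dirname "$status")")
        name=$(status_field "$status" Name)
        printf '%s\t%s\t%s\n' "$tid" "${name:-?}" "${mode:-?}"
    done
    return 0
}

check_sandbox_coverage() {
    # Returns 0 if every thread is filtered, 1 if any thread is not, and
    # 2 if no thread could be read (wrong pid, no permission), so that an
    # uninspected process is never reported as covered.
    ls "$1"/*/status >/dev/null 2>&1 || return 2
    missing=$(unfiltered_threads "$1")
    [ -z "$missing" ] && return 0
    printf 'threads outside the seccomp filter:\n%s\n' "$missing" >&2
    return 1
}
```

Run against a QEMU started with the sandbox enabled, a return value of 1 together with a listed thread corresponds to the "Seccomp: 0" lines shown in the commit message.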