Re: [Qemu-stable] [Qemu-devel] [PATCH] seccomp: add the asynchronous I/O syscalls to the whitelist

[Paul Moore]

On Wednesday, July 10, 2013 10:02:55 PM Andreas Färber wrote:
> Am 10.07.2013 16:31, schrieb Paul Moore:
> > On Wednesday, May 29, 2013 04:30:01 PM Paul Moore wrote:
> >> In order to enable the asynchronous I/O functionality when using the
> >> seccomp sandbox we need to add the associated syscalls to the
> >> whitelist.
> >> 
> >> Signed-off-by: Paul Moore <address@hidden>
> >> ---
> >> 
> >>  qemu-seccomp.c |    5 ++++-
> >>  1 file changed, 4 insertions(+), 1 deletion(-)
> >> 
> >> diff --git a/qemu-seccomp.c b/qemu-seccomp.c
> >> index 031da1d..ca123bf 100644
> >> --- a/qemu-seccomp.c
> >> +++ b/qemu-seccomp.c
> >> @@ -87,6 +87,7 @@ static const struct QemuSeccompSyscall
> >> seccomp_whitelist[] = { { SCMP_SYS(stat), 245 },
> >> 
> >>      { SCMP_SYS(uname), 245 },
> >>      { SCMP_SYS(eventfd2), 245 },
> >> 
> >> +    { SCMP_SYS(io_getevents), 245 },
> >> 
> >>      { SCMP_SYS(dup), 245 },
> >>      { SCMP_SYS(dup2), 245 },
> >>      { SCMP_SYS(dup3), 245 },
> >> 
> >> @@ -229,7 +230,9 @@ static const struct QemuSeccompSyscall
> >> seccomp_whitelist[] = { { SCMP_SYS(sendmmsg), 241 },
> >> 
> >>      { SCMP_SYS(recvmmsg), 241 },
> >>      { SCMP_SYS(prlimit64), 241 },
> >> 
> >> -    { SCMP_SYS(waitid), 241 }
> >> +    { SCMP_SYS(waitid), 241 },
> >> +    { SCMP_SYS(io_setup), 241 },
> >> +    { SCMP_SYS(io_destroy), 241 }
> >> 
> >>  };
> >>  
> >>  int seccomp_start(void)
> > 
> > Any reason this patch wasn't pulled in for 1.5.1?
> 
> Yes: You forget to put a line Cc: address@hidden into the commit
> message nor was it ever CC'ed while on the list. ;)

You learn something new everyday, thanks.

Can I assume this will make it into 1.5.2 now?

-- 
paul moore
security and virtualization @ redhat