qemu-devel

Re: [Qemu-devel] [PATCH] seccomp: add kill() to the syscall whitelist


From: Eduardo Otubo
Subject: Re: [Qemu-devel] [PATCH] seccomp: add kill() to the syscall whitelist
Date: Thu, 21 Nov 2013 14:40:48 -0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130912 Thunderbird/17.0.9



On 11/21/2013 01:40 PM, Paul Moore wrote:
The kill() syscall is triggered with the following command:

  # qemu -sandbox on -monitor stdio \
         -device intel-hda -device hda-duplex -vnc :0

The resulting syslog/audit message:

  # ausearch -m SECCOMP
  ----
  time->Wed Nov 20 09:52:08 2013
  type=SECCOMP msg=audit(1384912328.482:6656): auid=0 uid=0 gid=0 ses=854
   subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=12087
   comm="qemu-kvm" sig=31 syscall=62 compat=0 ip=0x7f7a1d2abc67 code=0x0
  # scmp_sys_resolver 62
  kill

Reported-by: CongLi <address@hidden>
Tested-by: CongLi <address@hidden>
Signed-off-by: Paul Moore <address@hidden>
---
  qemu-seccomp.c |    1 +
  1 file changed, 1 insertion(+)

diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 69cee44..cf07869 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -114,6 +114,7 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] 
= {
      { SCMP_SYS(write), 244 },
      { SCMP_SYS(fcntl), 243 },
      { SCMP_SYS(tgkill), 242 },
+    { SCMP_SYS(kill), 242 },
      { SCMP_SYS(rt_sigaction), 242 },
      { SCMP_SYS(pipe2), 242 },
      { SCMP_SYS(munmap), 242 },
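Review bot: the whitelist table carries only a syscall name and a priority, so this entry admits kill() with any target pid and any signal, while the commit message only shows that the audio device path (-device intel-hda -device hda-duplex) trips the filter; either restrict the rule to the process's own pid, or state in the commit message why an unrestricted kill() is acceptable under -sandbox on. The commit message also gives the audit record and resolves syscall 62 to kill, but not which QEMU or backend-library code issues the call; naming the caller would let the next reviewer judge whether a whitelist entry is the right fix. Priority 242 matches the neighbouring tgkill and rt_sigaction entries, which looks consistent.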


ACK, Reviewed and tested.
(I'll send a pull request tomorrow EOD)

Reviewed-by: Eduardo Otubo <address@hidden>

--
Eduardo Otubo
IBM Linux Technology Center
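The patch above whitelists kill() unconditionally because QEMU's table only pairs a syscall with a priority. The following added example, which is not QEMU code and not part of this thread, shows the narrower rule a reviewer would ask about: a raw seccomp-BPF filter (no libseccomp) that lets every other syscall through but allows kill() only when its first argument is the calling process's own pid, and terminates the process with SIGSYS otherwise. It assumes a little-endian x86_64 or aarch64 Linux host, since it reads the low 32 bits of args[0]; the function names build_kill_filter, install_kill_filter and probe_kill_under_filter are this example's own. With libseccomp the equivalent rule would be a seccomp_rule_add() call comparing argument 0 to getpid() with SCMP_A0(SCMP_CMP_EQ, ...).

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U  /* pre-4.14 headers: masks to RET_KILL */
#endif

#if defined(__x86_64__)
#define OUR_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define OUR_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Build a filter: allow everything except kill(2), which is allowed only when
 * args[0] (the target pid) equals self_pid. Writes into prog (needs >= 9 slots)
 * and returns the number of instructions. Assumes little-endian so the low
 * 32 bits of the 64-bit args[0] sit at offsetof(args[0]). */
static size_t build_kill_filter(struct sock_filter *prog, pid_t self_pid)
{
    struct sock_filter f[] = {
        /* 0-2: refuse a foreign ABI (the audit record above shows compat=0) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, OUR_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* 3-4: load the syscall number; anything but kill() jumps to ALLOW (7) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_kill, 0, 2),
        /* 5-6: kill(): compare the target pid with our own pid */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)self_pid, 0, 1),
        /* 7: allow, 8: kill the process with SIGSYS */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    };
    size_t n = sizeof(f) / sizeof(f[0]);
    for (size_t i = 0; i < n; i++) {
        prog[i] = f[i];
    }
    return n;
}

/* Install the filter in the calling process. NO_NEW_PRIVS is required to load
 * a seccomp filter without CAP_SYS_ADMIN. Returns 0 on success. */
static int install_kill_filter(void)
{
    struct sock_filter prog[16];
    struct sock_fprog fprog;
    fprog.len = (unsigned short)build_kill_filter(prog, getpid());
    fprog.filter = prog;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
        return -1;
    }
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Fork a child that installs the filter and then calls kill(target, 0).
 * target_self != 0 probes the child's own pid (must be allowed); otherwise it
 * probes pid 1 (must trip the filter). Returns 0 if the child exited with
 * status 0, the terminating signal number if it was killed, -1 on error. */
static int probe_kill_under_filter(int target_self)
{
    int status;
    pid_t child = fork();
    if (child < 0) {
        return -1;
    }
    if (child == 0) {
        pid_t target = target_self ? getpid() : 1;
        if (install_kill_filter() != 0) {
            _exit(2);
        }
        kill(target, 0);  /* signal 0: a permission probe, nothing is delivered */
        _exit(0);
    }
    if (waitpid(child, &status, 0) != child) {
        return -1;
    }
    if (WIFEXITED(status)) {
        return WEXITSTATUS(status) == 0 ? 0 : -1;
    }
    if (WIFSIGNALED(status)) {
        return WTERMSIG(status);
    }
    return -1;
}

int main(void)
{
    printf("kill(self, 0) under filter -> %d (0 = allowed)\n", probe_kill_under_filter(1));
    printf("kill(1, 0)    under filter -> %d (%d = SIGSYS)\n", probe_kill_under_filter(0), SIGSYS);
    return 0;
}
```

The signal number the filtered child dies with is SIGSYS, 31 on x86_64, which is the sig=31 field in the ausearch output quoted above; the kernel emits the same SECCOMP audit record for this filter as it did for QEMU's, so the ausearch/scmp_sys_resolver steps in the commit message apply unchanged when tuning a rule like this one.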



