qemu-devel

Re: [Qemu-devel] [PATCH] seccomp: whitelist syscalls fallocate(), fadvis


From: Eduardo Otubo
Subject: Re: [Qemu-devel] [PATCH] seccomp: whitelist syscalls fallocate(), fadvise64(), inotify_init1() and inotify_add_watch()
Date: Tue, 16 Sep 2014 15:43:04 +0200

On Fri, Sep 5, 2014 at 6:29 PM, Philipp Gesang
<address@hidden> wrote:
> fallocate() is needed for snapshotting. If it isn’t whitelisted
>
>     $ qemu-img create -f qcow2 x.qcow 1G
>     Formatting 'x.qcow', fmt=qcow2 size=1073741824 encryption=off cluster_size=65536 lazy_refcounts=off
>     $ qemu-kvm -display none -monitor stdio -sandbox on x.qcow
>     QEMU 2.1.50 monitor - type 'help' for more information
>     (qemu) savevm foo
>     (qemu) loadvm foo
>
> will fail, as will subsequent savevm commands on the same image.
>
> fadvise64(), inotify_init1(), inotify_add_watch() are needed by
> the SDL display. Without the whitelist entries,
>
>     qemu-kvm -sandbox on
>
> fails immediately.
>
> In my tests fadvise64() is called 50--51 times per VM run. That
> number seems independent of the duration of the run. fallocate(),
> inotify_init1(), inotify_add_watch() are called once each.
> Accordingly, they are added to the whitelist at a very low
> priority.

Just realized my ACK was just for you, not the list, so: ACK.
I just had some major problems last week that are still open, so I'll
try to manage a pull request ASAP. Sorry for the delay.

Thanks for the patch.

>
> Signed-off-by: Philipp Gesang <address@hidden>
> ---
>  qemu-seccomp.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/qemu-seccomp.c b/qemu-seccomp.c
> index 0503764..af6a375 100644
> --- a/qemu-seccomp.c
> +++ b/qemu-seccomp.c
> @@ -231,7 +231,11 @@ static const struct QemuSeccompSyscall 
> seccomp_whitelist[] = {
>      { SCMP_SYS(shmctl), 240 },
>      { SCMP_SYS(mlock), 240 },
>      { SCMP_SYS(munlock), 240 },
> -    { SCMP_SYS(semctl), 240 }
> +    { SCMP_SYS(semctl), 240 },
> +    { SCMP_SYS(fallocate), 240 },
> +    { SCMP_SYS(fadvise64), 240 },
> +    { SCMP_SYS(inotify_init1), 240 },
> +    { SCMP_SYS(inotify_add_watch), 240 }
>  };
>
>  int seccomp_start(void)
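Review bot: the four new rows carry no comment saying why each syscall is allowed, although the commit message ties fallocate() to savevm/loadvm on qcow2 and fadvise64(), inotify_init1() and inotify_add_watch() to the SDL display; because seccomp_whitelist[] is a single unconditional table that applies to every `-sandbox on` run whether or not SDL is the display, please annotate the entries (e.g. `{ SCMP_SYS(fallocate), 240 }, /* qcow2 snapshots */` and `/* SDL display */` beside the inotify pair) so a later audit can tell which entries a given feature depends on and prune them if that backend changes. Two smaller points: a trailing comma after the final `{ SCMP_SYS(inotify_add_watch), 240 }` row would avoid touching the previous last line again on the next addition, as this hunk has to do for `semctl`; and SCMP_SYS(fadvise64) names the 64-bit form of the syscall, so it is worth confirming it resolves on every architecture where this file is compiled, since some 32-bit ABIs only expose the fadvise64_64 variant and a rule for an unresolvable number would make filter setup fail.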
> --
> 1.9.3
>



-- 
Eduardo Otubo
ProfitBricks
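As an added example (not part of the patch, the thread or QEMU's own code), here is the check that stands behind a patch like this one: take the per-syscall call counts from `strace -f -c` of an unsandboxed run, compare them with the `{ SCMP_SYS(name), prio }` rows of qemu-seccomp.c, and print candidate whitelist rows for anything observed but not yet allowed, with a priority picked from the call count in the same spirit as the commit message (rarely called syscalls go in at the floor value 240). It generalises beyond the four syscalls in the patch to any trace. The strace summary, the whitelist excerpt, the extra `mincore` row (there only to exercise the optional errors column) and the priority bands are all constructed assumptions of this example, not QEMU policy or real captures.

```python
"""Cross-check syscalls observed in a QEMU run against a seccomp whitelist.

Added example, not QEMU code. Input formats assumed: the summary table that
`strace -f -c` prints, and the `{ SCMP_SYS(name), prio }, ` rows of
qemu-seccomp.c's seccomp_whitelist[] table.
"""
import re
from collections import Counter

# Constructed sample of an `strace -f -c` summary (not a real capture).
# Columns: % time, seconds, usecs/call, calls, errors (optional), syscall.
SAMPLE_STRACE_SUMMARY = """\
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 60.12    0.120000          12     10000           ioctl
 20.05    0.040000          10      4000           read
  5.01    0.010000          10      1000           write
  1.00    0.002000          40        51           fadvise64
  0.10    0.000200         200         1           fallocate
  0.05    0.000100         100         1           inotify_init1
  0.05    0.000100         100         1           inotify_add_watch
  0.01    0.000050          50         1         1 mincore
------ ----------- ----------- --------- --------- ----------------
100.00    0.172450                 15055         1 total
"""

# Constructed excerpt in the shape of qemu-seccomp.c's table (before the patch).
SAMPLE_WHITELIST_SOURCE = """\
static const struct QemuSeccompSyscall seccomp_whitelist[] = {
    { SCMP_SYS(read), 255 },
    { SCMP_SYS(write), 255 },
    { SCMP_SYS(ioctl), 245 },
    { SCMP_SYS(shmctl), 240 },
    { SCMP_SYS(mlock), 240 },
    { SCMP_SYS(munlock), 240 },
    { SCMP_SYS(semctl), 240 }
};
"""

# One data row of the strace summary; the errors column may be absent.
STRACE_ROW = re.compile(
    r"^\s*[\d.]+\s+[\d.]+\s+\d+\s+(\d+)\s+(?:\d+\s+)?([a-z_0-9]+)\s*$")
# One whitelist entry: SCMP_SYS(name), priority.
WHITELIST_ROW = re.compile(r"SCMP_SYS\((\w+)\)\s*,\s*(\d+)")


def parse_strace_summary(text):
    """Return {syscall: call_count} from an `strace -c` summary table."""
    counts = Counter()
    for line in text.splitlines():
        m = STRACE_ROW.match(line)
        if m and m.group(2) != "total":   # skip the footer row
            counts[m.group(2)] += int(m.group(1))
    return dict(counts)


def parse_whitelist(source):
    """Return {syscall: priority} from a qemu-seccomp.c style table."""
    return {name: int(prio) for name, prio in WHITELIST_ROW.findall(source)}


def suggest_priority(calls):
    """Heuristic band (an assumption of this example, not QEMU policy).

    libseccomp priorities run 0-255 and higher values are placed earlier in
    the filter; QEMU's table uses 255 down to 240. A syscall seen fewer than
    100 times in a whole run gets the floor, which is the reasoning the
    commit message applies to fadvise64() at ~50 calls per run.
    """
    if calls >= 10000:
        return 255
    if calls >= 1000:
        return 250
    if calls >= 100:
        return 245
    return 240


def missing_from_whitelist(observed, whitelist):
    """Syscalls seen in the trace but absent from the whitelist, as
    (name, suggested_priority) pairs sorted hot-first, then by name."""
    missing = {name: suggest_priority(n)
               for name, n in observed.items() if name not in whitelist}
    return sorted(missing.items(), key=lambda kv: (-kv[1], kv[0]))


def whitelist_rows(missing):
    """Render candidate rows in the format of seccomp_whitelist[]."""
    return ["    { SCMP_SYS(%s), %d }," % (name, prio) for name, prio in missing]


if __name__ == "__main__":
    observed = parse_strace_summary(SAMPLE_STRACE_SUMMARY)
    allowed = parse_whitelist(SAMPLE_WHITELIST_SOURCE)
    for row in whitelist_rows(missing_from_whitelist(observed, allowed)):
        print(row)
```

Gather the trace with the sandbox off (`strace -f -c -o trace.txt qemu-system-x86_64 -sandbox off ...`) and exercise the features you care about, such as savevm/loadvm and the SDL display; with `-sandbox on` the summary stops at the first filtered syscall and tells you only about the one that killed the process. The names strace prints follow the traced architecture, so a row it reports must also be checked against what SCMP_SYS() resolves to on that architecture before it goes into the table.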


