Re: [Qemu-devel] seccomp missing calls in 2.7.0?

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] seccomp missing calls in 2.7.0?

From:	Brian Rak
Subject:	Re: [Qemu-devel] seccomp missing calls in 2.7.0?
Date:	Tue, 13 Sep 2016 15:17:52 -0400
User-agent:	Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0

getrusage is used in a number of places throughout the qemu codebase(notably, in crypto/pbkdf.c).Without this syscall being whitelisted, qemu ends up getting killed bythe kernel whenever you

try to connect to a VNC console.
---
 qemu-seccomp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index cb569dc..df75d9c 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c

@@ -65,6 +65,7 @@ static const struct QemuSeccompSyscallseccomp_whitelist[] = {

     { SCMP_SYS(prctl), 245 },
     { SCMP_SYS(signalfd), 245 },
     { SCMP_SYS(getrlimit), 245 },
+    { SCMP_SYS(getrusage), 245 },
     { SCMP_SYS(set_tid_address), 245 },
     { SCMP_SYS(statfs), 245 },
     { SCMP_SYS(unlink), 245 },
--
2.8.2


On 9/13/2016 4:12 AM, Eduardo Otubo wrote:

On Wed, Sep 7, 2016 at 9:55 PM, Brian Rak <address@hidden> wrote:

--- src_clean/qemu-seccomp.c    2016-09-02 11:34:22.000000000 -0400
+++ src/qemu-seccomp.c    2016-09-06 11:28:23.189162653 -0400
@@ -65,6 +65,7 @@
      { SCMP_SYS(prctl), 245 },
      { SCMP_SYS(signalfd), 245 },
      { SCMP_SYS(getrlimit), 245 },
+    { SCMP_SYS(getrusage), 245 },
      { SCMP_SYS(set_tid_address), 245 },
      { SCMP_SYS(statfs), 245 },
      { SCMP_SYS(unlink), 245 },

Hi,

Care to send a proper commit message, stating the use case, issues, etc?

Thanks,


On 9/6/2016 12:43 PM, Eduardo Otubo wrote:

This feature is enabled by default in virt-test/avocado and yes lots of
people use it.

Please send a patch and I'll merge it.


On Tue, Sep 6, 2016, 18:41 Brian Rak <address@hidden> wrote:

I've been testing out 2.7.0 with seccomp support.  Whenever I connect to
the VNC console, the process gets killed by the kernel.  dmesg shows:

audit: type=1326 audit(1473175350.674:2): auid=0 uid=107 gid=107
ses=423110 pid=32202 comm="qemu-kvm" exe="/bin/qemu-system-x86_64"
sig=31 arch=c000003e syscall=98 compat=0 ip=0x7f2beba83477 code=0x0

syscall 98 appears to be getrusage, which does not appear in
qemu-seccomp.c.

Is seccomp a supported feature these days?  I'm guessing it does not get
a whole lot of use.

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] seccomp missing calls in 2.7.0?, Brian Rak, 2016/09/06
- Re: [Qemu-devel] seccomp missing calls in 2.7.0?, Eduardo Otubo, 2016/09/06
  - Re: [Qemu-devel] seccomp missing calls in 2.7.0?, Brian Rak, 2016/09/07
    - Re: [Qemu-devel] seccomp missing calls in 2.7.0?, Eduardo Otubo, 2016/09/13
    - Re: [Qemu-devel] seccomp missing calls in 2.7.0?, Brian Rak <=
    - Re: [Qemu-devel] seccomp missing calls in 2.7.0?, Markus Armbruster, 2016/09/19
    - Re: [Qemu-devel] seccomp missing calls in 2.7.0?, Eduardo Otubo, 2016/09/19

Prev by Date: [Qemu-devel] [Bug 889053] Re: x86: FPU_MAX, FPU_MIN incorrect
Next by Date: Re: [Qemu-devel] [PATCH v5] migrate: Move max-bandwidth and downtime-limit to migrate_set_parameter
Previous by thread: Re: [Qemu-devel] seccomp missing calls in 2.7.0?
Next by thread: Re: [Qemu-devel] seccomp missing calls in 2.7.0?
Index(es):
- Date
- Thread