Re: [Qemu-devel] [PATCH] linux-user: return EINVAL from prctl(PR_*_SECCOMP)

[James Cowgill]

Hi,

On 03/11/17 14:29, Laurent Vivier wrote:
> Le 03/11/2017 à 13:07, James Cowgill a écrit :
>> If an application tries to install a seccomp filter using
>> prctl(PR_SET_SECCOMP), the filter is likely for the target instead of the 
>> host
>> architecture. This will probably cause qemu to be immediately killed when it
>> executes another syscall.
>>
>> Prevent this from happening by returning EINVAL from both seccomp prctl
>> calls. This is the error returned by the kernel when seccomp support is
>> disabled.
>>
>> Fixes: https://bugs.launchpad.net/qemu/+bug/1726394
>> Signed-off-by: James Cowgill <address@hidden>
>> ---
>>  linux-user/syscall.c | 4 ++++
>>  1 file changed, 4 insertions(+)
>>
>> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
>> index d4497dec5d..43cd5fb2bb 100644
>> --- a/linux-user/syscall.c
>> +++ b/linux-user/syscall.c
>> @@ -10482,6 +10482,10 @@ abi_long do_syscall(void *cpu_env, int num, 
>> abi_long arg1,
>>              break;
>>          }
>>  #endif
>> +        case PR_GET_SECCOMP:
>> +        case PR_SET_SECCOMP:
>> +            ret = -TARGET_EINVAL;
>> +            break;
>>          default:
>>              /* Most prctl options have no pointer arguments */
>>              ret = get_errno(prctl(arg1, arg2, arg3, arg4, arg5));
>>
> 
> I think we should allow PR_GET_SECCOMP, and at least all the modes
> except SECCOMP_MODE_FILTER for PR_SET_SECCOMP.

I tried allowing SECCOMP_MODE_STRICT and made a small test program. It
seems that qemu is SIGKILLed when _exit is used because qemu itself
tries to call rt_sigprocmask which is not an allowed syscall.

PR_GET_SECCOMP can probably be allowed. My reasoning for disabling it
was to match the kernel behavior for when seccomp is disabled by the
Kconfig option.

Thanks,
James