Re: [PATCH v2 051/109] virtiofsd: add seccomp whitelist

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2 051/109] virtiofsd: add seccomp whitelist

From:	Florian Weimer
Subject:	Re: [PATCH v2 051/109] virtiofsd: add seccomp whitelist
Date:	Fri, 24 Jan 2020 11:06:32 +0100
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)

* David Alan Gilbert:

> * Florian Weimer (address@hidden) wrote:
>> * David Alan Gilbert:
>> 
>> > +static const int syscall_whitelist[] = {
>> > +    /* TODO ireg sem*() syscalls */
>> > +    SCMP_SYS(brk),
>> > +    SCMP_SYS(capget), /* For CAP_FSETID */
>> > +    SCMP_SYS(capset),
>> > +    SCMP_SYS(clock_gettime),
>> 
>> > +    SCMP_SYS(gettimeofday),
>> 
>> Is this to suppose to work on 32-bit architectures?  Then you need to
>> add the time64 system call variants as well.
>
> Trying SCMP_SYS(time64) gives me an error for an undefined __NR_time64
> on both 64 and 32 bit.

Sorry, time64 does not exist, Userspace is supposed to use
clock_gettime64 with CLOCK_REALTIME_COARSE.

I actually meant that you'll also need futex_time64, ppoll_time64,
recvmmsg_time64, utimensat_time64.  (Based on cursory checking against
the permit list you posted.)

And for a port to 32-bit RISC-V, I think the 32-bit syscalls need to be
protected by #ifdef because new 32-bit architectures do not have them
anymore.

Thanks,
Florian

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH v2 047/109] virtiofsd: use /proc/self/fd/ O_PATH file descriptor, (continued)
- [PATCH v2 047/109] virtiofsd: use /proc/self/fd/ O_PATH file descriptor, Dr. David Alan Gilbert (git), 2020/01/21
- [PATCH v2 048/109] virtiofsd: sandbox mount namespace, Dr. David Alan Gilbert (git), 2020/01/21
- [PATCH v2 049/109] virtiofsd: move to an empty network namespace, Dr. David Alan Gilbert (git), 2020/01/21
- [PATCH v2 051/109] virtiofsd: add seccomp whitelist, Dr. David Alan Gilbert (git), 2020/01/21
  - Re: [PATCH v2 051/109] virtiofsd: add seccomp whitelist, Philippe Mathieu-Daudé, 2020/01/21
    - Re: [PATCH v2 051/109] virtiofsd: add seccomp whitelist, Dr. David Alan Gilbert, 2020/01/21
    - Re: [PATCH v2 051/109] virtiofsd: add seccomp whitelist, Philippe Mathieu-Daudé, 2020/01/21
  - Re: [PATCH v2 051/109] virtiofsd: add seccomp whitelist, Florian Weimer, 2020/01/24
    - Re: [PATCH v2 051/109] virtiofsd: add seccomp whitelist, Dr. David Alan Gilbert, 2020/01/24
    - Re: [PATCH v2 051/109] virtiofsd: add seccomp whitelist, Dr. David Alan Gilbert, 2020/01/24
    - Re: [PATCH v2 051/109] virtiofsd: add seccomp whitelist, Florian Weimer <=
- [PATCH v2 050/109] virtiofsd: move to a new pid namespace, Dr. David Alan Gilbert (git), 2020/01/21
- [PATCH v2 052/109] virtiofsd: Parse flag FUSE_WRITE_KILL_PRIV, Dr. David Alan Gilbert (git), 2020/01/21
- [PATCH v2 053/109] virtiofsd: cap-ng helpers, Dr. David Alan Gilbert (git), 2020/01/21
- [PATCH v2 054/109] virtiofsd: Drop CAP_FSETID if client asked for it, Dr. David Alan Gilbert (git), 2020/01/21
- [PATCH v2 055/109] virtiofsd: set maximum RLIMIT_NOFILE limit, Dr. David Alan Gilbert (git), 2020/01/21
- [PATCH v2 056/109] virtiofsd: fix libfuse information leaks, Dr. David Alan Gilbert (git), 2020/01/21
- [PATCH v2 057/109] docs: Add docs/tools, Dr. David Alan Gilbert (git), 2020/01/21
  - Re: [PATCH v2 057/109] docs: Add docs/tools, Philippe Mathieu-Daudé, 2020/01/22
- [PATCH v2 058/109] virtiofsd: add security guide document, Dr. David Alan Gilbert (git), 2020/01/21
- [PATCH v2 059/109] virtiofsd: add --syslog command-line option, Dr. David Alan Gilbert (git), 2020/01/21

Prev by Date: Re: [PATCH] s390x: sigp: Fix sense running reporting
Next by Date: Re: [PULL v2 00/59] Misc (x86 and QOM) patches for 2020-01-23
Previous by thread: Re: [PATCH v2 051/109] virtiofsd: add seccomp whitelist
Next by thread: [PATCH v2 050/109] virtiofsd: move to a new pid namespace
Index(es):
- Date
- Thread