* [Qemu-devel] seccomp missing calls in 2.7.0?
From: Brian Rak @ 2016-09-06 15:27 UTC
To: qemu-devel

I've been testing out 2.7.0 with seccomp support. Whenever I connect to the VNC console, the process gets killed by the kernel. dmesg shows:

audit: type=1326 audit(1473175350.674:2): auid=0 uid=107 gid=107 ses=423110 pid=32202 comm="qemu-kvm" exe="/bin/qemu-system-x86_64" sig=31 arch=c000003e syscall=98 compat=0 ip=0x7f2beba83477 code=0x0

syscall 98 appears to be getrusage, which does not appear in qemu-seccomp.c.

Is seccomp a supported feature these days? I'm guessing it does not get a whole lot of use.

* Re: [Qemu-devel] seccomp missing calls in 2.7.0?
From: Eduardo Otubo @ 2016-09-06 16:43 UTC
To: Brian Rak, qemu-devel

This feature is enabled by default in virt-test/avocado and yes lots of people use it.

Please send a patch and I'll merge it.

On Tue, Sep 6, 2016, 18:41 Brian Rak <brak@gameservers.com> wrote:
> I've been testing out 2.7.0 with seccomp support. Whenever I connect to
> the VNC console, the process gets killed by the kernel. dmesg shows:
>
> audit: type=1326 audit(1473175350.674:2): auid=0 uid=107 gid=107
> ses=423110 pid=32202 comm="qemu-kvm" exe="/bin/qemu-system-x86_64"
> sig=31 arch=c000003e syscall=98 compat=0 ip=0x7f2beba83477 code=0x0
>
> syscall 98 appears to be getrusage, which does not appear in
> qemu-seccomp.c.
>
> Is seccomp a supported feature these days? I'm guessing it does not get
> a whole lot of use.

* Re: [Qemu-devel] seccomp missing calls in 2.7.0? 2016-09-06 16:43 ` Eduardo Otubo @ 2016-09-07 19:55 ` Brian Rak 2016-09-13 8:12 ` Eduardo Otubo 0 siblings, 1 reply; 7+ messages in thread From: Brian Rak @ 2016-09-07 19:55 UTC (permalink / raw) To: Eduardo Otubo, qemu-devel --- src_clean/qemu-seccomp.c 2016-09-02 11:34:22.000000000 -0400 +++ src/qemu-seccomp.c 2016-09-06 11:28:23.189162653 -0400 @@ -65,6 +65,7 @@ { SCMP_SYS(prctl), 245 }, { SCMP_SYS(signalfd), 245 }, { SCMP_SYS(getrlimit), 245 }, + { SCMP_SYS(getrusage), 245 }, { SCMP_SYS(set_tid_address), 245 }, { SCMP_SYS(statfs), 245 }, { SCMP_SYS(unlink), 245 }, On 9/6/2016 12:43 PM, Eduardo Otubo wrote: > > This feature is enabled by default in virt-test/avocado and yes lots > of people use it. > > Please send a patch and I'll merge it. > > > On Tue, Sep 6, 2016, 18:41 Brian Rak <brak@gameservers.com > <mailto:brak@gameservers.com>> wrote: > > I've been testing out 2.7.0 with seccomp support. Whenever I > connect to > the VNC console, the process gets killed by the kernel. dmesg shows: > > audit: type=1326 audit(1473175350.674:2): auid=0 uid=107 gid=107 > ses=423110 pid=32202 comm="qemu-kvm" exe="/bin/qemu-system-x86_64" > sig=31 arch=c000003e syscall=98 compat=0 ip=0x7f2beba83477 code=0x0 > > syscall 98 appears to be getrusage, which does not appear in > qemu-seccomp.c. > > Is seccomp a supported feature these days? I'm guessing it does > not get > a whole lot of use. > > ^ permalink raw reply [flat|nested] 7+ messages in thread
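Review bot: the added `{ SCMP_SYS(getrusage), 245 },` line after the `getrlimit` entry is posted with no commit message, so nothing records which code path issues the call or what fails without it. Add a message that names the caller and cites the audit record (`sig=31 ... syscall=98`) from the original report, so a later audit of the whitelist can tell why the entry is there. The diff is also taken between `src_clean/` and `src/` directories rather than produced by git, which drops the author and subject that a git-formatted patch would carry.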
* Re: [Qemu-devel] seccomp missing calls in 2.7.0? 2016-09-07 19:55 ` Brian Rak @ 2016-09-13 8:12 ` Eduardo Otubo 2016-09-13 19:17 ` Brian Rak 0 siblings, 1 reply; 7+ messages in thread From: Eduardo Otubo @ 2016-09-13 8:12 UTC (permalink / raw) To: Brian Rak; +Cc: qemu-devel On Wed, Sep 7, 2016 at 9:55 PM, Brian Rak <brak@gameservers.com> wrote: > --- src_clean/qemu-seccomp.c 2016-09-02 11:34:22.000000000 -0400 > +++ src/qemu-seccomp.c 2016-09-06 11:28:23.189162653 -0400 > @@ -65,6 +65,7 @@ > { SCMP_SYS(prctl), 245 }, > { SCMP_SYS(signalfd), 245 }, > { SCMP_SYS(getrlimit), 245 }, > + { SCMP_SYS(getrusage), 245 }, > { SCMP_SYS(set_tid_address), 245 }, > { SCMP_SYS(statfs), 245 }, > { SCMP_SYS(unlink), 245 }, Hi, Care to send a proper commit message, stating the use case, issues, etc? Thanks, > > > On 9/6/2016 12:43 PM, Eduardo Otubo wrote: > > This feature is enabled by default in virt-test/avocado and yes lots of > people use it. > > Please send a patch and I'll merge it. > > > On Tue, Sep 6, 2016, 18:41 Brian Rak <brak@gameservers.com> wrote: >> >> I've been testing out 2.7.0 with seccomp support. Whenever I connect to >> the VNC console, the process gets killed by the kernel. dmesg shows: >> >> audit: type=1326 audit(1473175350.674:2): auid=0 uid=107 gid=107 >> ses=423110 pid=32202 comm="qemu-kvm" exe="/bin/qemu-system-x86_64" >> sig=31 arch=c000003e syscall=98 compat=0 ip=0x7f2beba83477 code=0x0 >> >> syscall 98 appears to be getrusage, which does not appear in >> qemu-seccomp.c. >> >> Is seccomp a supported feature these days? I'm guessing it does not get >> a whole lot of use. >> >> > -- Eduardo Otubo ProfitBricks ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Qemu-devel] seccomp missing calls in 2.7.0? 2016-09-13 8:12 ` Eduardo Otubo @ 2016-09-13 19:17 ` Brian Rak 2016-09-19 9:45 ` Markus Armbruster 0 siblings, 1 reply; 7+ messages in thread From: Brian Rak @ 2016-09-13 19:17 UTC (permalink / raw) To: Eduardo Otubo; +Cc: qemu-devel getrusage is used in a number of places throughout the qemu codebase (notably, in crypto/pbkdf.c). Without this syscall being whitelisted, qemu ends up getting killed by the kernel whenever you try to connect to a VNC console. --- qemu-seccomp.c | 1 + 1 file changed, 1 insertion(+) diff --git a/qemu-seccomp.c b/qemu-seccomp.c index cb569dc..df75d9c 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -65,6 +65,7 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = { { SCMP_SYS(prctl), 245 }, { SCMP_SYS(signalfd), 245 }, { SCMP_SYS(getrlimit), 245 }, + { SCMP_SYS(getrusage), 245 }, { SCMP_SYS(set_tid_address), 245 }, { SCMP_SYS(statfs), 245 }, { SCMP_SYS(unlink), 245 }, -- 2.8.2 On 9/13/2016 4:12 AM, Eduardo Otubo wrote: > On Wed, Sep 7, 2016 at 9:55 PM, Brian Rak <brak@gameservers.com> wrote: >> --- src_clean/qemu-seccomp.c 2016-09-02 11:34:22.000000000 -0400 >> +++ src/qemu-seccomp.c 2016-09-06 11:28:23.189162653 -0400 
>> @@ -65,6 +65,7 @@ >> { SCMP_SYS(prctl), 245 }, >> { SCMP_SYS(signalfd), 245 }, >> { SCMP_SYS(getrlimit), 245 }, >> + { SCMP_SYS(getrusage), 245 }, >> { SCMP_SYS(set_tid_address), 245 }, >> { SCMP_SYS(statfs), 245 }, >> { SCMP_SYS(unlink), 245 }, > Hi, > > Care to send a proper commit message, stating the use case, issues, etc? > > Thanks, > >> >> On 9/6/2016 12:43 PM, Eduardo Otubo wrote: >> >> This feature is enabled by default in virt-test/avocado and yes lots of >> people use it. >> >> Please send a patch and I'll merge it. >> >> >> On Tue, Sep 6, 2016, 18:41 Brian Rak <brak@gameservers.com> wrote: >>> I've been testing out 2.7.0 with seccomp support. Whenever I connect to >>> the VNC console, the process gets killed by the kernel. dmesg shows: >>> >>> audit: type=1326 audit(1473175350.674:2): auid=0 uid=107 gid=107 >>> ses=423110 pid=32202 comm="qemu-kvm" exe="/bin/qemu-system-x86_64" >>> sig=31 arch=c000003e syscall=98 compat=0 ip=0x7f2beba83477 code=0x0 >>> >>> syscall 98 appears to be getrusage, which does not appear in >>> qemu-seccomp.c. >>> >>> Is seccomp a supported feature these days? I'm guessing it does not get >>> a whole lot of use. >>> >>> > > ^ permalink raw reply related [flat|nested] 7+ messages in thread
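Review bot: in the git-formatted patch at the top of this message, there is no Signed-off-by line between the commit message body and the `---` diffstat separator, and the mail subject is still the thread's question rather than a description of the change. The body also says getrusage is used "in a number of places" but names only crypto/pbkdf.c; since each whitelist entry widens what a compromised process may call, state the specific path from a VNC connection to the call. The entry itself, `{ SCMP_SYS(getrusage), 245 },`, sits next to `getrlimit` and uses the same priority value as its neighbours, which is consistent with the surrounding lines.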
* Re: [Qemu-devel] seccomp missing calls in 2.7.0?
From: Markus Armbruster @ 2016-09-19 9:45 UTC
To: Brian Rak; +Cc: Eduardo Otubo, qemu-devel

Brian Rak <brak@gameservers.com> writes:

> getrusage is used in a number of places throughout the qemu codebase
> (notably, in crypto/pbkdf.c).
> Without this syscall being whitelisted, qemu ends up getting killed by
> the kernel whenever you
> try to connect to a VNC console.

The body of the commit message now looks good to me, but the headline is still off. It should be something like "seccomp: Add getrusage() to whitelist".

Perhaps Eduardo is willing to touch it up on commit. If not, you need to resend your patch as a top-level message (not in reply to anything) with the subject fixed. Please consider using git-send-email. Thanks!

http://wiki.qemu.org/Contribute/SubmitAPatch#Submitting_your_Patches

* Re: [Qemu-devel] seccomp missing calls in 2.7.0?
From: Eduardo Otubo @ 2016-09-19 9:47 UTC
To: Markus Armbruster; +Cc: Brian Rak, qemu-devel

On Mon, Sep 19, 2016 at 11:45:47AM +0200, Markus Armbruster wrote:
> Brian Rak <brak@gameservers.com> writes:
>
> > getrusage is used in a number of places throughout the qemu codebase
> > (notably, in crypto/pbkdf.c).
> > Without this syscall being whitelisted, qemu ends up getting killed by
> > the kernel whenever you
> > try to connect to a VNC console.
>
> The body of the commit message now looks good to me, but the headline is
> still off. It should be something like "seccomp: Add getrusage() to
> whitelist".
>
> Perhaps Eduardo is willing to touch it up on commit. If not, you need
> to resend your patch as a top-level message (not in reply to anything)
> with the subject fixed. Please consider using git-send-email. Thanks!
>
> http://wiki.qemu.org/Contribute/SubmitAPatch#Submitting_your_Patches

Yep, that's not a problem now. I'll fix that. But yeah, please stick to the guidelines next time :)

Regards,

--
Eduardo Otubo
ProfitBricks GmbH
