Date: Wed, 22 Aug 2018 17:30:38 +0200
From: Eduardo Otubo
To: Marc-André Lureau
Cc: qemu-devel@nongnu.org, pmoore@redhat.com
Subject: Re: [Qemu-devel] [PATCH v3 0/3] seccomp fixes
Message-ID: <20180822153038.GJ3923@vader>
In-Reply-To: <20180822142956.6859-1-marcandre.lureau@redhat.com>

On 22/08/2018 - 16:29:53, Marc-André Lureau wrote:
> Hi,
>
> This series fixes 2 issues with -sandbox:
>
> - The seccomp action SCMP_ACT_KILL results in immediate termination of
>   the thread that made the bad system call. However, qemu being
>   multi-threaded, it keeps running. There is no easy way for the parent
>   process / management layer (libvirt) to know about that situation.
>
>   Instead, the default SIGSYS handler when invoked with SCMP_ACT_TRAP
>   will terminate the program and core dump.
>
>   This may not be the most secure solution, but probably better than
>   just killing the offending thread. SCMP_ACT_KILL_PROCESS has been
>   added in Linux 4.14 to improve the situation, which I propose to use
>   by default if available.
>
>   Related to:
>   https://bugzilla.redhat.com/show_bug.cgi?id=1594456
>
> - The seccomp filter isn't applied to all threads. We can solve the
>   issue by using SECCOMP_FILTER_FLAG_TSYNC since libseccomp 2.2.0 and
>   kernel >= 3.17. The issue remains on older kernels or older
>   libseccomp. I chose to report an error by default, but we may want
>   it to fail instead.
>
> v3:
> - modify qemu_seccomp() to set errno=ENOSYS
> - add patch "seccomp: set the seccomp filter to all threads"
>
> v2:
> - fix clang unused inline warning
> - add acked-by/r-b tags
>
> Marc-André Lureau (3):
>   seccomp: use SIGSYS signal instead of killing the thread
>   seccomp: prefer SCMP_ACT_KILL_PROCESS if available
>   seccomp: set the seccomp filter to all threads
>
>  qemu-seccomp.c  | 96 +++++++++++++++++++++++++++++++++++++++++++++++--
>  qemu-options.hx |  2 ++
>  2 files changed, 95 insertions(+), 3 deletions(-)
>
> --
> 2.18.0.547.g1d89318c48
>

Acked-by: Eduardo Otubo
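The second issue in the cover letter (a filter installed without SECCOMP_FILTER_FLAG_TSYNC covers only the installing thread) is easy to verify from outside the sandboxed process: on Linux every thread has its own /proc/<pid>/task/<tid>/status file whose "Seccomp:" field reports the thread's seccomp mode (0 disabled, 1 strict, 2 filter; the field exists since Linux 3.8). The following checker is an added example, not code from this thread or from QEMU; it assumes a Linux /proc layout and uses a constructed sample of the status text for the parser. Run it as `./check-seccomp <pid>` against a running qemu process (or with no argument to inspect itself); a non-zero count means some thread is running outside the filter.

```c
/* Added example: report threads of a process that are not in seccomp filter
 * mode, by parsing the "Seccomp:" field of /proc/<pid>/task/<tid>/status.
 * Not part of the QEMU series; assumes a Linux /proc layout. */
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed samples of the relevant lines of a status file (not captured
 * from a real system). Mode 2 = a filter is attached; mode 0 = no seccomp. */
static const char SAMPLE_STATUS_FILTERED[] =
    "Name:\tqemu-system-x86\nState:\tS (sleeping)\nSeccomp:\t2\nSeccomp_filters:\t1\n";
static const char SAMPLE_STATUS_UNFILTERED[] =
    "Name:\tqemu-system-x86\nState:\tS (sleeping)\nSeccomp:\t0\n";

/* Extract the seccomp mode from the text of a status file.
 * Returns 0, 1 or 2, or -1 when the field is absent (kernel without seccomp). */
int parse_seccomp_mode(const char *status_text)
{
    const char *line = status_text;
    while (line && *line) {
        /* "Seccomp:" does not match the newer "Seccomp_filters:" line. */
        if (strncmp(line, "Seccomp:", 8) == 0) {
            const char *p = line + 8;
            while (*p == ' ' || *p == '\t') p++;
            if (!isdigit((unsigned char)*p)) return -1;
            return atoi(p);
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* Read and parse one thread's status file; -1 if it cannot be read. */
static int read_thread_mode(const char *pid, const char *tid)
{
    char path[128];
    char buf[8192];
    snprintf(path, sizeof path, "/proc/%s/task/%s/status", pid, tid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_seccomp_mode(buf);
}

/* Walk /proc/<pid>/task and count threads whose mode is not `expected`
 * (2 for a filter). Each mismatch is reported on stderr. Returns the number
 * of uncovered threads, or -1 if the task directory cannot be opened.
 * Pass "self" to inspect the calling process. */
int count_threads_not_in_mode(const char *pid, int expected)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%s/task", pid);
    DIR *d = opendir(path);
    if (!d) return -1;
    int uncovered = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0])) continue; /* skip . and .. */
        int mode = read_thread_mode(pid, e->d_name);
        if (mode != expected) {
            fprintf(stderr, "thread %s: Seccomp mode %d (expected %d)\n",
                    e->d_name, mode, expected);
            uncovered++;
        }
    }
    closedir(d);
    return uncovered;
}

int main(int argc, char **argv)
{
    const char *pid = argc > 1 ? argv[1] : "self";
    int n = count_threads_not_in_mode(pid, 2);
    if (n < 0) {
        perror("cannot read task list");
        return 2;
    }
    printf("%s: %d thread(s) without a seccomp filter\n", pid, n);
    return n == 0 ? 0 : 1;
}
```

Checking per-thread status rather than only /proc/<pid>/status matters here: the thread-group leader's file is exactly the thread that installed the filter, so it reads mode 2 even when every worker thread spawned before the filter was applied is still in mode 0.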