From: Eduardo Otubo <otubo@redhat.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: Florian Weimer <fweimer@redhat.com>,
	qemu-devel@nongnu.org,
	"Dr . David Alan Gilbert" <dgilbert@redhat.com>
Subject: Re: [PATCH] seccomp: don't block getters for resource control syscalls
Date: Thu, 1 Jul 2021 09:15:01 +0200
Message-ID: <20210701071501.GA60305@genji>
In-Reply-To: <20210630160526.977225-1-berrange@redhat.com>


On 30/06/2021 - 17:05:26, Daniel P. Berrange wrote:
> Recent GLibC calls sched_getaffinity in code paths related to malloc and
> when QEMU blocks access, it sends it off into a bad codepath resulting
> in stack exhaustion[1]. The GLibC bug is being fixed[2], but none the
> less, GLibC has valid reasons to want to use sched_getaffinity.
> 
> It is not unreasonable for code to want to run many resource syscalls
> for information gathering, so it is a bit too harsh for QEMU to block
> them.
> 
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1975693
> [2] https://sourceware.org/pipermail/libc-alpha/2021-June/128271.html
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
>  softmmu/qemu-seccomp.c | 6 ------
>  1 file changed, 6 deletions(-)
> 
> diff --git a/softmmu/qemu-seccomp.c b/softmmu/qemu-seccomp.c
> index 9c29d9cf00..f50026778c 100644
> --- a/softmmu/qemu-seccomp.c
> +++ b/softmmu/qemu-seccomp.c
> @@ -97,17 +97,11 @@ static const struct QemuSeccompSyscall denylist[] = {
>      { SCMP_SYS(vfork),                  QEMU_SECCOMP_SET_SPAWN },
>      { SCMP_SYS(execve),                 QEMU_SECCOMP_SET_SPAWN },
>      /* resource control */
> -    { SCMP_SYS(getpriority),            QEMU_SECCOMP_SET_RESOURCECTL },
>      { SCMP_SYS(setpriority),            QEMU_SECCOMP_SET_RESOURCECTL },
>      { SCMP_SYS(sched_setparam),         QEMU_SECCOMP_SET_RESOURCECTL },
> -    { SCMP_SYS(sched_getparam),         QEMU_SECCOMP_SET_RESOURCECTL },
>      { SCMP_SYS(sched_setscheduler),     QEMU_SECCOMP_SET_RESOURCECTL,
>        ARRAY_SIZE(sched_setscheduler_arg), sched_setscheduler_arg },
> -    { SCMP_SYS(sched_getscheduler),     QEMU_SECCOMP_SET_RESOURCECTL },
>      { SCMP_SYS(sched_setaffinity),      QEMU_SECCOMP_SET_RESOURCECTL },
> -    { SCMP_SYS(sched_getaffinity),      QEMU_SECCOMP_SET_RESOURCECTL },
> -    { SCMP_SYS(sched_get_priority_max), QEMU_SECCOMP_SET_RESOURCECTL },
> -    { SCMP_SYS(sched_get_priority_min), QEMU_SECCOMP_SET_RESOURCECTL },
>  };
>  
>  static inline __attribute__((unused)) int
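Review bot: only sched_getaffinity is motivated concretely by the commit message, yet the hunk also drops getpriority, sched_getparam, sched_getscheduler, sched_get_priority_max and sched_get_priority_min from the denylist; naming those in the message would make the scope of the policy change explicit. It would also help to state there that the setters in this group (setpriority, sched_setparam, sched_setscheduler with its sched_setscheduler_arg filter, sched_setaffinity) remain denied, since that is what keeps QEMU_SECCOMP_SET_RESOURCECTL meaningful after the change, and, if the resource-control sandbox set is described in user-facing documentation, that text should now say it blocks only the modifying calls.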
> -- 
> 2.31.1
> 

Acked-by: Eduardo Otubo <otubo@redhat.com>
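To show what the policy looks like after the patch (setters denied, getters allowed), here is an added example that is not QEMU's code: QEMU builds its denylist with libseccomp (the SCMP_SYS entries above), whereas this program hand-assembles the equivalent classic BPF filter and installs it with prctl(2) so it needs no library. It keeps the four setters from the hunk denied, returns EPERM for them instead of killing the process (a choice made here so the outcome can be observed), does not reproduce QEMU's argument filter on sched_setscheduler, and lets every getter through. All function names are this example's own.

```c
/* Added example, not QEMU's code: a seccomp filter with the post-patch
 * resource-control policy (setters denied with EPERM, getters allowed). */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* The four setters kept on QEMU's denylist get EPERM; everything else,
 * including getpriority/sched_getaffinity/sched_getparam/..., is allowed.
 * A production filter (libseccomp does this) would also reject x32 syscall
 * numbers on x86_64; that is omitted here to keep the program short. */
static struct sock_filter resourcectl_filter[] = {
    /* Kill on any ABI other than the one the syscall numbers were taken from. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* Match the syscall number against the denied setters. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_setpriority,        3, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_sched_setparam,     2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_sched_setscheduler, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_sched_setaffinity,  0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Install the filter in the calling process. Returns 0, or errno on failure. */
static int install_resourcectl_filter(void) {
    struct sock_fprog prog = {
        .len = sizeof(resourcectl_filter) / sizeof(resourcectl_filter[0]),
        .filter = resourcectl_filter,
    };
    /* Unprivileged processes must set no_new_privs before loading a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return errno;
    return 0;
}

/* Read our own affinity mask via the raw syscall. Returns 0, or errno. */
static int probe_affinity_getter(void) {
    unsigned long mask[128] = {0};  /* 1024 bytes: ample for the kernel's cpumask */
    if (syscall(__NR_sched_getaffinity, 0, sizeof(mask), mask) < 0)
        return errno;
    return 0;
}

/* Re-apply the mask we already have: a no-op change only the filter can
 * turn into a failure. Returns 0, or errno. */
static int probe_affinity_setter(void) {
    unsigned long mask[128] = {0};
    if (syscall(__NR_sched_getaffinity, 0, sizeof(mask), mask) < 0)
        return errno;
    if (syscall(__NR_sched_setaffinity, 0, sizeof(mask), mask) < 0)
        return errno;
    return 0;
}

/* getpriority(2) reports errors only through errno, so clear it first. */
static int probe_priority_getter(void) {
    errno = 0;
    (void)getpriority(PRIO_PROCESS, 0);
    return errno;
}

/* Set our nice value to what it already is. Returns 0, or errno. */
static int probe_priority_setter(void) {
    errno = 0;
    int current = getpriority(PRIO_PROCESS, 0);
    if (errno != 0)
        return errno;
    if (setpriority(PRIO_PROCESS, 0, current) != 0)
        return errno;
    return 0;
}

int main(void) {
    int rc = install_resourcectl_filter();
    if (rc != 0) {
        fprintf(stderr, "cannot install seccomp filter: %s\n", strerror(rc));
        return 1;
    }
    printf("sched_getaffinity -> errno %d (0 = allowed)\n", probe_affinity_getter());
    printf("sched_setaffinity -> errno %d (EPERM = %d)\n", probe_affinity_setter(), EPERM);
    printf("getpriority       -> errno %d (0 = allowed)\n", probe_priority_getter());
    printf("setpriority       -> errno %d (EPERM = %d)\n", probe_priority_setter(), EPERM);
    return 0;
}
```

Running it on Linux, the getters succeed and both setters come back with EPERM, which is the distinction the patch draws: a library that only asks for the current affinity or nice value no longer trips the sandbox. The architecture check at the top matters because __NR_* values differ per ABI; a filter that compares numbers without it would deny the wrong calls when the process is entered through another ABI.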

