Date: Tue, 29 Sep 2015 17:22:44 +0200
From: Eduardo Otubo
Message-ID: <20150929152244.GA10053@vader>
Subject: Re: [Qemu-devel] [PATCH v3] Add argument filters to the seccomp sandbox
To: Namsun Ch'o
Cc: pmoore@redhat.com, qemu-devel@nongnu.org

On Fri, Sep 25, 2015 at 12=50=36AM -0400, Namsun Ch'o wrote:
> Here's the v3 patch. I applied it and compiled QEMU, and it worked fine.
>
> Changes so far:
> v1
> - Created argument filters for the madvise, shmget, and shmctl syscalls.
> v1 -> v2
> - Added 5 new madvise flags which were present in the source code but not in
> the strace which I generated.
> - Added IP_CREAT|0600 to shmget, which Daniel Berrange pointed out was
> present in GTK2, which QEMU uses but does not call directly.
> v2 -> v3
> - Replaced include asm/mman-common.h with sys/mman.h which is more proper.
> - Fixed a stupid typo where I had IP_CREAT instead of IPC_CREAT.
> - Removed the comma on the last entry of the madvise_flags array.
> - Removed one madvise flag (MADV_INVALID) which doesn't exist, apparently.
>
> Signed-off-by: Namsun Ch'o
> ---
> diff --git a/qemu-seccomp.c b/qemu-seccomp.c > index f9de0d3..a353ef9 100644 > --- a/qemu-seccomp.c > +++ b/qemu-seccomp.c > @@ -14,6 +14,8 @@ > */ > #include > #include > +#include > +#include > #include "sysemu/seccomp.h" > =20 > struct QemuSeccompSyscall { 
> @@ -105,7 +107,6 @@ static const struct QemuSeccompSyscall seccomp_whitel= ist[] =3D { > { SCMP_SYS(rt_sigreturn), 245 }, > { SCMP_SYS(sync), 245 }, > { SCMP_SYS(pread64), 245 }, > - { SCMP_SYS(madvise), 245 }, > { SCMP_SYS(set_robust_list), 245 }, > { SCMP_SYS(lseek), 245 }, > { SCMP_SYS(pselect6), 245 }, > @@ -224,11 +225,9 @@ static const struct QemuSeccompSyscall seccomp_white= list[] =3D { > { SCMP_SYS(arch_prctl), 240 }, > { SCMP_SYS(mkdir), 240 }, > { SCMP_SYS(fchmod), 240 }, > - { SCMP_SYS(shmget), 240 }, > { SCMP_SYS(shmat), 240 }, > { SCMP_SYS(shmdt), 240 }, > { SCMP_SYS(timerfd_create), 240 }, > - { SCMP_SYS(shmctl), 240 }, > { SCMP_SYS(mlockall), 240 }, > { SCMP_SYS(mlock), 240 }, > { SCMP_SYS(munlock), 240 }, 
> @@ -264,6 +263,59 @@ int seccomp_start(void) > } > } > =20 > + /* madvise */ > + static const int madvise_flags[] =3D { > + MADV_DODUMP, > + MADV_DONTDUMP, > + MADV_UNMERGEABLE, > + MADV_WILLNEED, > + MADV_DONTFORK, > + MADV_DONTNEED, > + MADV_HUGEPAGE, > + MADV_MERGEABLE > + }; > + for (i =3D 0; i < ARRAY_SIZE(madvise_flags); i++) { > + rc =3D seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(madvise), = 1, > + SCMP_A2(SCMP_CMP_EQ, madvise_flags[i])); > + if (rc < 0) { > + goto seccomp_return; > + } > + } > + rc =3D seccomp_syscall_priority(ctx, SCMP_SYS(madvise), 245); > + if (rc < 0) { > + goto seccomp_return; > + } > + > + /* shmget */ > + rc =3D seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmget), 2, > + SCMP_A0(SCMP_CMP_EQ, IPC_PRIVATE), > + SCMP_A2(SCMP_CMP_EQ, IPC_CREAT|0777)); > + if (rc < 0) { > + goto seccomp_return; > + } > + rc =3D seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmget), 2, > + SCMP_A0(SCMP_CMP_EQ, IPC_PRIVATE), > + SCMP_A2(SCMP_CMP_EQ, IPC_CREAT|0600)); > + if (rc < 0) { > + goto seccomp_return; > + } > + rc =3D seccomp_syscall_priority(ctx, SCMP_SYS(shmget), 240); > + if (rc < 0) { > + goto seccomp_return; > + } > + > + /* shmctl */ > + rc =3D seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmctl), 2, > + SCMP_A1(SCMP_CMP_EQ, IPC_RMID), > + SCMP_A2(SCMP_CMP_EQ, 0)); > + if (rc < 0) { > + goto seccomp_return; > + } > + rc =3D seccomp_syscall_priority(ctx, SCMP_SYS(shmctl), 240); > + if (rc < 0) { > + goto seccomp_return; > + } > + > rc =3D seccomp_load(ctx); > =20 > seccomp_return: This looks good now. Thanks for your contribution. Acked-by: Eduardo Otubo ps.: I'll create a pull request with all changes made so far on Friday. 
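Review bot: in the madvise block of the seccomp_start() hunk, the madvise_flags array names MADV_DODUMP, MADV_DONTDUMP, MADV_HUGEPAGE, MADV_MERGEABLE and MADV_UNMERGEABLE unconditionally, so the file only builds where the host headers define every one of them. Wrapping the newer constants in #ifdef guards inside the array would keep older build hosts working without widening the filter. The array is also declared after executable statements in the function body; moving "static const int madvise_flags[]" to the top of seccomp_start() or to file scope would match the declaration placement used in the rest of the file.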
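Review bot: in the shmget block, both rules compare shmflg (A2) for exact equality against the literals IPC_CREAT|0777 and IPC_CREAT|0600, and the only comment is "/* shmget */", so a later reader cannot tell which caller needs which value or whether 0777 is really required. Please add a comment naming the caller behind each rule (the changelog attributes the 0600 case to GTK2) and confirm that the world-accessible 0777 mode is still needed. If more mode combinations turn up, a single SCMP_CMP_MASKED_EQ rule that rejects any bits outside IPC_CREAT and the permission bits would be less brittle than adding one exact-match rule per value. Minor style point: "IPC_CREAT|0777" and "IPC_CREAT|0600" want spaces around the "|" operator.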
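Review bot: in the shmctl block, SCMP_A2(SCMP_CMP_EQ, 0) requires the buf pointer to be NULL, but shmctl ignores that argument for IPC_RMID, so a caller that passes a non-NULL buf with IPC_RMID would fail to match this rule with no security benefit from the extra comparison. Consider dropping the A2 comparison and keeping only SCMP_A1(SCMP_CMP_EQ, IPC_RMID) with an argument count of 1, or add a comment stating that every known caller passes NULL and that this is intentional.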
--
Eduardo Otubo
ProfitBricks GmbH