Date: Fri, 2 Oct 2015 16:14:38 +0200
From: Eduardo Otubo
Subject: Re: [Qemu-devel] [PATCH v3] Add argument filters to the seccomp sandbox
To: Namsun Ch'o, berrange@redhat.com, qemu-devel@nongnu.org, pmoore@redhat.com
Message-ID: <20151002141438.GC25464@vader>
In-Reply-To: <20150929152244.GA10053@vader>

On Tue, Sep 29, 2015 at 05:22:44PM +0200, Eduardo Otubo wrote:
> On Fri, Sep 25, 2015 at 12:50:36AM -0400, Namsun Ch'o wrote:
> > Here's the v3 patch. I applied it and compiled QEMU, and it worked fine.
> >
> > Changes so far:
> > v1
> > - Created argument filters for the madvise, shmget, and shmctl syscalls.
> > v1 -> v2
> > - Added 5 new madvise flags which were present in the source code but not in
> >   the strace which I generated.
> > - Added IP_CREAT|0600 to shmget, which Daniel Berrange pointed out was
> >   present in GTK2, which QEMU uses but does not call directly.
> > v2 -> v3
> > - Replaced include asm/mman-common.h with sys/mman.h which is more proper.
> > - Fixed a stupid typo where I had IP_CREAT instead of IPC_CREAT.
> > - Removed the comma on the last entry of the madvise_flags array.
> > - Removed one madvise flag (MADV_INVALID) which doesn't exist, apparently.
> >
> > Signed-off-by: Namsun Ch'o
> > ---
> > diff --git a/qemu-seccomp.c b/qemu-seccomp.c > > index f9de0d3..a353ef9 100644 > > --- a/qemu-seccomp.c > > +++ b/qemu-seccomp.c > > @@ -14,6 +14,8 @@ > > */ > > #include > > #include > > +#include > > +#include > > #include "sysemu/seccomp.h" > > =20 > > struct QemuSeccompSyscall {
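Review bot: the two `+#include` lines in the first hunk (and the two existing includes above them) carry no header name in this rendering, so the include change cannot be verified as posted; the v2->v3 changelog says sys/mman.h replaced asm/mman-common.h for the MADV_* values, and the IPC_PRIVATE, IPC_CREAT and IPC_RMID constants used in seccomp_start() further down need sys/ipc.h, so please confirm the second new include is that header (sys/shm.h also pulls it in) rather than something glibc only happens to include transitively.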
> > @@ -105,7 +107,6 @@ static const struct QemuSeccompSyscall seccomp_whit= elist[] =3D { > > { SCMP_SYS(rt_sigreturn), 245 }, > > { SCMP_SYS(sync), 245 }, > > { SCMP_SYS(pread64), 245 }, > > - { SCMP_SYS(madvise), 245 }, > > { SCMP_SYS(set_robust_list), 245 }, > > { SCMP_SYS(lseek), 245 }, > > { SCMP_SYS(pselect6), 245 }, > > @@ -224,11 +225,9 @@ static const struct QemuSeccompSyscall seccomp_whi= telist[] =3D { > > { SCMP_SYS(arch_prctl), 240 }, > > { SCMP_SYS(mkdir), 240 }, > > { SCMP_SYS(fchmod), 240 }, > > - { SCMP_SYS(shmget), 240 }, > > { SCMP_SYS(shmat), 240 }, > > { SCMP_SYS(shmdt), 240 }, > > { SCMP_SYS(timerfd_create), 240 }, > > - { SCMP_SYS(shmctl), 240 }, > > { SCMP_SYS(mlockall), 240 }, > > { SCMP_SYS(mlock), 240 }, > > { SCMP_SYS(munlock), 240 }, 
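Review bot: in the @@ -224 hunk shmget and shmctl leave the unconditional table but shmat and shmdt stay at priority 240 with no argument check, so the new rules restrict which segments QEMU can create (IPC_PRIVATE only) and destroy (IPC_RMID only), not which ones it can attach to; a shmat() on any segment id the process learns of still passes. That is probably acceptable, since the kernel's owner and mode checks still apply to a foreign segment, but the commit message should say so, and a one-line comment where the two entries were removed (or above the table) pointing at the argument-filtered rules in seccomp_start() would stop someone re-adding shmget/shmctl here and silently widening the filter again.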
> > @@ -264,6 +263,59 @@ int seccomp_start(void) > > } > > } > > =20 > > + /* madvise */ > > + static const int madvise_flags[] =3D { > > + MADV_DODUMP, > > + MADV_DONTDUMP, > > + MADV_UNMERGEABLE, > > + MADV_WILLNEED, > > + MADV_DONTFORK, > > + MADV_DONTNEED, > > + MADV_HUGEPAGE, > > + MADV_MERGEABLE > > + }; > > + for (i =3D 0; i < ARRAY_SIZE(madvise_flags); i++) { > > + rc =3D seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(madvise)= , 1, > > + SCMP_A2(SCMP_CMP_EQ, madvise_flags[i])); > > + if (rc < 0) { > > + goto seccomp_return; > > + } > > + } > > + rc =3D seccomp_syscall_priority(ctx, SCMP_SYS(madvise), 245); > > + if (rc < 0) { > > + goto seccomp_return; > > + } > > + > > + /* shmget */ > > + rc =3D seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmget), 2, > > + SCMP_A0(SCMP_CMP_EQ, IPC_PRIVATE), > > + SCMP_A2(SCMP_CMP_EQ, IPC_CREAT|0777)); > > + if (rc < 0) { > > + goto seccomp_return; > > + } > > + rc =3D seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmget), 2, > > + SCMP_A0(SCMP_CMP_EQ, IPC_PRIVATE), > > + SCMP_A2(SCMP_CMP_EQ, IPC_CREAT|0600)); > > + if (rc < 0) { > > + goto seccomp_return; > > + } > > + rc =3D seccomp_syscall_priority(ctx, SCMP_SYS(shmget), 240); > > + if (rc < 0) { > > + goto seccomp_return; > > + } > > + > > + /* shmctl */ > > + rc =3D seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmctl), 2, > > + SCMP_A1(SCMP_CMP_EQ, IPC_RMID), > > + SCMP_A2(SCMP_CMP_EQ, 0)); > > + if (rc < 0) { > > + goto seccomp_return; > > + } > > + rc =3D seccomp_syscall_priority(ctx, SCMP_SYS(shmctl), 240); > > + if (rc < 0) { > > + goto seccomp_return; > > + } > > + > > rc =3D seccomp_load(ctx); > > =20 > > seccomp_return:
>
> This looks good now.
> Thanks for your contribution.
>
> Acked-by: Eduardo Otubo
>
> ps.: I'll create a pull request with all changes made so far on Friday.

The pull request will be delayed a little bit due to some new patches incoming.
Let's just set an agreement on how to approach regarding the "-runas and -chroot" patch and will prepare just a single batch for pull request to Peter.

Regards,

--
Eduardo Otubo
ProfitBricks GmbH
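Review bot: in the @@ -264 hunk the madvise_flags[] array and the bare `/* madvise */`, `/* shmget */` and `/* shmctl */` comments do not record where the allowed values came from, which is exactly what the next person touching this list will need; the changelog on this thread (values taken from an strace of QEMU plus those found in the source, and IPC_CREAT|0600 coming from GTK2 rather than QEMU itself) should be condensed into a comment above each block. `madvise_flags` is better named `madvise_advice`, since madvise() takes a single advice value rather than OR-ed flags, which is also why one SCMP_CMP_EQ rule per value is the right shape here. Two smaller points: every SCMP_A*(SCMP_CMP_EQ, ...) is an exact match on the whole argument, so `IPC_CREAT|0600` will not cover a caller that also sets IPC_EXCL, and the comment should say the list is deliberately exact; and the seccomp_syscall_priority() calls reuse the 245/240 values the removed table entries had, which keeps the priorities consistent with the rest of the table, so that is fine as posted.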
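As an added example, not code from the patch or from QEMU: the same three argument filters expressed as a raw seccomp-BPF program, with a small BPF interpreter so each verdict can be checked offline before anything is installed. The function names (emit_rule, build_filter, run_filter, decide) are this example's own; it assumes Linux with glibc on x86_64, and it deliberately leaves out the rest of QEMU's unconditional whitelist, so anything other than the three filtered syscalls is denied. What it shows that the patch does not show on its face is what SCMP_A2(SCMP_CMP_EQ, ...) has to compile to on a 64-bit ABI: both 32-bit halves of the argument register are compared, so a value that matches in its low word but carries junk in the high word is rejected rather than allowed.

```c
/* Added example (not QEMU code): the patch's libseccomp argument filters for
 * madvise, shmget and shmctl rebuilt as a raw seccomp-BPF program, plus a tiny
 * BPF interpreter so verdicts can be checked offline. Assumes Linux/glibc. */
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#define SECCOMP_ARCH AUDIT_ARCH_X86_64       /* assumption: x86_64 host ABI */
#define STMT(code, k)  (struct sock_filter)BPF_STMT(code, k)
#define JEQ(k, jt, jf) (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, k, jt, jf)
#define LOAD(off)      STMT(BPF_LD | BPF_W | BPF_ABS, off)
#define ARG_LO(i) (offsetof(struct seccomp_data, args) + (i) * 8)   /* low 32 bits */
#define ARG_HI(i) (ARG_LO(i) + 4)                                   /* high 32 bits */

struct arg_check { int idx; uint64_t val; };    /* "args[idx] must equal val" */
/* One rule block: nr matches and each listed argument equals its full 64-bit
 * value (both halves, as libseccomp does for SCMP_CMP_EQ) -> ALLOW; else skip. */
static size_t emit_rule(struct sock_filter *p, size_t n, int nr,
                        const struct arg_check *c, size_t k)
{
    size_t end = n + 3 + 4 * k;                 /* first insn after the block */
#define JNE_END(v) JEQ((uint32_t)(v), 0, (uint8_t)(end - (n + 1)))
    p[n] = LOAD(offsetof(struct seccomp_data, nr)); n++;
    p[n] = JNE_END(nr); n++;
    for (size_t j = 0; j < k; j++) {
        p[n] = LOAD(ARG_LO(c[j].idx)); n++;
        p[n] = JNE_END(c[j].val); n++;
        p[n] = LOAD(ARG_HI(c[j].idx)); n++;
        p[n] = JNE_END(c[j].val >> 32); n++;
    }
    p[n] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW); n++;
#undef JNE_END
    return n;
}

/* Only the patch's three argument-filtered syscalls; QEMU's long unconditional
 * whitelist is omitted here, so anything else falls through to `deny`. */
static size_t build_filter(struct sock_filter *p, uint32_t deny)
{
    static const int advice[] = { MADV_DODUMP, MADV_DONTDUMP, MADV_UNMERGEABLE,
        MADV_WILLNEED, MADV_DONTFORK, MADV_DONTNEED, MADV_HUGEPAGE, MADV_MERGEABLE };
    const struct arg_check get777[] = { {0, IPC_PRIVATE}, {2, IPC_CREAT | 0777} };
    const struct arg_check get600[] = { {0, IPC_PRIVATE}, {2, IPC_CREAT | 0600} };
    const struct arg_check rmid[]   = { {1, IPC_RMID}, {2, 0} };
    size_t n = 0;
    p[n++] = LOAD(offsetof(struct seccomp_data, arch));   /* pin the ABI first */
    p[n++] = JEQ(SECCOMP_ARCH, 1, 0);
    p[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    for (size_t i = 0; i < sizeof advice / sizeof *advice; i++) {
        struct arg_check c = { 2, (uint64_t)advice[i] };
        n = emit_rule(p, n, __NR_madvise, &c, 1);
    }
    n = emit_rule(p, n, __NR_shmget, get777, 2);
    n = emit_rule(p, n, __NR_shmget, get600, 2);
    n = emit_rule(p, n, __NR_shmctl, rmid, 2);
    p[n++] = STMT(BPF_RET | BPF_K, deny);
    return n;
}

/* Toy interpreter for the three opcodes emitted above. */
static uint32_t run_filter(const struct sock_filter *p, size_t len,
                           const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        if (p[pc].code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (const char *)d + p[pc].k, sizeof acc);
        else if (p[pc].code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += acc == p[pc].k ? p[pc].jt : p[pc].jf;
        else if (p[pc].code == (BPF_RET | BPF_K))
            return p[pc].k;
        else
            break;                              /* opcode we never emit */
    }
    return SECCOMP_RET_KILL;                    /* fell off the end: deny */
}

/* Offline verdict for one synthetic call (arguments beyond a2 are zero). */
uint32_t decide(int nr, uint64_t a0, uint64_t a1, uint64_t a2)
{
    struct sock_filter prog[128];
    size_t len = build_filter(prog, SECCOMP_RET_KILL);
    struct seccomp_data d = { .nr = nr, .arch = SECCOMP_ARCH };
    d.args[0] = a0; d.args[1] = a1; d.args[2] = a2;
    return run_filter(prog, len, &d);
}

int main(void)
{
    uint32_t v = decide(__NR_madvise, 0, 4096, MADV_RANDOM);   /* not on the list */
    printf("madvise(MADV_RANDOM) -> %s\n", v == SECCOMP_RET_ALLOW ? "allow" : "kill");
    return 0;
}
```

Build with `cc -Wall seccomp_argfilter.c -o seccomp_argfilter` on a Linux box. To enforce the program for real you would add the rest of the whitelist, then call prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) followed by prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) with a struct sock_fprog wrapping the array; run_filter exists only so the rules can be unit-tested without that step, and the arch check at the top is the part libseccomp adds for you that a hand-written filter must not forget.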