[Qemu-devel] [PULL 00/01] seccomp branch queue

[Qemu-devel] [PULL 00/01] seccomp branch queue

[Eduardo Otubo]

The following changes since commit 14fc618461c2756a3f0b16bf6af198c5d7731137:

  Merge remote-tracking branch 'remotes/sstabellini-http/tags/xen-20180531-tag' into staging (2018-06-01 10:16:49 +0100)

are available in the Git repository at:

  https://github.com/otubo/qemu.git tags/pull-seccomp-20180601

for you to fetch changes up to 4e488581de463218be39cff97530294534c9e85b

  seccomp: disable -sandbox if CONFIG_SECCOMP undefined (2018-06-01 13:44:15 +0200)

----------------------------------------------------------------
pull-seccomp-20180601

----------------------------------------------------------------
Yi Min Zhao (1):
      seccomp: disable -sandbox if CONFIG_SECCOMP undefined

 include/sysemu/seccomp.h |   3 +-
 qemu-seccomp.c           | 121 ++++++++++++++++++++++++++++++++++++++++++++-
 vl.c                     | 124 +++--------------------------------------------
 3 files changed, 130 insertions(+), 118 deletions(-)

-- 
2.17.0

[Qemu-devel] [PULL 01/01] seccomp: disable -sandbox if CONFIG_SECCOMP undefined

[Eduardo Otubo]

From: Yi Min Zhao <zyimin@linux.ibm.com>

If CONFIG_SECCOMP is undefined, the option 'elevatedprivileges' remains
compiled. This would make libvirt set the corresponding capability and
then trigger failure during guest startup. This patch moves the code
regarding seccomp command line options to qemu-seccomp.c file and
wraps qemu_opts_foreach finding sandbox option with CONFIG_SECCOMP.
Because parse_sandbox() is moved into qemu-seccomp.c file, change
seccomp_start() to static function.

Signed-off-by: Yi Min Zhao <zyimin@linux.ibm.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Tested-by: Ján Tomko <jtomko@redhat.com>
Acked-by: Eduardo Otubo <otubo@redhat.com>
---
 include/sysemu/seccomp.h |   3 +-
 qemu-seccomp.c           | 121 +++++++++++++++++++++++++++++++++++++-
 vl.c                     | 124 +++------------------------------------
 3 files changed, 130 insertions(+), 118 deletions(-)

diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h
index 9b092aa23f..fe859894f6 100644
--- a/include/sysemu/seccomp.h
+++ b/include/sysemu/seccomp.h
@@ -21,5 +21,6 @@
 #define QEMU_SECCOMP_SET_SPAWN       (1 << 3)
 #define QEMU_SECCOMP_SET_RESOURCECTL (1 << 4)
 
-int seccomp_start(uint32_t seccomp_opts);
+int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp);
+
 #endif
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index b770a77d33..148e4c6f24 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -13,6 +13,11 @@
  * GNU GPL, version 2 or (at your option) any later version.
  */
 #include "qemu/osdep.h"
+#include "qemu/config-file.h"
+#include "qemu/option.h"
+#include "qemu/module.h"
+#include "qemu/error-report.h"
+#include <sys/prctl.h>
 #include <seccomp.h>
 #include "sysemu/seccomp.h"
 
@@ -96,7 +101,7 @@ static const struct QemuSeccompSyscall blacklist[] = {
 };
 
 
-int seccomp_start(uint32_t seccomp_opts)
+static int seccomp_start(uint32_t seccomp_opts)
 {
     int rc = 0;
     unsigned int i = 0;
@@ -125,3 +130,117 @@ int seccomp_start(uint32_t seccomp_opts)
     seccomp_release(ctx);
     return rc;
 }
+
+#ifdef CONFIG_SECCOMP
+int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp)
+{
+    if (qemu_opt_get_bool(opts, "enable", false)) {
+        uint32_t seccomp_opts = QEMU_SECCOMP_SET_DEFAULT
+                | QEMU_SECCOMP_SET_OBSOLETE;
+        const char *value = NULL;
+
+        value = qemu_opt_get(opts, "obsolete");
+        if (value) {
+            if (g_str_equal(value, "allow")) {
+                seccomp_opts &= ~QEMU_SECCOMP_SET_OBSOLETE;
+            } else if (g_str_equal(value, "deny")) {
+                /* this is the default option, this if is here
+                 * to provide a little bit of consistency for
+                 * the command line */
+            } else {
+                error_report("invalid argument for obsolete");
+                return -1;
+            }
+        }
+
+        value = qemu_opt_get(opts, "elevateprivileges");
+        if (value) {
+            if (g_str_equal(value, "deny")) {
+                seccomp_opts |= QEMU_SECCOMP_SET_PRIVILEGED;
+            } else if (g_str_equal(value, "children")) {
+                seccomp_opts |= QEMU_SECCOMP_SET_PRIVILEGED;
+
+                /* calling prctl directly because we're
+                 * not sure if host has CAP_SYS_ADMIN set*/
+                if (prctl(PR_SET_NO_NEW_PRIVS, 1)) {
+                    error_report("failed to set no_new_privs "
+                                 "aborting");
+                    return -1;
+                }
+            } else if (g_str_equal(value, "allow")) {
+                /* default value */
+            } else {
+                error_report("invalid argument for elevateprivileges");
+                return -1;
+            }
+        }
+
+        value = qemu_opt_get(opts, "spawn");
+        if (value) {
+            if (g_str_equal(value, "deny")) {
+                seccomp_opts |= QEMU_SECCOMP_SET_SPAWN;
+            } else if (g_str_equal(value, "allow")) {
+                /* default value */
+            } else {
+                error_report("invalid argument for spawn");
+                return -1;
+            }
+        }
+
+        value = qemu_opt_get(opts, "resourcecontrol");
+        if (value) {
+            if (g_str_equal(value, "deny")) {
+                seccomp_opts |= QEMU_SECCOMP_SET_RESOURCECTL;
+            } else if (g_str_equal(value, "allow")) {
+                /* default value */
+            } else {
+                error_report("invalid argument for resourcecontrol");
+                return -1;
+            }
+        }
+
+        if (seccomp_start(seccomp_opts) < 0) {
+            error_report("failed to install seccomp syscall filter "
+                         "in the kernel");
+            return -1;
+        }
+    }
+
+    return 0;
+}
+
+static QemuOptsList qemu_sandbox_opts = {
+    .name = "sandbox",
+    .implied_opt_name = "enable",
+    .head = QTAILQ_HEAD_INITIALIZER(qemu_sandbox_opts.head),
+    .desc = {
+        {
+            .name = "enable",
+            .type = QEMU_OPT_BOOL,
+        },
+        {
+            .name = "obsolete",
+            .type = QEMU_OPT_STRING,
+        },
+        {
+            .name = "elevateprivileges",
+            .type = QEMU_OPT_STRING,
+        },
+        {
+            .name = "spawn",
+            .type = QEMU_OPT_STRING,
+        },
+        {
+            .name = "resourcecontrol",
+            .type = QEMU_OPT_STRING,
+        },
+        { /* end of list */ }
+    },
+};
+
+static void seccomp_register(void)
+{
+    qemu_add_opts(&qemu_sandbox_opts);
+}
+opts_init(seccomp_register);
+#endif
diff --git a/vl.c b/vl.c
index c4fe25560c..70f090c823 100644
--- a/vl.c
+++ b/vl.c
@@ -28,11 +28,7 @@
 #include "qemu/cutils.h"
 #include "qemu/help_option.h"
 #include "qemu/uuid.h"
-
-#ifdef CONFIG_SECCOMP
-#include <sys/prctl.h>
 #include "sysemu/seccomp.h"
-#endif
 
 #ifdef CONFIG_SDL
 #if defined(__APPLE__) || defined(main)
@@ -259,35 +255,6 @@ static QemuOptsList qemu_rtc_opts = {
     },
 };
 
-static QemuOptsList qemu_sandbox_opts = {
-    .name = "sandbox",
-    .implied_opt_name = "enable",
-    .head = QTAILQ_HEAD_INITIALIZER(qemu_sandbox_opts.head),
-    .desc = {
-        {
-            .name = "enable",
-            .type = QEMU_OPT_BOOL,
-        },
-        {
-            .name = "obsolete",
-            .type = QEMU_OPT_STRING,
-        },
-        {
-            .name = "elevateprivileges",
-            .type = QEMU_OPT_STRING,
-        },
-        {
-            .name = "spawn",
-            .type = QEMU_OPT_STRING,
-        },
-        {
-            .name = "resourcecontrol",
-            .type = QEMU_OPT_STRING,
-        },
-        { /* end of list */ }
-    },
-};
-
 static QemuOptsList qemu_option_rom_opts = {
     .name = "option-rom",
     .implied_opt_name = "romfile",
@@ -1050,88 +1017,6 @@ static int bt_parse(const char *opt)
     return 1;
 }
 
-static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp)
-{
-    if (qemu_opt_get_bool(opts, "enable", false)) {
-#ifdef CONFIG_SECCOMP
-        uint32_t seccomp_opts = QEMU_SECCOMP_SET_DEFAULT
-                | QEMU_SECCOMP_SET_OBSOLETE;
-        const char *value = NULL;
-
-        value = qemu_opt_get(opts, "obsolete");
-        if (value) {
-            if (g_str_equal(value, "allow")) {
-                seccomp_opts &= ~QEMU_SECCOMP_SET_OBSOLETE;
-            } else if (g_str_equal(value, "deny")) {
-                /* this is the default option, this if is here
-                 * to provide a little bit of consistency for
-                 * the command line */
-            } else {
-                error_report("invalid argument for obsolete");
-                return -1;
-            }
-        }
-
-        value = qemu_opt_get(opts, "elevateprivileges");
-        if (value) {
-            if (g_str_equal(value, "deny")) {
-                seccomp_opts |= QEMU_SECCOMP_SET_PRIVILEGED;
-            } else if (g_str_equal(value, "children")) {
-                seccomp_opts |= QEMU_SECCOMP_SET_PRIVILEGED;
-
-                /* calling prctl directly because we're
-                 * not sure if host has CAP_SYS_ADMIN set*/
-                if (prctl(PR_SET_NO_NEW_PRIVS, 1)) {
-                    error_report("failed to set no_new_privs "
-                                 "aborting");
-                    return -1;
-                }
-            } else if (g_str_equal(value, "allow")) {
-                /* default value */
-            } else {
-                error_report("invalid argument for elevateprivileges");
-                return -1;
-            }
-        }
-
-        value = qemu_opt_get(opts, "spawn");
-        if (value) {
-            if (g_str_equal(value, "deny")) {
-                seccomp_opts |= QEMU_SECCOMP_SET_SPAWN;
-            } else if (g_str_equal(value, "allow")) {
-                /* default value */
-            } else {
-                error_report("invalid argument for spawn");
-                return -1;
-            }
-        }
-
-        value = qemu_opt_get(opts, "resourcecontrol");
-        if (value) {
-            if (g_str_equal(value, "deny")) {
-                seccomp_opts |= QEMU_SECCOMP_SET_RESOURCECTL;
-            } else if (g_str_equal(value, "allow")) {
-                /* default value */
-            } else {
-                error_report("invalid argument for resourcecontrol");
-                return -1;
-            }
-        }
-
-        if (seccomp_start(seccomp_opts) < 0) {
-            error_report("failed to install seccomp syscall filter "
-                         "in the kernel");
-            return -1;
-        }
-#else
-        error_report("seccomp support is disabled");
-        return -1;
-#endif
-    }
-
-    return 0;
-}
-
 static int parse_name(void *opaque, QemuOpts *opts, Error **errp)
 {
     const char *proc_name;
@@ -3079,7 +2964,6 @@ int main(int argc, char **argv, char **envp)
     qemu_add_opts(&qemu_mem_opts);
     qemu_add_opts(&qemu_smp_opts);
     qemu_add_opts(&qemu_boot_opts);
-    qemu_add_opts(&qemu_sandbox_opts);
     qemu_add_opts(&qemu_add_fd_opts);
     qemu_add_opts(&qemu_object_opts);
     qemu_add_opts(&qemu_tpmdev_opts);
@@ -3980,11 +3864,17 @@ int main(int argc, char **argv, char **envp)
                 qtest_log = optarg;
                 break;
             case QEMU_OPTION_sandbox:
+#ifdef CONFIG_SECCOMP
                 opts = qemu_opts_parse_noisily(qemu_find_opts("sandbox"),
                                                optarg, true);
                 if (!opts) {
                     exit(1);
                 }
+#else
+                error_report("-sandbox support is not enabled "
+                             "in this QEMU binary");
+                exit(1);
+#endif
                 break;
             case QEMU_OPTION_add_fd:
 #ifndef _WIN32
@@ -4077,10 +3967,12 @@ int main(int argc, char **argv, char **envp)
         exit(1);
     }
 
+#ifdef CONFIG_SECCOMP
     if (qemu_opts_foreach(qemu_find_opts("sandbox"),
                           parse_sandbox, NULL, NULL)) {
         exit(1);
     }
+#endif
 
     if (qemu_opts_foreach(qemu_find_opts("name"),
                           parse_name, NULL, NULL)) {
-- 
2.17.0

Re: [Qemu-devel] [PULL 00/01] seccomp branch queue

[Peter Maydell]

On 1 June 2018 at 13:08, Eduardo Otubo <otubo@redhat.com> wrote:
> The following changes since commit 14fc618461c2756a3f0b16bf6af198c5d7731137:
>
>   Merge remote-tracking branch 'remotes/sstabellini-http/tags/xen-20180531-tag' into staging (2018-06-01 10:16:49 +0100)
>
> are available in the Git repository at:
>
>   https://github.com/otubo/qemu.git tags/pull-seccomp-20180601
>
> for you to fetch changes up to 4e488581de463218be39cff97530294534c9e85b
>
>   seccomp: disable -sandbox if CONFIG_SECCOMP undefined (2018-06-01 13:44:15 +0200)
>
> ----------------------------------------------------------------
> pull-seccomp-20180601
>
> ----------------------------------------------------------------
> Yi Min Zhao (1):
>       seccomp: disable -sandbox if CONFIG_SECCOMP undefined
>
>  include/sysemu/seccomp.h |   3 +-
>  qemu-seccomp.c           | 121 ++++++++++++++++++++++++++++++++++++++++++++-
>  vl.c                     | 124 +++--------------------------------------------
>  3 files changed, 130 insertions(+), 118 deletions(-)
>

Applied, thanks.

-- PMM

[Qemu-devel] [PULL 00/01] seccomp branch queue

[Eduardo Otubo]

The following changes since commit 8dfaf23ae1f2273a9730a9b309cc8471269bb524:

  tcg/tci: fix tcg-interpreter build (2017-06-20 18:39:15 +0100)

are available in the git repository at:

  https://github.com/otubo/qemu.git tags/pull-seccomp-20170622

for you to fetch changes up to 064983cb0a18c5adc4ec791c00792f74ebf50ca4:

  MAINTAINERS: seccomp: change email contact for Eduardo Otubo (2017-06-22 09:58:00 +0200)

----------------------------------------------------------------
seccomp branch queue

----------------------------------------------------------------
Eduardo Otubo (1):
      MAINTAINERS: seccomp: change email contact for Eduardo Otubo

 MAINTAINERS | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.9.4

Re: [Qemu-devel] [PULL 00/01] seccomp branch queue

[Peter Maydell]

On 22 June 2017 at 09:33, Eduardo Otubo <otubo@redhat.com> wrote:
> The following changes since commit 8dfaf23ae1f2273a9730a9b309cc8471269bb524:
>
>   tcg/tci: fix tcg-interpreter build (2017-06-20 18:39:15 +0100)
>
> are available in the git repository at:
>
>   https://github.com/otubo/qemu.git tags/pull-seccomp-20170622
>
> for you to fetch changes up to 064983cb0a18c5adc4ec791c00792f74ebf50ca4:
>
>   MAINTAINERS: seccomp: change email contact for Eduardo Otubo (2017-06-22 09:58:00 +0200)
>
> ----------------------------------------------------------------
> seccomp branch queue
>
> ----------------------------------------------------------------
> Eduardo Otubo (1):
>       MAINTAINERS: seccomp: change email contact for Eduardo Otubo

Hi Eduardo -- this pullreq isn't signed with the gpg key I have
on record for you, and the keyservers say the key it is signed
with hasn't been signed by anybody else...

thanks
-- PMM

Re: [Qemu-devel] [PULL 00/01] seccomp branch queue

[Peter Maydell]

On 22 June 2017 at 09:33, Eduardo Otubo <otubo@redhat.com> wrote:
> The following changes since commit 8dfaf23ae1f2273a9730a9b309cc8471269bb524:
>
>   tcg/tci: fix tcg-interpreter build (2017-06-20 18:39:15 +0100)
>
> are available in the git repository at:
>
>   https://github.com/otubo/qemu.git tags/pull-seccomp-20170622
>
> for you to fetch changes up to 064983cb0a18c5adc4ec791c00792f74ebf50ca4:
>
>   MAINTAINERS: seccomp: change email contact for Eduardo Otubo (2017-06-22 09:58:00 +0200)
>
> ----------------------------------------------------------------
> seccomp branch queue
>
> ----------------------------------------------------------------
> Eduardo Otubo (1):
>       MAINTAINERS: seccomp: change email contact for Eduardo Otubo
>
>  MAINTAINERS | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)


Applied, thanks.

-- PMM

[Qemu-devel] [PULL 00/01] seccomp branch queue

[Eduardo Otubo]

The following changes since commit a008535b9fa396226ff9cf78b8ac5f3584bda58e:

  build-sys: fix make install regression (2016-09-20 11:32:43 +0100)

are available in the git repository at:

  git://github.com/otubo/qemu.git tags/pull-seccomp-20160921

for you to fetch changes up to cf9dc9e4807464a9d0b3d7368b818323e14921eb:

  seccomp: adding getrusage to the whitelist (2016-09-21 11:26:02 +0200)

----------------------------------------------------------------
seccomp branch queue

----------------------------------------------------------------
Eduardo Otubo (1):
      seccomp: adding getrusage to the whitelist

 qemu-seccomp.c | 1 +
 1 file changed, 1 insertion(+)

-- 
2.7.4

Re: [Qemu-devel] [PULL 00/01] seccomp branch queue

[Peter Maydell]

On 21 September 2016 at 10:38, Eduardo Otubo
<eduardo.otubo@profitbricks.com> wrote:
> The following changes since commit a008535b9fa396226ff9cf78b8ac5f3584bda58e:
>
>   build-sys: fix make install regression (2016-09-20 11:32:43 +0100)
>
> are available in the git repository at:
>
>   git://github.com/otubo/qemu.git tags/pull-seccomp-20160921
>
> for you to fetch changes up to cf9dc9e4807464a9d0b3d7368b818323e14921eb:
>
>   seccomp: adding getrusage to the whitelist (2016-09-21 11:26:02 +0200)
>
> ----------------------------------------------------------------
> seccomp branch queue
>
> ----------------------------------------------------------------

Applied, thanks.

-- PMM

[Qemu-devel] [PULL 00/01] seccomp branch queue

[Eduardo Otubo]

The following changes since commit 482b61844ae7c6df39df0b48ac90ffbc87bed7d2:

  Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20160617' into staging (2016-06-17 16:16:37 +0100)

are available in the git repository at:

  git://github.com/otubo/qemu.git tags/pull-seccomp-20160620

for you to fetch changes up to 3e684455032a748be261e5a2524147940af9b6d9:

  seccomp: Add support for ppc/ppc64 (2016-06-20 11:04:09 +0200)

----------------------------------------------------------------
seccomp branch queue

----------------------------------------------------------------
Michael Strosaker (1):
      seccomp: Add support for ppc/ppc64

 configure | 3 +++
 1 file changed, 3 insertions(+)

-- 
2.1.4

Re: [Qemu-devel] [PULL 00/01] seccomp branch queue

[Peter Maydell]

On 20 June 2016 at 10:17, Eduardo Otubo <eduardo.otubo@profitbricks.com> wrote:
> The following changes since commit 482b61844ae7c6df39df0b48ac90ffbc87bed7d2:
>
>   Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20160617' into staging (2016-06-17 16:16:37 +0100)
>
> are available in the git repository at:
>
>   git://github.com/otubo/qemu.git tags/pull-seccomp-20160620
>
> for you to fetch changes up to 3e684455032a748be261e5a2524147940af9b6d9:
>
>   seccomp: Add support for ppc/ppc64 (2016-06-20 11:04:09 +0200)
>
> ----------------------------------------------------------------
> seccomp branch queue
>
> ----------------------------------------------------------------
> Michael Strosaker (1):
>       seccomp: Add support for ppc/ppc64

Applied, thanks.

-- PMM

[Qemu-devel] [PULL 00/01] seccomp branch queue

[Eduardo Otubo]

The following changes since commit 8f970eff6e318524f189f105c236e47633759890:

  Merge remote-tracking branch 'remotes/kraxel/tags/pull-input-20150122-1' into staging (2015-01-22 17:41:59 +0000)

are available in the git repository at:


  https://github.com/otubo/qemu.git tags/pull-seccomp-20150123

for you to fetch changes up to 4b45b055491a319292beefb8080a81d96cf55cf6:

  seccomp: add mlockall to whitelist (2015-01-23 14:07:08 +0100)

----------------------------------------------------------------
seccomp branch queue

----------------------------------------------------------------
Paolo Bonzini (1):
      seccomp: add mlockall to whitelist

 qemu-seccomp.c | 1 +
 1 file changed, 1 insertion(+)

-- 
1.9.1

Re: [Qemu-devel] [PULL 00/01] seccomp branch queue

[Peter Maydell]

On 23 January 2015 at 13:21, Eduardo Otubo
<eduardo.otubo@profitbricks.com> wrote:
> The following changes since commit 8f970eff6e318524f189f105c236e47633759890:
>
>   Merge remote-tracking branch 'remotes/kraxel/tags/pull-input-20150122-1' into staging (2015-01-22 17:41:59 +0000)
>
> are available in the git repository at:
>
>
>   https://github.com/otubo/qemu.git tags/pull-seccomp-20150123
>
> for you to fetch changes up to 4b45b055491a319292beefb8080a81d96cf55cf6:
>
>   seccomp: add mlockall to whitelist (2015-01-23 14:07:08 +0100)
>
> ----------------------------------------------------------------
> seccomp branch queue
>
> ----------------------------------------------------------------

Applied, thanks.

-- PMM