From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Kevin Wolf" <kwolf@redhat.com>,
"Eduardo Otubo" <otubo@redhat.com>,
"Daniel P. Berrangé" <berrange@redhat.com>,
qemu-block@nongnu.org, "Kashyap Chamarthy" <kchamart@redhat.com>,
"Richard W.M. Jones" <rjones@redhat.com>,
"Philippe Mathieu-Daudé" <f4bug@amsat.org>,
"Hanna Reitz" <hreitz@redhat.com>
Subject: [PULL 07/10] seccomp: block use of clone3 syscall
Date: Thu, 17 Feb 2022 11:57:20 +0000 [thread overview]
Message-ID: <20220217115723.1782616-8-berrange@redhat.com> (raw)
In-Reply-To: <20220217115723.1782616-1-berrange@redhat.com>
Modern glibc will use clone3 instead of clone, when it detects that it
is available. We need to compare flags in order to decide whether to
allow clone (thread create vs process fork), but in clone3 the flags
are hidden inside a struct. Seccomp can't currently match on data inside
a struct, so our only option is to block clone3 entirely. If we use
ENOSYS to block it, then glibc transparently falls back to clone.
This may need to be revisited if Linux adds a new architecture in
future and only provides clone3, without clone.
Acked-by: Eduardo Otubo <otubo@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
softmmu/qemu-seccomp.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/softmmu/qemu-seccomp.c b/softmmu/qemu-seccomp.c
index 57139cc9ce..a7bb5c350f 100644
--- a/softmmu/qemu-seccomp.c
+++ b/softmmu/qemu-seccomp.c
@@ -244,6 +244,10 @@ static const struct QemuSeccompSyscall denylist[] = {
RULE_CLONE_FLAG(CLONE_NEWPID),
RULE_CLONE_FLAG(CLONE_NEWNET),
RULE_CLONE_FLAG(CLONE_IO),
+#ifdef __SNR_clone3
+ { SCMP_SYS(clone3), QEMU_SECCOMP_SET_SPAWN,
+ 0, NULL, SCMP_ACT_ERRNO(ENOSYS) },
+#endif
/* resource control */
{ SCMP_SYS(setpriority), QEMU_SECCOMP_SET_RESOURCECTL,
0, NULL, SCMP_ACT_ERRNO(EPERM) },
--
2.34.1
next prev parent reply other threads:[~2022-02-17 12:14 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-17 11:57 [PULL 00/10] Misc next patches Daniel P. Berrangé
2022-02-17 11:57 ` [PULL 01/10] block: better document SSH host key fingerprint checking Daniel P. Berrangé
2022-02-17 11:57 ` [PULL 02/10] block: support sha256 fingerprint with pre-blockdev options Daniel P. Berrangé
2022-02-17 11:57 ` [PULL 03/10] block: print the server key type and fingerprint on failure Daniel P. Berrangé
2022-02-17 11:57 ` [PULL 04/10] seccomp: allow action to be customized per syscall Daniel P. Berrangé
2022-02-17 11:57 ` [PULL 05/10] seccomp: add unit test for seccomp filtering Daniel P. Berrangé
2022-02-17 11:57 ` [PULL 06/10] seccomp: fix blocking of process spawning Daniel P. Berrangé
2022-02-17 11:57 ` Daniel P. Berrangé [this message]
2022-02-17 11:57 ` [PULL 08/10] seccomp: block setns, unshare and execveat syscalls Daniel P. Berrangé
2022-02-17 11:57 ` [PULL 09/10] MAINTAINERS: take over seccomp from Eduardo Otubo Daniel P. Berrangé
2022-02-17 11:57 ` [PULL 10/10] docs: expand firmware descriptor to allow flash without NVRAM Daniel P. Berrangé
2022-02-18 20:05 ` [PULL 00/10] Misc next patches Peter Maydell
2022-02-21 19:17 ` Daniel P. Berrangé
2022-02-24 12:48 ` Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220217115723.1782616-8-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=f4bug@amsat.org \
--cc=hreitz@redhat.com \
--cc=kchamart@redhat.com \
--cc=kwolf@redhat.com \
--cc=otubo@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=rjones@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).