From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Cc: Kevin Wolf, Eduardo Otubo, Daniel P. Berrangé, qemu-block@nongnu.org, Kashyap Chamarthy, "Richard W.M. Jones", Philippe Mathieu-Daudé, Hanna Reitz
Subject: [PULL 07/10] seccomp: block use of clone3 syscall
Date: Thu, 17 Feb 2022 11:57:20 +0000
Message-Id: <20220217115723.1782616-8-berrange@redhat.com>
In-Reply-To: <20220217115723.1782616-1-berrange@redhat.com>
References: <20220217115723.1782616-1-berrange@redhat.com>

Modern glibc will use clone3 instead of clone, when it detects that it is
available. We need to compare flags in order to decide whether to allow
clone (thread create vs process fork), but in clone3 the flags are hidden
inside a struct. Seccomp can't currently match on data inside a struct,
so our only option is to block clone3 entirely. If we use ENOSYS to block
it, then glibc transparently falls back to clone.
This may need to be revisited if Linux adds a new architecture in future
and only provides clone3, without clone.

Acked-by: Eduardo Otubo
Signed-off-by: Daniel P. Berrangé
---
 softmmu/qemu-seccomp.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/softmmu/qemu-seccomp.c b/softmmu/qemu-seccomp.c
index 57139cc9ce..a7bb5c350f 100644
--- a/softmmu/qemu-seccomp.c
+++ b/softmmu/qemu-seccomp.c
@@ -244,6 +244,10 @@ static const struct QemuSeccompSyscall denylist[] = {
     RULE_CLONE_FLAG(CLONE_NEWPID),
     RULE_CLONE_FLAG(CLONE_NEWNET),
     RULE_CLONE_FLAG(CLONE_IO),
+#ifdef __SNR_clone3
+    { SCMP_SYS(clone3), QEMU_SECCOMP_SET_SPAWN,
+      0, NULL, SCMP_ACT_ERRNO(ENOSYS) },
+#endif
     /* resource control */
     { SCMP_SYS(setpriority), QEMU_SECCOMP_SET_RESOURCECTL,
       0, NULL, SCMP_ACT_ERRNO(EPERM) },
-- 
2.34.1
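Review bot: the new entry returns ENOSYS while the neighbouring denylist entries (e.g. the setpriority rule right below) return EPERM, and nothing at the rule site says why; please add a one-line comment next to `SCMP_ACT_ERRNO(ENOSYS)` such as "ENOSYS so glibc falls back to clone, which the CLONE_* rules above can inspect", since a later cleanup that harmonises it to EPERM would leave glibc with no fallback and break thread creation. Second, the `#ifdef __SNR_clone3` guard means a build against a libseccomp that does not know clone3 silently drops the entry, and a syscall absent from this denylist is not blocked, so the RULE_CLONE_FLAG checks above are bypassed on such builds; the commit message should mention that dependency, or configure should warn when __SNR_clone3 is unavailable.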
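The mechanism the commit message relies on, as an added example that is not part of the patch or of QEMU: a raw BPF seccomp filter with the same effect as the new rule (clone3 answered with ENOSYS, everything else allowed), followed by a probe showing that clone3 now fails with ENOSYS while fork() still succeeds because glibc retries with clone. It assumes a Linux build where `__NR_clone3` is 435 if the headers lack it, and omits the seccomp_data.arch check a production filter would add.

```c
/* Added example, not QEMU's code: a raw BPF seccomp filter with the effect of
 * the rule in this patch (clone3 -> ENOSYS, everything else allowed), then a
 * probe showing clone3 fails with ENOSYS while fork() still works because
 * glibc retries with clone. Linux only; a production filter would also check
 * seccomp_data.arch before trusting the syscall number. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#ifndef __NR_clone3
#define __NR_clone3 435 /* assumption: same number on every arch that has clone3 */
#endif

/* Install the filter; returns 0 on success, -1 (errno set) on failure. */
int block_clone3_with_enosys(void)
{
    struct sock_filter prog[] = {
        /* nr == clone3 ? ERRNO(ENOSYS) : ALLOW. The filter only sees the
         * pointer to struct clone_args, never the flags inside it. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone3, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = (unsigned short)(sizeof(prog) / sizeof(prog[0])),
                                .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) /* needed when unprivileged */
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* clone3 with size 0 never creates a task: the kernel answers EINVAL, the
 * filter answers ENOSYS. Returns the errno observed (0 if it oddly succeeded). */
int clone3_probe_errno(void)
{
    errno = 0;
    return syscall(__NR_clone3, NULL, (size_t)0) == -1 ? errno : 0;
}

/* 1 if a child can still be forked and reaped under the filter, else 0. */
int fork_still_works(void)
{
    int status;
    pid_t pid = fork();
    if (pid == 0) _exit(0);
    return pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status);
}
```

Run the three functions in that order from your own main; once the filter is installed, the probe reports ENOSYS and fork() still returns a reapable child.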