* [Qemu-devel] [PATCH] seccomp: add arch_prctl() to the syscall whitelist
From: Paul Moore @ 2013-07-18 13:57 UTC (permalink / raw)
To: qemu-devel, qemu-stable; +Cc: coreyb, otubo

It appears that even a very simple /etc/qemu-ifup configuration can
require the arch_prctl() syscall, see the example below:

    #!/bin/sh
    /sbin/ifconfig $1 0.0.0.0 up
    /usr/sbin/brctl addif <switch> $1

Signed-off-by: Paul Moore <pmoore@redhat.com>
---
qemu-seccomp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 173d185..9e91c73 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -234,7 +234,8 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
{ SCMP_SYS(waitid), 241 },
{ SCMP_SYS(io_cancel), 241 },
{ SCMP_SYS(io_setup), 241 },
- { SCMP_SYS(io_destroy), 241 }
+ { SCMP_SYS(io_destroy), 241 },
+ { SCMP_SYS(arch_prctl), 240 }
};
int seccomp_start(void)
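
Review bot: The new `{ SCMP_SYS(arch_prctl), 240 }` entry uses priority 240 while every neighbouring entry in this hunk uses 241, and neither the hunk nor the commit message explains the difference. A short comment on the entry, or a sentence in the commit message, should give the reason for that priority and name which process in the /etc/qemu-ifup path issues arch_prctl(), because the entry as shown allows the syscall by number alone, with no argument restriction visible in these lines.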
* Re: [Qemu-devel] [PATCH] seccomp: add arch_prctl() to the syscall whitelist
From: Paul Moore @ 2013-07-23 13:57 UTC (permalink / raw)
To: qemu-devel, qemu-stable; +Cc: coreyb, otubo
On Thursday, July 18, 2013 09:57:03 AM Paul Moore wrote:
> It appears that even a very simple /etc/qemu-ifup configuration can
> require the arch_prctl() syscall, see the example below:
>
> #!/bin/sh
> /sbin/ifconfig $1 0.0.0.0 up
> /usr/sbin/brctl addif <switch> $1
>
> Signed-off-by: Paul Moore <pmoore@redhat.com>
As with the other fix, a gentle nudge so this isn't forgotten.
> ---
> qemu-seccomp.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/qemu-seccomp.c b/qemu-seccomp.c
> index 173d185..9e91c73 100644
> --- a/qemu-seccomp.c
> +++ b/qemu-seccomp.c
> @@ -234,7 +234,8 @@ static const struct QemuSeccompSyscall
> seccomp_whitelist[] = { { SCMP_SYS(waitid), 241 },
> { SCMP_SYS(io_cancel), 241 },
> { SCMP_SYS(io_setup), 241 },
> - { SCMP_SYS(io_destroy), 241 }
> + { SCMP_SYS(io_destroy), 241 },
> + { SCMP_SYS(arch_prctl), 240 }
> };
>
> int seccomp_start(void)
--
paul moore
security and virtualization @ redhat
* Re: [Qemu-devel] [PATCH] seccomp: add arch_prctl() to the syscall whitelist
From: Eduardo Otubo @ 2013-07-24 18:01 UTC (permalink / raw)
To: Paul Moore; +Cc: coreyb, qemu-devel, qemu-stable
On 07/23/2013 10:57 AM, Paul Moore wrote:
> On Thursday, July 18, 2013 09:57:03 AM Paul Moore wrote:
>> It appears that even a very simple /etc/qemu-ifup configuration can
>> require the arch_prctl() syscall, see the example below:
>>
>> #!/bin/sh
>> /sbin/ifconfig $1 0.0.0.0 up
>> /usr/sbin/brctl addif <switch> $1
>>
>> Signed-off-by: Paul Moore <pmoore@redhat.com>
>
> As with the other fix, a gentle nudge so this isn't forgotten.
Reviewed and tested.
Reviewed-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
>
>> ---
>> qemu-seccomp.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/qemu-seccomp.c b/qemu-seccomp.c
>> index 173d185..9e91c73 100644
>> --- a/qemu-seccomp.c
>> +++ b/qemu-seccomp.c
>> @@ -234,7 +234,8 @@ static const struct QemuSeccompSyscall
>> seccomp_whitelist[] = { { SCMP_SYS(waitid), 241 },
>> { SCMP_SYS(io_cancel), 241 },
>> { SCMP_SYS(io_setup), 241 },
>> - { SCMP_SYS(io_destroy), 241 }
>> + { SCMP_SYS(io_destroy), 241 },
>> + { SCMP_SYS(arch_prctl), 240 }
>> };
>>
>> int seccomp_start(void)
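
Review bot: The `io_destroy` line is rewritten only to gain a trailing comma, so the next addition to seccomp_whitelist[] will have to touch the then-last `arch_prctl` entry in the same way. Ending the new `{ SCMP_SYS(arch_prctl), 240 }` line with a comma as well would keep future whitelist additions to single-line diffs that are easier to audit.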
--
Eduardo Otubo
IBM Linux Technology Center
* Re: [Qemu-devel] [PATCH] seccomp: add arch_prctl() to the syscall whitelist
From: Paul Moore @ 2013-07-29 22:12 UTC (permalink / raw)
To: qemu-devel; +Cc: coreyb, qemu-stable, Eduardo Otubo
On Wednesday, July 24, 2013 03:01:57 PM Eduardo Otubo wrote:
> On 07/23/2013 10:57 AM, Paul Moore wrote:
> > On Thursday, July 18, 2013 09:57:03 AM Paul Moore wrote:
> >> It appears that even a very simple /etc/qemu-ifup configuration can
> >> require the arch_prctl() syscall, see the example below:
> >>
> >> #!/bin/sh
> >> /sbin/ifconfig $1 0.0.0.0 up
> >> /usr/sbin/brctl addif <switch> $1
> >>
> >> Signed-off-by: Paul Moore <pmoore@redhat.com>
> >
> > As with the other fix, a gentle nudge so this isn't forgotten.
>
> Reviewed and tested.
>
> Reviewed-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
Any chance of merging this patch?
> >> ---
> >>
> >> qemu-seccomp.c | 3 ++-
> >> 1 file changed, 2 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/qemu-seccomp.c b/qemu-seccomp.c
> >> index 173d185..9e91c73 100644
> >> --- a/qemu-seccomp.c
> >> +++ b/qemu-seccomp.c
> >> @@ -234,7 +234,8 @@ static const struct QemuSeccompSyscall
> >> seccomp_whitelist[] = { { SCMP_SYS(waitid), 241 },
> >>
> >> { SCMP_SYS(io_cancel), 241 },
> >> { SCMP_SYS(io_setup), 241 },
> >>
> >> - { SCMP_SYS(io_destroy), 241 }
> >> + { SCMP_SYS(io_destroy), 241 },
> >> + { SCMP_SYS(arch_prctl), 240 }
> >>
> >> };
> >>
> >> int seccomp_start(void)
--
paul moore
security and virtualization @ redhat
* Re: [Qemu-devel] [PATCH] seccomp: add arch_prctl() to the syscall whitelist
From: Anthony Liguori @ 2013-08-02 12:35 UTC (permalink / raw)
To: Paul Moore, qemu-devel, qemu-stable; +Cc: coreyb, Eduardo Otubo
Applied. Thanks.
Regards,
Anthony Liguori