From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <5093CF47.9030401@linux.vnet.ibm.com>
Date: Fri, 02 Nov 2012 09:48:55 -0400
From: Corey Bryant
MIME-Version: 1.0
References: <1350971732-16621-1-git-send-email-otubo@linux.vnet.ibm.com> <2070927.ckAog9Xh3T@sifl>
In-Reply-To: <2070927.ckAog9Xh3T@sifl>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCHv2 1/4] Adding new syscalls (bugzilla 855162)
To: Paul Moore
Cc: aliguori@us.ibm.com, qemu-devel@nongnu.org, Eduardo Otubo

On 11/01/2012 05:43 PM, Paul Moore wrote:
> On Tuesday, October 23, 2012 03:55:29 AM Eduardo Otubo wrote:
>> According to the bug 855162[0] - there's the need of adding new syscalls
>> to the whitelist when using Qemu with Libvirt.
>>
>> [0] - https://bugzilla.redhat.com/show_bug.cgi?id=855162
>>
>> v2: Adding new syscalls to the list: readlink, rt_sigpending, and
>> rt_sigtimedwait
>>
>> Reported-by: Paul Moore
>> Signed-off-by: Eduardo Otubo
>> ---
>> qemu-seccomp.c | 13 ++++++++++++-
>> 1 file changed, 12 insertions(+), 1 deletion(-)
>
> I had an opportunity to test this patchset on a F17 machine using QEMU 1.2 and
> unfortunately it still fails. I'm using a relatively basic guest
> configuration running F16, the details are documented in the RH BZ that
> Eduardo mentioned in the patch description.

Paul,

Here's the latest diff for the whitelist. We're looking to get the patches out in the next few days after a bit more testing.

diff --git a/qemu-seccomp.c b/qemu-seccomp.c index 64329a3..81aaf74 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -45,6 +45,12 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = { { SCMP_SYS(access), 245 }, { SCMP_SYS(prctl), 245 }, { SCMP_SYS(signalfd), 245 }, + { SCMP_SYS(getrlimit), 245 }, + { SCMP_SYS(set_tid_address), 245 }, + { SCMP_SYS(socketpair), 245 }, + { SCMP_SYS(statfs), 245 }, + { SCMP_SYS(unlink), 245 }, + { SCMP_SYS(wait4), 245 }, #if defined(__i386__) { SCMP_SYS(fcntl64), 245 }, { SCMP_SYS(fstat64), 245 }, 
@@ -59,6 +65,8 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = { { SCMP_SYS(mmap2), 245}, { SCMP_SYS(sigprocmask), 245 }, #elif defined(__x86_64__) + { SCMP_SYS(semget), 245}, +#endif { SCMP_SYS(sched_getparam), 245}, { SCMP_SYS(sched_getscheduler), 245}, { SCMP_SYS(fstat), 245}, @@ -69,11 +77,15 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = { { SCMP_SYS(socket), 245}, { SCMP_SYS(setsockopt), 245}, { SCMP_SYS(uname), 245}, - { SCMP_SYS(semget), 245}, -#endif { SCMP_SYS(eventfd2), 245 }, { SCMP_SYS(dup), 245 }, + { SCMP_SYS(dup2), 245 }, + { SCMP_SYS(dup3), 245 }, { SCMP_SYS(gettid), 245 }, + { SCMP_SYS(getgid), 245 }, + { SCMP_SYS(getegid), 245 }, + { SCMP_SYS(getuid), 245 }, + { SCMP_SYS(geteuid), 245 }, { SCMP_SYS(timer_create), 245 }, { SCMP_SYS(exit), 245 }, { SCMP_SYS(clock_gettime), 245 }, @@ -107,7 +119,22 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = { { SCMP_SYS(getsockname), 242 }, { SCMP_SYS(getpeername), 242 }, { SCMP_SYS(fdatasync), 242 }, - { SCMP_SYS(close), 242 } + { SCMP_SYS(close), 242 }, + { SCMP_SYS(accept4), 242 }, + { SCMP_SYS(rt_sigpending), 242 }, + { SCMP_SYS(rt_sigtimedwait), 242 }, + { SCMP_SYS(readv), 242 }, + { SCMP_SYS(writev), 242 }, + { SCMP_SYS(preadv), 242 }, + { SCMP_SYS(pwritev), 242 }, + { SCMP_SYS(setrlimit), 242 }, + { SCMP_SYS(ftruncate), 242 }, + { SCMP_SYS(lstat), 242 }, + { SCMP_SYS(pipe), 242 }, + { SCMP_SYS(umask), 242 }, + { SCMP_SYS(chdir), 242 }, + { SCMP_SYS(setitimer), 242 }, + { SCMP_SYS(setsid), 242 } };

Regards,
Corey Bryant
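Review bot: The first hunk (@@ -45,6 +45,12 @@) adds six unrelated syscalls (getrlimit, set_tid_address, socketpair, statfs, unlink, wait4) with no record of which QEMU or libvirt code path needs each one; the commit message should name the trigger for every entry, since each addition widens what a compromised QEMU process is allowed to call, and unlink and wait4 in particular deserve an explicit justification. The quoted v2 description (readlink, rt_sigpending, rt_sigtimedwait) no longer matches what this diff adds and should be regenerated with it.

Review bot: The hunks at @@ -59,6 +65,8 @@ and @@ -69,11 +77,15 @@ do more than relocate semget: closing the #elif defined(__x86_64__) block right after `+ { SCMP_SYS(semget), 245},` with `+#endif`, and dropping the old `-#endif` after uname, moves the entries from sched_getparam through uname out of the architecture conditional, so they are now whitelisted on every architecture rather than only on x86_64. If that is intended, the commit message should say so; if not, the #endif belongs where it was. Minor style point: the new `{ SCMP_SYS(semget), 245}` omits the space before the closing brace that the neighbouring dup/dup2/dup3 entries use.

Review bot: In the last hunk (@@ -107,7 +119,22 @@) setrlimit, setsid, umask and chdir alter process-wide state and are whitelisted purely by syscall number, with no argument restriction, so a sentence on why each is needed would help reviewers judge the widening. The 242 priority given to readv, writev, preadv and pwritev is the lowest in the table while getuid/getegid/dup2 sit at 245; the number is only a libseccomp ordering hint and does not change what is permitted, but it should track call frequency, and vectored I/O is likely among the hottest paths here.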