* [Qemu-devel] [PATCHv3 1/5] seccomp: adding new syscalls (bugzilla 855162)
From: Eduardo Otubo @ 2012-11-12 19:48 UTC (permalink / raw)
To: qemu-devel; +Cc: pmoore, coreyb, Eduardo Otubo
According to bug 855162[0], new syscalls need to be added to the whitelist
when QEMU is used with libvirt.
[0] - https://bugzilla.redhat.com/show_bug.cgi?id=855162
v2: Adding new syscalls to the list: readlink, rt_sigpending, and
rt_sigtimedwait
v3:
* Added new syscalls based on further tests.
* Added new syscalls with priority 241 that are unknown to be
used by QEMU. We'll attempt to remove these after QEMU 1.3.
Reported-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
---
qemu-seccomp.c | 148 +++++++++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 131 insertions(+), 17 deletions(-)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 64329a3..b06a2c6 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -26,8 +26,12 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
{ SCMP_SYS(timer_gettime), 254 },
{ SCMP_SYS(futex), 253 },
{ SCMP_SYS(select), 252 },
+#if defined(__x86_64__)
{ SCMP_SYS(recvfrom), 251 },
{ SCMP_SYS(sendto), 250 },
+#elif defined(__i386__)
+ { SCMP_SYS(socketcall), 250 },
+#endif
{ SCMP_SYS(read), 249 },
{ SCMP_SYS(brk), 248 },
{ SCMP_SYS(clone), 247 },
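Review bot: The i386 branch allows the whole `socketcall` multiplexer with no argument comparison, while the x86_64 branch enumerates individual socket syscalls, so on i386 every socket operation is permitted, including ones the x86_64 list only admits at priority 241 later in this patch (`getsockopt`, `shutdown`) or not at all; the same asymmetry applies to the `ipc` entry in the next hunk versus the explicit `semget`/`semctl`/`semop`/`semtimedop` entries. Unless the rule is narrowed with a libseccomp argument comparison on the call-number argument, the i386 filter is materially wider than the x86_64 one. At minimum a comment should record this, e.g. `/* i386: socketcall/ipc multiplex all socket and SysV IPC calls; no per-call filtering */`.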
@@ -36,15 +40,30 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
{ SCMP_SYS(execve), 245 },
{ SCMP_SYS(open), 245 },
{ SCMP_SYS(ioctl), 245 },
+#if defined(__x86_64__)
+ { SCMP_SYS(socket), 245 },
+ { SCMP_SYS(setsockopt), 245 },
{ SCMP_SYS(recvmsg), 245 },
{ SCMP_SYS(sendmsg), 245 },
{ SCMP_SYS(accept), 245 },
{ SCMP_SYS(connect), 245 },
+ { SCMP_SYS(socketpair), 245 },
+ { SCMP_SYS(bind), 245 },
+ { SCMP_SYS(listen), 245 },
+ { SCMP_SYS(semget), 245 },
+#elif defined(__i386__)
+ { SCMP_SYS(ipc), 245 },
+#endif
{ SCMP_SYS(gettimeofday), 245 },
{ SCMP_SYS(readlink), 245 },
{ SCMP_SYS(access), 245 },
{ SCMP_SYS(prctl), 245 },
{ SCMP_SYS(signalfd), 245 },
+ { SCMP_SYS(getrlimit), 245 },
+ { SCMP_SYS(set_tid_address), 245 },
+ { SCMP_SYS(statfs), 245 },
+ { SCMP_SYS(unlink), 245 },
+ { SCMP_SYS(wait4), 245 },
#if defined(__i386__)
{ SCMP_SYS(fcntl64), 245 },
{ SCMP_SYS(fstat64), 245 },
@@ -56,24 +75,26 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
{ SCMP_SYS(sigreturn), 245 },
{ SCMP_SYS(_newselect), 245 },
{ SCMP_SYS(_llseek), 245 },
- { SCMP_SYS(mmap2), 245},
+ { SCMP_SYS(mmap2), 245 },
{ SCMP_SYS(sigprocmask), 245 },
-#elif defined(__x86_64__)
- { SCMP_SYS(sched_getparam), 245},
- { SCMP_SYS(sched_getscheduler), 245},
- { SCMP_SYS(fstat), 245},
- { SCMP_SYS(clock_getres), 245},
- { SCMP_SYS(sched_get_priority_min), 245},
- { SCMP_SYS(sched_get_priority_max), 245},
- { SCMP_SYS(stat), 245},
- { SCMP_SYS(socket), 245},
- { SCMP_SYS(setsockopt), 245},
- { SCMP_SYS(uname), 245},
- { SCMP_SYS(semget), 245},
#endif
+ { SCMP_SYS(sched_getparam), 245 },
+ { SCMP_SYS(sched_getscheduler), 245 },
+ { SCMP_SYS(fstat), 245 },
+ { SCMP_SYS(clock_getres), 245 },
+ { SCMP_SYS(sched_get_priority_min), 245 },
+ { SCMP_SYS(sched_get_priority_max), 245 },
+ { SCMP_SYS(stat), 245 },
+ { SCMP_SYS(uname), 245 },
{ SCMP_SYS(eventfd2), 245 },
{ SCMP_SYS(dup), 245 },
+ { SCMP_SYS(dup2), 245 },
+ { SCMP_SYS(dup3), 245 },
{ SCMP_SYS(gettid), 245 },
+ { SCMP_SYS(getgid), 245 },
+ { SCMP_SYS(getegid), 245 },
+ { SCMP_SYS(getuid), 245 },
+ { SCMP_SYS(geteuid), 245 },
{ SCMP_SYS(timer_create), 245 },
{ SCMP_SYS(exit), 245 },
{ SCMP_SYS(clock_gettime), 245 },
@@ -93,8 +114,6 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
{ SCMP_SYS(lseek), 245 },
{ SCMP_SYS(pselect6), 245 },
{ SCMP_SYS(fork), 245 },
- { SCMP_SYS(bind), 245 },
- { SCMP_SYS(listen), 245 },
{ SCMP_SYS(eventfd), 245 },
{ SCMP_SYS(rt_sigprocmask), 245 },
{ SCMP_SYS(write), 244 },
@@ -104,10 +123,105 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
{ SCMP_SYS(pipe2), 242 },
{ SCMP_SYS(munmap), 242 },
{ SCMP_SYS(mremap), 242 },
+ { SCMP_SYS(fdatasync), 242 },
+ { SCMP_SYS(close), 242 },
+ { SCMP_SYS(rt_sigpending), 242 },
+ { SCMP_SYS(rt_sigtimedwait), 242 },
+ { SCMP_SYS(readv), 242 },
+ { SCMP_SYS(writev), 242 },
+ { SCMP_SYS(preadv), 242 },
+ { SCMP_SYS(pwritev), 242 },
+ { SCMP_SYS(setrlimit), 242 },
+ { SCMP_SYS(ftruncate), 242 },
+ { SCMP_SYS(lstat), 242 },
+ { SCMP_SYS(pipe), 242 },
+ { SCMP_SYS(umask), 242 },
+ { SCMP_SYS(chdir), 242 },
+ { SCMP_SYS(setitimer), 242 },
+ { SCMP_SYS(setsid), 242 },
+ { SCMP_SYS(poll), 242 },
+#if defined(__i386__)
+ { SCMP_SYS(waitpid), 242 },
+#elif defined(__x86_64__)
{ SCMP_SYS(getsockname), 242 },
{ SCMP_SYS(getpeername), 242 },
- { SCMP_SYS(fdatasync), 242 },
- { SCMP_SYS(close), 242 }
+ { SCMP_SYS(accept4), 242 },
+ { SCMP_SYS(newfstatat), 241 },
+ { SCMP_SYS(shutdown), 241 },
+ { SCMP_SYS(getsockopt), 241 },
+ { SCMP_SYS(semctl), 241 },
+ { SCMP_SYS(semop), 241 },
+ { SCMP_SYS(semtimedop), 241 },
+#endif
+ { SCMP_SYS(ppoll), 241 },
+ { SCMP_SYS(creat), 241 },
+ { SCMP_SYS(link), 241 },
+ { SCMP_SYS(getpid), 241 },
+ { SCMP_SYS(getppid), 241 },
+ { SCMP_SYS(getpgrp), 241 },
+ { SCMP_SYS(getpgid), 241 },
+ { SCMP_SYS(getsid), 241 },
+ { SCMP_SYS(getdents64), 241 },
+ { SCMP_SYS(getresuid), 241 },
+ { SCMP_SYS(getresgid), 241 },
+ { SCMP_SYS(getgroups), 241 },
+#if defined(__i386__)
+ { SCMP_SYS(getresuid32), 241 },
+ { SCMP_SYS(getresgid32), 241 },
+ { SCMP_SYS(getgroups32), 241 },
+ { SCMP_SYS(signal), 241 },
+ { SCMP_SYS(sigaction), 241 },
+ { SCMP_SYS(sigsuspend), 241 },
+ { SCMP_SYS(sigpending), 241 },
+ { SCMP_SYS(truncate64), 241 },
+ { SCMP_SYS(ftruncate64), 241 },
+ { SCMP_SYS(fchown32), 241 },
+ { SCMP_SYS(chown32), 241 },
+ { SCMP_SYS(lchown32), 241 },
+ { SCMP_SYS(statfs64), 241 },
+ { SCMP_SYS(fstatfs64), 241 },
+ { SCMP_SYS(fstatat64), 241 },
+ { SCMP_SYS(lstat64), 241 },
+ { SCMP_SYS(sendfile64), 241 },
+ { SCMP_SYS(ugetrlimit), 241 },
+#endif
+ { SCMP_SYS(alarm), 241 },
+ { SCMP_SYS(rt_sigsuspend), 241 },
+ { SCMP_SYS(rt_sigqueueinfo), 241 },
+ { SCMP_SYS(rt_tgsigqueueinfo), 241 },
+ { SCMP_SYS(sigaltstack), 241 },
+ { SCMP_SYS(signalfd4), 241 },
+ { SCMP_SYS(truncate), 241 },
+ { SCMP_SYS(fchown), 241 },
+ { SCMP_SYS(lchown), 241 },
+ { SCMP_SYS(fchownat), 241 },
+ { SCMP_SYS(fstatfs), 241 },
+ { SCMP_SYS(sendfile), 241 },
+ { SCMP_SYS(getitimer), 241 },
+ { SCMP_SYS(syncfs), 241 },
+ { SCMP_SYS(fsync), 241 },
+ { SCMP_SYS(fchdir), 241 },
+ { SCMP_SYS(flock), 241 },
+ { SCMP_SYS(msync), 241 },
+ { SCMP_SYS(sched_setparam), 241 },
+ { SCMP_SYS(sched_setscheduler), 241 },
+ { SCMP_SYS(sched_yield), 241 },
+ { SCMP_SYS(sched_rr_get_interval), 241 },
+ { SCMP_SYS(sched_setaffinity), 241 },
+ { SCMP_SYS(sched_getaffinity), 241 },
+ { SCMP_SYS(readahead), 241 },
+ { SCMP_SYS(timer_getoverrun), 241 },
+ { SCMP_SYS(unlinkat), 241 },
+ { SCMP_SYS(readlinkat), 241 },
+ { SCMP_SYS(faccessat), 241 },
+ { SCMP_SYS(get_robust_list), 241 },
+ { SCMP_SYS(splice), 241 },
+ { SCMP_SYS(vmsplice), 241 },
+ { SCMP_SYS(getcpu), 241 },
+ { SCMP_SYS(sendmmsg), 241 },
+ { SCMP_SYS(recvmmsg), 241 },
+ { SCMP_SYS(prlimit64), 241 },
+ { SCMP_SYS(waitid), 241 }
};
int seccomp_start(void)
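Review bot: The priority-241 entries added here (from `ppoll` through `waitid`, plus the i386 block of `*32`/`*64` variants) are described in the commit message as not known to be used by QEMU and slated for removal, but nothing in the table marks them as provisional, so a later reader cannot tell a required entry from a speculative one and the planned pruning will be hard to do safely. A comment above the first such entry, e.g. `/* Priority 241: not known to be needed by QEMU; re-evaluate after 1.3 */`, repeated on the i386 and x86_64 blocks, would keep that intent with the code. The whitelist table begins outside this hunk.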
--
1.7.10.4
* [Qemu-devel] [PATCHv3 2/5] seccomp: setting "-sandbox on" as deafult
From: Eduardo Otubo @ 2012-11-12 19:48 UTC (permalink / raw)
To: qemu-devel; +Cc: pmoore, coreyb, Eduardo Otubo
The seccomp filter is now enabled ("on") by default, even when no
"-sandbox" argument is given.
v3: * Introduced seccomp_states enum and new functions named
seccomp_set_state() and seccomp_get_state()
(pbonzini@redhat.com).
* Merged seccomp_start() and install_seccomp_filter(),
moved install_seccomp_filter() to qemu-seccomp.c,
and renamed it.
* Moved CONFIG_SECCOMP pre-processor checks from Makefile.objs
to qemu-seccomp.c.
* Replace qerror_report with fprintf(stderr, "..") in main()
(lcapitulino@redhat.com).
Note: This support requires libseccomp. If you don't have access
to libseccomp packages, you can manually build with the following
steps:
1) git clone git://git.code.sf.net/p/libseccomp/libseccomp
2) cd libseccomp
3) ./configure
4) make
5) make install
6) export PKG_CONFIG_PATH="/usr/local/lib/pkgconfig/"
Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
---
Makefile.objs | 2 --
configure | 2 +-
qemu-seccomp.c | 26 ++++++++++++++++++++++++--
qemu-seccomp.h | 13 +++++++++++--
vl.c | 31 ++++++++++++++++---------------
5 files changed, 52 insertions(+), 22 deletions(-)
diff --git a/Makefile.objs b/Makefile.objs
index 593a592..682b1e6 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -103,9 +103,7 @@ common-obj-$(CONFIG_SLIRP) += slirp/
######################################################################
# libseccomp
-ifeq ($(CONFIG_SECCOMP),y)
common-obj-y += qemu-seccomp.o
-endif
######################################################################
# libuser
diff --git a/configure b/configure
index 7290f50..d28f8d5 100755
--- a/configure
+++ b/configure
@@ -221,7 +221,7 @@ guest_agent="yes"
want_tools="yes"
libiscsi=""
coroutine=""
-seccomp=""
+seccomp="yes"
glusterfs=""
# parse CC options first
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index b06a2c6..2386996 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -12,10 +12,28 @@
* Contributions after 2012-01-13 are licensed under the terms of the
* GNU GPL, version 2 or (at your option) any later version.
*/
+#include "config-host.h"
#include <stdio.h>
-#include <seccomp.h>
+#include "osdep.h"
#include "qemu-seccomp.h"
+#ifdef CONFIG_SECCOMP
+int seccomp_state = SECCOMP_ON;
+#else
+int seccomp_state = SECCOMP_OFF;
+#endif
+
+void seccomp_set_state(int state)
+{
+ seccomp_state = state;
+}
+
+int seccomp_get_state(void)
+{
+ return seccomp_state;
+}
+
+#ifdef CONFIG_SECCOMP
struct QemuSeccompSyscall {
int32_t num;
uint8_t priority;
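Review bot: `seccomp_state` is defined with external linkage and `seccomp_set_state` stores any `int` without checking it against `enum seccomp_states`, so any translation unit can set or corrupt the sandbox state directly, bypassing the accessor; the header hunk in this patch likewise declares the parameter as an unnamed `int`. Making the variable `static int seccomp_state` and typing the setter `void seccomp_set_state(enum seccomp_states state)` keeps the state behind the accessor and lets the compiler flag stray values. A one-line contract comment on the getter, `/* Current sandbox state; see enum seccomp_states in qemu-seccomp.h */`, would also help.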
@@ -223,15 +241,18 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
{ SCMP_SYS(prlimit64), 241 },
{ SCMP_SYS(waitid), 241 }
};
+#endif
-int seccomp_start(void)
+int seccomp_install_filter(void)
{
int rc = 0;
+#ifdef CONFIG_SECCOMP
unsigned int i = 0;
scmp_filter_ctx ctx;
ctx = seccomp_init(SCMP_ACT_KILL);
if (ctx == NULL) {
+ rc = -1;
goto seccomp_return;
}
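Review bot: When `seccomp_init` fails, the new `rc = -1` jumps to `seccomp_return`, where the following hunk calls `seccomp_release(ctx)` on the NULL context; whether libseccomp tolerates a NULL there is a property of the library version, not of this code, so returning directly is safer: `return -1;` in place of the goto. The same exit path is preserved in patch 4 of this series. The rest of `seccomp_install_filter` lies outside the hunk.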
@@ -251,5 +272,6 @@ int seccomp_start(void)
seccomp_return:
seccomp_release(ctx);
+#endif
return rc;
}
diff --git a/qemu-seccomp.h b/qemu-seccomp.h
index b2fc3f8..fa26d70 100644
--- a/qemu-seccomp.h
+++ b/qemu-seccomp.h
@@ -15,8 +15,17 @@
#ifndef QEMU_SECCOMP_H
#define QEMU_SECCOMP_H
+#ifdef CONFIG_SECCOMP
#include <seccomp.h>
-#include "osdep.h"
+#endif
+
+enum seccomp_states {
+ SECCOMP_OFF,
+ SECCOMP_ON
+};
+
+void seccomp_set_state(int);
+int seccomp_get_state(void);
+int seccomp_install_filter(void);
-int seccomp_start(void);
#endif
diff --git a/vl.c b/vl.c
index 4f03a72..cb3d85e 100644
--- a/vl.c
+++ b/vl.c
@@ -64,9 +64,7 @@
#include <linux/parport.h>
#endif
-#ifdef CONFIG_SECCOMP
#include "qemu-seccomp.h"
-#endif
#ifdef __sun__
#include <sys/stat.h>
@@ -772,22 +770,17 @@ static int bt_parse(const char *opt)
static int parse_sandbox(QemuOpts *opts, void *opaque)
{
- /* FIXME: change this to true for 1.3 */
- if (qemu_opt_get_bool(opts, "enable", false)) {
#ifdef CONFIG_SECCOMP
- if (seccomp_start() < 0) {
- qerror_report(ERROR_CLASS_GENERIC_ERROR,
- "failed to install seccomp syscall filter in the kernel");
- return -1;
- }
-#else
- qerror_report(ERROR_CLASS_GENERIC_ERROR,
- "sandboxing request but seccomp is not compiled into this build");
- return -1;
-#endif
+ /* seccomp sandboxing is on by default */
+ if (!qemu_opt_get_bool(opts, "enable", true)) {
+ seccomp_set_state(SECCOMP_OFF);
}
-
return 0;
+#else
+ fprintf(stderr, "sandbox option specified but seccomp is not compiled "
+ "into this build\n");
+ return -1;
+#endif
}
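Review bot: In the `#else` branch `parse_sandbox` now rejects every `-sandbox` option, including an explicit `-sandbox off`, on a build without libseccomp; before this change `-sandbox off` was accepted there, and `opts` is now unused in that branch. A management layer that passes `-sandbox off` to disable a feature the build does not have would fail to start the guest. Only the enabling case needs the error, so the option value should be consulted in both branches:
```c
#else
    /* no libseccomp: only an explicit "-sandbox off" can be honoured */
    if (qemu_opt_get_bool(opts, "enable", true)) {
        fprintf(stderr, "sandbox option specified but seccomp is not compiled "
                "into this build\n");
        return -1;
    }
    return 0;
#endif
```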
/*********QEMU USB setting******/
@@ -3489,6 +3482,14 @@ int main(int argc, char **argv, char **envp)
exit(1);
}
+ if (seccomp_get_state() == SECCOMP_ON) {
+ if (seccomp_install_filter() < 0) {
+ fprintf(stderr, "failed to install seccomp syscall "
+ "initialization filter\n");
+ exit(1);
+ }
+ }
+
#ifndef _WIN32
if (qemu_opts_foreach(qemu_find_opts("add-fd"), parse_add_fd, NULL, 1)) {
exit(1);
--
1.7.10.4
* [Qemu-devel] [PATCHv3 3/5] net: Disallow device hotplug that causes execve()
From: Eduardo Otubo @ 2012-11-12 19:48 UTC (permalink / raw)
To: qemu-devel; +Cc: pmoore, coreyb, Eduardo Otubo
We'll soon be introducing a second whitelist that prevents
execve() right before the main_loop() is entered. In preparation,
we need to gracefully disable use of exec'd scripts/binaries when
hotplugging network devices. For example, the following will not
be allowed:
netdev_add tap,id=tapdev0
netdev_add bridge
host_net_add tap
host_net_add bridge
v2: * Error messages moved to the backend function, net_init_tap(),
recommended by Paolo Bonzini
* Documentation added to QMP and HMP commands, and also to the Qemu
* options.
v3: * Prevent hotplug of network devices only when execve() would be
called by checking seccomp_get_state(). (pbonzini@redhat.com)
* Update enum seccomp_states with new states for 2 whitelists.
* Remove #ifdef preprocessor tests where possible
(pbonzini@redhat.com)
* Update network monitor and -sandbox command line documentation.
Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
---
hmp-commands.hx | 12 ++++++------
net/tap.c | 13 +++++++++++++
qemu-options.hx | 11 +++++++++--
qemu-seccomp.h | 4 +++-
qmp-commands.hx | 3 ++-
5 files changed, 33 insertions(+), 10 deletions(-)
diff --git a/hmp-commands.hx b/hmp-commands.hx
index f916385..6530a21 100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@ -1103,15 +1103,15 @@ ETEXI
{
.name = "host_net_add",
.args_type = "device:s,opts:s?",
- .params = "tap|user|socket|vde|dump [options]",
- .help = "add host VLAN client",
+ .params = "tap|bridge|user|socket|vde|dump [options]",
+ .help = "add host VLAN client (options that exec programs are disabled when -sandbox is in use)",
.mhandler.cmd = net_host_device_add,
},
STEXI
@item host_net_add
@findex host_net_add
-Add host VLAN client.
+Add host VLAN client (options that exec programs are disabled when -sandbox is in use).
ETEXI
{
@@ -1131,15 +1131,15 @@ ETEXI
{
.name = "netdev_add",
.args_type = "netdev:O",
- .params = "[user|tap|socket],id=str[,prop=value][,...]",
- .help = "add host network device",
+ .params = "[user|tap|bridge|socket],id=str[,prop=value][,...]",
+ .help = "add host network device (options that exec programs are disabled when -sandbox is in use)",
.mhandler.cmd = hmp_netdev_add,
},
STEXI
@item netdev_add
@findex netdev_add
-Add host network device.
+Add host network device (options that exec programs are disabled when -sandbox is in use).
ETEXI
{
diff --git a/net/tap.c b/net/tap.c
index df89caa..b72a012 100644
--- a/net/tap.c
+++ b/net/tap.c
@@ -40,6 +40,7 @@
#include "qemu-char.h"
#include "qemu-common.h"
#include "qemu-error.h"
+#include "qemu-seccomp.h"
#include "net/tap-linux.h"
@@ -352,6 +353,12 @@ static int launch_script(const char *setup_script, const char *ifname, int fd)
char *args[3];
char **parg;
+ if (seccomp_get_state() >= SECCOMP_MAIN_LOOP) {
+ error_report("Cannot execute network script from QEMU monitor "
+ "when -sandbox is in effect");
+ return -1;
+ }
+
/* try to launch network script */
pid = fork();
if (pid == 0) {
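Review bot: The guard `seccomp_get_state() >= SECCOMP_MAIN_LOOP` (here and in `net_bridge_run_helper` in the next hunk) relies on `SECCOMP_MAIN_LOOP` being the last and most restrictive enumerator, but `enum seccomp_states` in qemu-seccomp.h carries no comment fixing that ordering, so a state added after it would be treated as at least as restrictive whether or not it is. Either compare for equality, `if (seccomp_get_state() == SECCOMP_MAIN_LOOP) {`, or document the ordering on the enum: `/* Ordered: each state is at least as restrictive as the previous one; callers compare with >= */`. `launch_script` begins outside the hunk.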
@@ -426,6 +433,12 @@ static int net_bridge_run_helper(const char *helper, const char *bridge)
char **parg;
int sv[2];
+ if (seccomp_get_state() >= SECCOMP_MAIN_LOOP) {
+ error_report("Cannot execute network helper from QEMU monitor "
+ "when -sandbox is in effect");
+ return -1;
+ }
+
sigemptyset(&mask);
sigaddset(&mask, SIGCHLD);
sigprocmask(SIG_BLOCK, &mask, &oldmask);
diff --git a/qemu-options.hx b/qemu-options.hx
index fe8f15c..f7277a0 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -1584,6 +1584,8 @@ attach it to the bridge. The default network helper executable is
@file{/usr/local/libexec/qemu-bridge-helper} and the default bridge
device is @file{br0}.
+Note that QEMU cannot execute a setuid program if -sandbox is in effect.
+
Examples:
@example
@@ -2798,8 +2800,13 @@ DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \
STEXI
@item -sandbox
@findex -sandbox
-Enable Seccomp mode 2 system call filter. 'on' will enable syscall filtering and 'off' will
-disable it. The default is 'off'.
+Enable Seccomp mode 2 system call filter. 'on' will enable system call filtering
+and 'off' will disable it. The default is 'on'.
+
+Note that when '-sandbox on' is in effect, execution of programs where privilege
+granting operations occur during exec will be disabled. For example, QEMU will
+not be able to execute a setuid binary to change its uid or gid. Additionally,
+network monitor commands that cause programs to be executed will be disabled.
ETEXI
DEF("readconfig", HAS_ARG, QEMU_OPTION_readconfig,
diff --git a/qemu-seccomp.h b/qemu-seccomp.h
index fa26d70..686db09 100644
--- a/qemu-seccomp.h
+++ b/qemu-seccomp.h
@@ -21,7 +21,9 @@
enum seccomp_states {
SECCOMP_OFF,
- SECCOMP_ON
+ SECCOMP_ON,
+ SECCOMP_INIT,
+ SECCOMP_MAIN_LOOP
};
void seccomp_set_state(int);
diff --git a/qmp-commands.hx b/qmp-commands.hx
index 5c692d0..26252a4 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -757,7 +757,8 @@ Example:
Note: The supported device options are the same ones supported by the '-net'
command-line argument, which are listed in the '-help' output or QEMU's
- manual
+ manual. Note that options that exec programs are disabled when -sandbox
+ is in use.
EQMP
--
1.7.10.4
* [Qemu-devel] [PATCHv3 4/5] seccomp: double whitelist support
From: Eduardo Otubo @ 2012-11-12 19:48 UTC (permalink / raw)
To: qemu-devel; +Cc: pmoore, coreyb, Eduardo Otubo
This patch includes a second whitelist right before the main loop. The
second whitelist is more restricted and does not contain execve().
Although it works as it is now, it should still be updated and fine-tuned.
v2: * ctx changed to main_loop_ctx
* seccomp_on now inside ifdef
* open() syscall added to the main_loop whitelist
v3: * Main loop now has whitelist without execve().
* Use enum seccomp_states, seccomp_get_state(), and
seccomp_install_filter()
* Added new syscalls with priority 241 that are unknown to be
used by QEMU. We'll attempt to remove these after QEMU 1.3.
Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
---
qemu-seccomp.c | 252 +++++++++++++++++++++++++++++++++++++++++++++++++++++---
qemu-seccomp.h | 2 +-
vl.c | 9 +-
3 files changed, 251 insertions(+), 12 deletions(-)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 2386996..d5a3b0f 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -13,9 +13,9 @@
* GNU GPL, version 2 or (at your option) any later version.
*/
#include "config-host.h"
-#include <stdio.h>
#include "osdep.h"
#include "qemu-seccomp.h"
+#include <stdio.h>
#ifdef CONFIG_SECCOMP
int seccomp_state = SECCOMP_ON;
@@ -39,7 +39,7 @@ struct QemuSeccompSyscall {
uint8_t priority;
};
-static const struct QemuSeccompSyscall seccomp_whitelist[] = {
+static const struct QemuSeccompSyscall whitelist_init[] = {
{ SCMP_SYS(timer_settime), 255 },
{ SCMP_SYS(timer_gettime), 254 },
{ SCMP_SYS(futex), 253 },
@@ -241,14 +241,238 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
{ SCMP_SYS(prlimit64), 241 },
{ SCMP_SYS(waitid), 241 }
};
+
+static const struct QemuSeccompSyscall whitelist_main[] = {
+ { SCMP_SYS(timer_settime), 255 },
+ { SCMP_SYS(timer_gettime), 254 },
+ { SCMP_SYS(futex), 253 },
+ { SCMP_SYS(select), 252 },
+#if defined(__x86_64__)
+ { SCMP_SYS(recvfrom), 251 },
+ { SCMP_SYS(sendto), 250 },
+#elif defined(__i386__)
+ { SCMP_SYS(socketcall), 250 },
+#endif
+ { SCMP_SYS(read), 249 },
+ { SCMP_SYS(brk), 248 },
+ { SCMP_SYS(clone), 247 },
+ { SCMP_SYS(mmap), 247 },
+ { SCMP_SYS(mprotect), 246 },
+ { SCMP_SYS(open), 245 },
+ { SCMP_SYS(ioctl), 245 },
+#if defined(__x86_64__)
+ { SCMP_SYS(socket), 245 },
+ { SCMP_SYS(setsockopt), 245 },
+ { SCMP_SYS(recvmsg), 245 },
+ { SCMP_SYS(sendmsg), 245 },
+ { SCMP_SYS(accept), 245 },
+ { SCMP_SYS(connect), 245 },
+ { SCMP_SYS(socketpair), 245 },
+ { SCMP_SYS(bind), 245 },
+ { SCMP_SYS(listen), 245 },
+ { SCMP_SYS(semget), 245 },
+#elif defined(__i386__)
+ { SCMP_SYS(ipc), 245 },
+#endif
+ { SCMP_SYS(gettimeofday), 245 },
+ { SCMP_SYS(readlink), 245 },
+ { SCMP_SYS(access), 245 },
+ { SCMP_SYS(prctl), 245 },
+ { SCMP_SYS(signalfd), 245 },
+ { SCMP_SYS(getrlimit), 245 },
+ { SCMP_SYS(set_tid_address), 245 },
+ { SCMP_SYS(statfs), 245 },
+ { SCMP_SYS(unlink), 245 },
+ { SCMP_SYS(wait4), 245 },
+#if defined(__i386__)
+ { SCMP_SYS(fcntl64), 245 },
+ { SCMP_SYS(fstat64), 245 },
+ { SCMP_SYS(stat64), 245 },
+ { SCMP_SYS(getgid32), 245 },
+ { SCMP_SYS(getegid32), 245 },
+ { SCMP_SYS(getuid32), 245 },
+ { SCMP_SYS(geteuid32), 245 },
+ { SCMP_SYS(sigreturn), 245 },
+ { SCMP_SYS(_newselect), 245 },
+ { SCMP_SYS(_llseek), 245 },
+ { SCMP_SYS(mmap2), 245 },
+ { SCMP_SYS(sigprocmask), 245 },
+#endif
+ { SCMP_SYS(sched_getparam), 245 },
+ { SCMP_SYS(sched_getscheduler), 245 },
+ { SCMP_SYS(fstat), 245 },
+ { SCMP_SYS(clock_getres), 245 },
+ { SCMP_SYS(sched_get_priority_min), 245 },
+ { SCMP_SYS(sched_get_priority_max), 245 },
+ { SCMP_SYS(stat), 245 },
+ { SCMP_SYS(uname), 245 },
+ { SCMP_SYS(eventfd2), 245 },
+ { SCMP_SYS(dup), 245 },
+ { SCMP_SYS(dup2), 245 },
+ { SCMP_SYS(dup3), 245 },
+ { SCMP_SYS(gettid), 245 },
+ { SCMP_SYS(getgid), 245 },
+ { SCMP_SYS(getegid), 245 },
+ { SCMP_SYS(getuid), 245 },
+ { SCMP_SYS(geteuid), 245 },
+ { SCMP_SYS(timer_create), 245 },
+ { SCMP_SYS(exit), 245 },
+ { SCMP_SYS(clock_gettime), 245 },
+ { SCMP_SYS(time), 245 },
+ { SCMP_SYS(restart_syscall), 245 },
+ { SCMP_SYS(pwrite64), 245 },
+ { SCMP_SYS(chown), 245 },
+ { SCMP_SYS(openat), 245 },
+ { SCMP_SYS(getdents), 245 },
+ { SCMP_SYS(timer_delete), 245 },
+ { SCMP_SYS(exit_group), 245 },
+ { SCMP_SYS(rt_sigreturn), 245 },
+ { SCMP_SYS(sync), 245 },
+ { SCMP_SYS(pread64), 245 },
+ { SCMP_SYS(madvise), 245 },
+ { SCMP_SYS(set_robust_list), 245 },
+ { SCMP_SYS(lseek), 245 },
+ { SCMP_SYS(pselect6), 245 },
+ { SCMP_SYS(fork), 245 },
+ { SCMP_SYS(eventfd), 245 },
+ { SCMP_SYS(rt_sigprocmask), 245 },
+ { SCMP_SYS(write), 244 },
+ { SCMP_SYS(fcntl), 243 },
+ { SCMP_SYS(tgkill), 242 },
+ { SCMP_SYS(rt_sigaction), 242 },
+ { SCMP_SYS(pipe2), 242 },
+ { SCMP_SYS(munmap), 242 },
+ { SCMP_SYS(mremap), 242 },
+ { SCMP_SYS(fdatasync), 242 },
+ { SCMP_SYS(close), 242 },
+ { SCMP_SYS(rt_sigpending), 242 },
+ { SCMP_SYS(rt_sigtimedwait), 242 },
+ { SCMP_SYS(readv), 242 },
+ { SCMP_SYS(writev), 242 },
+ { SCMP_SYS(preadv), 242 },
+ { SCMP_SYS(pwritev), 242 },
+ { SCMP_SYS(setrlimit), 242 },
+ { SCMP_SYS(ftruncate), 242 },
+ { SCMP_SYS(lstat), 242 },
+ { SCMP_SYS(pipe), 242 },
+ { SCMP_SYS(umask), 242 },
+ { SCMP_SYS(chdir), 242 },
+ { SCMP_SYS(setitimer), 242 },
+ { SCMP_SYS(setsid), 242 },
+ { SCMP_SYS(poll), 242 },
+#if defined(__i386__)
+ { SCMP_SYS(waitpid), 242 },
+#elif defined(__x86_64__)
+ { SCMP_SYS(getsockname), 242 },
+ { SCMP_SYS(getpeername), 242 },
+ { SCMP_SYS(accept4), 242 },
+ { SCMP_SYS(newfstatat), 241 },
+ { SCMP_SYS(shutdown), 241 },
+ { SCMP_SYS(getsockopt), 241 },
+ { SCMP_SYS(semctl), 241 },
+ { SCMP_SYS(semop), 241 },
+ { SCMP_SYS(semtimedop), 241 },
+#endif
+ { SCMP_SYS(ppoll), 241 },
+ { SCMP_SYS(creat), 241 },
+ { SCMP_SYS(link), 241 },
+ { SCMP_SYS(getpid), 241 },
+ { SCMP_SYS(getppid), 241 },
+ { SCMP_SYS(getpgrp), 241 },
+ { SCMP_SYS(getpgid), 241 },
+ { SCMP_SYS(getsid), 241 },
+ { SCMP_SYS(getdents64), 241 },
+ { SCMP_SYS(getresuid), 241 },
+ { SCMP_SYS(getresgid), 241 },
+ { SCMP_SYS(getgroups), 241 },
+#if defined(__i386__)
+ { SCMP_SYS(getresuid32), 241 },
+ { SCMP_SYS(getresgid32), 241 },
+ { SCMP_SYS(getgroups32), 241 },
+ { SCMP_SYS(signal), 241 },
+ { SCMP_SYS(sigaction), 241 },
+ { SCMP_SYS(sigsuspend), 241 },
+ { SCMP_SYS(sigpending), 241 },
+ { SCMP_SYS(truncate64), 241 },
+ { SCMP_SYS(ftruncate64), 241 },
+ { SCMP_SYS(fchown32), 241 },
+ { SCMP_SYS(chown32), 241 },
+ { SCMP_SYS(lchown32), 241 },
+ { SCMP_SYS(statfs64), 241 },
+ { SCMP_SYS(fstatfs64), 241 },
+ { SCMP_SYS(fstatat64), 241 },
+ { SCMP_SYS(lstat64), 241 },
+ { SCMP_SYS(sendfile64), 241 },
+ { SCMP_SYS(ugetrlimit), 241 },
+#endif
+ { SCMP_SYS(alarm), 241 },
+ { SCMP_SYS(rt_sigsuspend), 241 },
+ { SCMP_SYS(rt_sigqueueinfo), 241 },
+ { SCMP_SYS(rt_tgsigqueueinfo), 241 },
+ { SCMP_SYS(sigaltstack), 241 },
+ { SCMP_SYS(signalfd4), 241 },
+ { SCMP_SYS(truncate), 241 },
+ { SCMP_SYS(fchown), 241 },
+ { SCMP_SYS(lchown), 241 },
+ { SCMP_SYS(fchownat), 241 },
+ { SCMP_SYS(fstatfs), 241 },
+ { SCMP_SYS(sendfile), 241 },
+ { SCMP_SYS(getitimer), 241 },
+ { SCMP_SYS(syncfs), 241 },
+ { SCMP_SYS(fsync), 241 },
+ { SCMP_SYS(fchdir), 241 },
+ { SCMP_SYS(flock), 241 },
+ { SCMP_SYS(msync), 241 },
+ { SCMP_SYS(sched_setparam), 241 },
+ { SCMP_SYS(sched_setscheduler), 241 },
+ { SCMP_SYS(sched_yield), 241 },
+ { SCMP_SYS(sched_rr_get_interval), 241 },
+ { SCMP_SYS(sched_setaffinity), 241 },
+ { SCMP_SYS(sched_getaffinity), 241 },
+ { SCMP_SYS(readahead), 241 },
+ { SCMP_SYS(timer_getoverrun), 241 },
+ { SCMP_SYS(unlinkat), 241 },
+ { SCMP_SYS(readlinkat), 241 },
+ { SCMP_SYS(faccessat), 241 },
+ { SCMP_SYS(get_robust_list), 241 },
+ { SCMP_SYS(splice), 241 },
+ { SCMP_SYS(vmsplice), 241 },
+ { SCMP_SYS(getcpu), 241 },
+ { SCMP_SYS(sendmmsg), 241 },
+ { SCMP_SYS(recvmmsg), 241 },
+ { SCMP_SYS(prlimit64), 241 },
+ { SCMP_SYS(waitid), 241 }
+};
#endif
-int seccomp_install_filter(void)
+#ifdef CONFIG_SECCOMP
+static int process_list(scmp_filter_ctx *ctx,
+ const struct QemuSeccompSyscall *list,
+ unsigned int list_size)
{
int rc = 0;
-#ifdef CONFIG_SECCOMP
unsigned int i = 0;
- scmp_filter_ctx ctx;
+
+ for (i = 0; i < list_size; i++) {
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, list[i].num, 0);
+ if (rc < 0) {
+ return rc;
+ }
+
+ rc = seccomp_syscall_priority(ctx, list[i].num, list[i].priority);
+ if (rc < 0) {
+ return rc;
+ }
+ }
+ return rc;
+}
+#endif
+
+int seccomp_install_filter(int state)
+{
+ int rc = 0;
+#ifdef CONFIG_SECCOMP
+ scmp_filter_ctx ctx = NULL;
ctx = seccomp_init(SCMP_ACT_KILL);
if (ctx == NULL) {
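Review bot: `process_list` takes `scmp_filter_ctx *ctx`, but `scmp_filter_ctx` is already a pointer typedef in libseccomp, so the parameter is a pointer-to-pointer; the call sites and the `seccomp_rule_add`/`seccomp_syscall_priority` calls only compile because `void *` converts freely, and the declaration should read `static int process_list(scmp_filter_ctx ctx,`. Separately, `whitelist_main` reproduces `whitelist_init` entry for entry except `execve`, so every future addition has to be made twice and the two tables will drift apart, with drift in the main-loop table being the one that weakens the sandbox; deriving the main-loop table from the init one (a per-entry flag marking init-only syscalls, or one table plus a short exclusion list) would keep a single source of truth. At minimum a comment above `whitelist_main`, `/* Same as whitelist_init minus execve; keep the two in sync */`, should state the intended difference. `seccomp_install_filter` continues outside the hunk.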
@@ -256,21 +480,29 @@ int seccomp_install_filter(void)
goto seccomp_return;
}
- for (i = 0; i < ARRAY_SIZE(seccomp_whitelist); i++) {
- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_whitelist[i].num, 0);
+ switch (state) {
+ case SECCOMP_INIT:
+ rc = process_list(ctx, whitelist_init, ARRAY_SIZE(whitelist_init));
if (rc < 0) {
goto seccomp_return;
}
- rc = seccomp_syscall_priority(ctx, seccomp_whitelist[i].num,
- seccomp_whitelist[i].priority);
+ break;
+ case SECCOMP_MAIN_LOOP:
+ rc = process_list(ctx, whitelist_main, ARRAY_SIZE(whitelist_main));
if (rc < 0) {
goto seccomp_return;
}
+ break;
+ default:
+ rc = -1;
+ goto seccomp_return;
}
-
rc = seccomp_load(ctx);
seccomp_return:
+ if (rc == 0) {
+ seccomp_set_state(state);
+ }
seccomp_release(ctx);
#endif
return rc;
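Review bot: `seccomp_install_filter` gains a `state` parameter and a new side effect (`seccomp_set_state(state)` on success) but no header comment saying which values are accepted, that `SECCOMP_OFF`/`SECCOMP_ON` fall into the `default:` failure, or that the global state is advanced only after `seccomp_load` succeeds. A comment on the definition along the lines of `/* Install the whitelist for @state (SECCOMP_INIT or SECCOMP_MAIN_LOOP). On success the global sandbox state is advanced to @state. Returns 0 on success, negative on failure. */` would make the contract explicit. The function's signature starts outside this hunk.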
diff --git a/qemu-seccomp.h b/qemu-seccomp.h
index 686db09..029c111 100644
--- a/qemu-seccomp.h
+++ b/qemu-seccomp.h
@@ -28,6 +28,6 @@ enum seccomp_states {
void seccomp_set_state(int);
int seccomp_get_state(void);
-int seccomp_install_filter(void);
+int seccomp_install_filter(int);
#endif
diff --git a/vl.c b/vl.c
index cb3d85e..80b1fff 100644
--- a/vl.c
+++ b/vl.c
@@ -3483,7 +3483,7 @@ int main(int argc, char **argv, char **envp)
}
if (seccomp_get_state() == SECCOMP_ON) {
- if (seccomp_install_filter() < 0) {
+ if (seccomp_install_filter(SECCOMP_INIT) < 0) {
fprintf(stderr, "failed to install seccomp syscall "
"initialization filter\n");
exit(1);
@@ -3945,6 +3945,13 @@ int main(int argc, char **argv, char **envp)
os_setup_post();
resume_all_vcpus();
+ if (seccomp_get_state() >= SECCOMP_ON) {
+ if (seccomp_install_filter(SECCOMP_MAIN_LOOP) < 0) {
+ fprintf(stderr,
+ "failed to install seccomp syscall main loop filter\n");
+ exit(1);
+ }
+ }
main_loop();
bdrv_close_all();
pause_all_vcpus();
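Review bot: The main-loop filter is loaded after `resume_all_vcpus()`, i.e. once the vCPU threads (and any other threads created during setup) are already running. A seccomp filter installed through prctl applies to the calling thread and to threads it creates afterwards, not to threads that already exist, so unless libseccomp on the target kernel synchronizes the filter across threads, those threads keep only the init whitelist, which still permits `execve`. Installing the second filter before the vCPU threads are started, or verifying per-thread coverage on kernels that expose it and documenting the limitation next to this call, would close that gap; `main` continues outside the hunk.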
--
1.7.10.4
* [Qemu-devel] [PATCHv3 5/5] seccomp: adding debug mode
From: Eduardo Otubo @ 2012-11-12 19:48 UTC (permalink / raw)
To: qemu-devel; +Cc: pmoore, coreyb, Eduardo Otubo
This patch is meant for developer debug purposes only. It adds
support that displays the offending system call number if QEMU
is being killed by seccomp. The offending system call may need
to be added to the appropriate system call white list in
qemu-seccomp.c to prevent seccomp from killing QEMU.
When the seccomp filter is configured with SCMP_ACT_TRAP, the
kernel sends a SIGSYS every time an illegal syscall is called.
The role of the debug mode is to handle the SIGSYS, determine
the illegal syscall, and print the syscall number to stderr.
v3: New in v3.
Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
---
Makefile.objs | 3 ++
configure | 16 +++++++++
qemu-seccomp-debug.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++++++
qemu-seccomp-debug.h | 40 ++++++++++++++++++++++
qemu-seccomp.c | 4 +--
qemu-seccomp.h | 13 +++++++
qemu-thread-posix.c | 3 ++
vl.c | 10 ++++++
8 files changed, 180 insertions(+), 2 deletions(-)
create mode 100644 qemu-seccomp-debug.c
create mode 100644 qemu-seccomp-debug.h
diff --git a/Makefile.objs b/Makefile.objs
index 682b1e6..4ece4d8 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -104,6 +104,9 @@ common-obj-$(CONFIG_SLIRP) += slirp/
######################################################################
# libseccomp
common-obj-y += qemu-seccomp.o
+ifeq ($(CONFIG_SECCOMP_DEBUG),y)
+common-obj-y += qemu-seccomp-debug.o
+endif
######################################################################
# libuser
diff --git a/configure b/configure
index d28f8d5..e2417fe 100755
--- a/configure
+++ b/configure
@@ -222,6 +222,7 @@ want_tools="yes"
libiscsi=""
coroutine=""
seccomp="yes"
+seccomp_debug="no"
glusterfs=""
# parse CC options first
@@ -867,6 +868,10 @@ for opt do
;;
--disable-seccomp) seccomp="no"
;;
+ --enable-seccomp-debug) seccomp_debug="yes"
+ ;;
+ --disable-seccomp-debug) seccomp_debug="no"
+ ;;
--disable-glusterfs) glusterfs="no"
;;
--enable-glusterfs) glusterfs="yes"
@@ -876,6 +881,10 @@ for opt do
esac
done
+if test "$seccomp" = "no"; then
+ seccomp_debug="no";
+fi
+
case "$cpu" in
sparc)
LDFLAGS="-m32 $LDFLAGS"
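Review bot: `seccomp_debug="no";` inside the new `if test "$seccomp" = "no"` block carries a stray trailing semicolon that no other assignment in this script uses; write `seccomp_debug="no"`. Passing `--enable-seccomp-debug` together with `--disable-seccomp` is silently downgraded here; the later `seccomp debug $seccomp_debug` summary line does reveal it, but an explicit `echo "seccomp debug requires seccomp support; disabling it"` before the assignment would make the interaction obvious at configure time.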
@@ -1115,6 +1124,8 @@ echo " --disable-guest-agent disable building of the QEMU Guest Agent"
echo " --enable-guest-agent enable building of the QEMU Guest Agent"
echo " --disable-seccomp disable seccomp support"
echo " --enable-seccomp enables seccomp support"
+echo " --disable-seccomp-debug disable seccomp debug support"
+echo " --enable-seccomp-debug enables seccomp debug support"
echo " --with-coroutine=BACKEND coroutine backend. Supported options:"
echo " gthread, ucontext, sigaltstack, windows"
echo " --enable-glusterfs enable GlusterFS backend"
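Review bot: The help text for `--enable-seccomp-debug` should say what the option actually changes, since per the qemu-seccomp.h hunk it swaps the filter's SCMP_ACT_KILL default for SCMP_ACT_TRAP and the commit message calls it developer-only; `echo "  --enable-seccomp-debug   enable seccomp debug mode (developers only: trap and report denied syscalls instead of killing QEMU)"` would tell a packager that this is not a production option.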
@@ -3230,6 +3241,7 @@ echo "OpenGL support $opengl"
echo "libiscsi support $libiscsi"
echo "build guest agent $guest_agent"
echo "seccomp support $seccomp"
+echo "seccomp debug $seccomp_debug"
echo "coroutine backend $coroutine_backend"
echo "GlusterFS support $glusterfs"
@@ -3534,6 +3546,10 @@ if test "$seccomp" = "yes"; then
echo "CONFIG_SECCOMP=y" >> $config_host_mak
fi
+if test "$seccomp_debug" = "yes"; then
+ echo "CONFIG_SECCOMP_DEBUG=y" >> $config_host_mak
+fi
+
# XXX: suppress that
if [ "$bsd" = "yes" ] ; then
echo "CONFIG_BSD=y" >> $config_host_mak
diff --git a/qemu-seccomp-debug.c b/qemu-seccomp-debug.c
new file mode 100644
index 0000000..4b64e8c
--- /dev/null
+++ b/qemu-seccomp-debug.c
@@ -0,0 +1,93 @@
+/*
+ * QEMU seccomp mode 2 support with libseccomp
+ * Debug system calls helper functions
+ *
+ * Copyright IBM, Corp. 2012
+ *
+ * Authors:
+ * Eduardo Otubo <eotubo@br.ibm.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2. See
+ * the COPYING file in the top-level directory.
+ *
+ * Contributions after 2012-01-13 are licensed under the terms of the
+ * GNU GPL, version 2 or (at your option) any later version.
+ */
+
+#include "qemu-seccomp-debug.h"
+#include <asm-generic/unistd.h>
+
+#define safe_warn(data, len) write(STDERR_FILENO, (const void *) data, len)
+
+static int count_digits(int number)
+{
+ int digits = 0;
+ while (number) {
+ number /= 10;
+ digits++;
+ }
+
+ return digits;
+}
+
+static char *sput_i(int integer, char *string)
+{
+ if (integer / 10 != 0) {
+ string = sput_i(integer / 10, string);
+ }
+ *string++ = (char) ('0' + integer % 10);
+ return string;
+}
+
+static void int_to_asc(int integer, char *string)
+{
+ *sput_i(integer, string) = '\n';
+}
+
+static void syscall_debug(int nr, siginfo_t *info, void *void_context)
+{
+ ucontext_t *ctx = (ucontext_t *) (void_context);
+ char errormsg[] = "seccomp: illegal syscall trapped: ";
+ char syscall_char[count_digits(__NR_syscalls) + 1];
+ int syscall_num = 0;
+ int i;
+
+ for (i = 0; i < count_digits(__NR_syscalls) + 1; i++) {
+ syscall_char[i] = ' ';
+ }
+ if (info->si_code != SYS_SECCOMP) {
+ return;
+ }
+ if (!ctx) {
+ return;
+ }
+ syscall_num = ctx->uc_mcontext.gregs[REG_SYSCALL];
+ int_to_asc(syscall_num, syscall_char);
+ if ((safe_warn(errormsg, sizeof(errormsg)-1) < 0) ||
+ (safe_warn(syscall_char, sizeof(syscall_char)) < 0)) {
+ return;
+ }
+ return;
+}
+
+int seccomp_install_syscall_debug(void)
+{
+ struct sigaction act;
+ sigset_t mask;
+
+ memset(&act, 0, sizeof(act));
+ sigemptyset(&mask);
+ sigaddset(&mask, SIGSYS);
+
+ act.sa_sigaction = &syscall_debug;
+ act.sa_flags = SA_SIGINFO;
+ if (sigaction(SIGSYS, &act, NULL) < 0) {
+ perror("seccomp: sigaction returned with errors\n");
+ return -1;
+ }
+ if (pthread_sigmask(SIG_UNBLOCK, &mask, NULL)) {
+ perror("seccomp: pthread_sigmask returned with errors\n");
+ return -1;
+ }
+ return 0;
+}
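Review bot: `syscall_char` in syscall_debug is sized from `__NR_syscalls`, taken from `<asm-generic/unistd.h>` (the generic syscall table, not the x86 tables qemu-seccomp-debug.h selects), so a trapped syscall number with more decimal digits than that constant makes `sput_i` write past the end of a stack buffer inside a signal handler, and pulling the generic table in next to `<asm/unistd_64.h>` appears to redefine the `__NR_*` macros with conflicting values. Sizing the buffer for any `int` and writing only the bytes produced removes both the dependency and the trailing padding spaces that `safe_warn(syscall_char, sizeof(syscall_char))` currently emits after the newline. `count_digits()`, `int_to_asc()` and the `<asm-generic/unistd.h>` include then become unused and can go. Separately, `perror("seccomp: sigaction returned with errors\n")` embeds a newline that perror follows with `: <strerror>` and its own newline, so drop the `\n` from both perror calls.
```c
static void syscall_debug(int nr, siginfo_t *info, void *void_context)
{
    ucontext_t *ctx = (ucontext_t *) (void_context);
    char errormsg[] = "seccomp: illegal syscall trapped: ";
    /* room for a sign, every decimal digit of an int and the '\n';
     * independent of any syscall-table constant */
    char syscall_char[3 * sizeof(int) + 2];
    char *end;
    int syscall_num;

    if (info->si_code != SYS_SECCOMP || !ctx) {
        return;
    }
    syscall_num = ctx->uc_mcontext.gregs[REG_SYSCALL];
    end = sput_i(syscall_num, syscall_char);
    *end++ = '\n';
    if ((safe_warn(errormsg, sizeof(errormsg) - 1) < 0) ||
        (safe_warn(syscall_char, (size_t) (end - syscall_char)) < 0)) {
        return;
    }
}
/* … unchanged: seccomp_install_syscall_debug, minus the '\n' in both perror strings … */
```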
diff --git a/qemu-seccomp-debug.h b/qemu-seccomp-debug.h
new file mode 100644
index 0000000..c41538e
--- /dev/null
+++ b/qemu-seccomp-debug.h
@@ -0,0 +1,40 @@
+/*
+ * QEMU seccomp mode 2 support with libseccomp
+ * Trap system calls helper functions
+ *
+ * Copyright IBM, Corp. 2012
+ *
+ * Authors:
+ * Eduardo Otubo <eotubo@br.ibm.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2. See
+ * the COPYING file in the top-level directory.
+ *
+ * Contributions after 2012-01-13 are licensed under the terms of the
+ * GNU GPL, version 2 or (at your option) any later version.
+ */
+#ifndef QEMU_SECCOMP_TRAP_H
+#define QEMU_SECCOMP_TRAP_H
+
+#include <signal.h>
+#include <string.h>
+#include <stdio.h>
+#include <unistd.h>
+
+#if defined(__i386__)
+#define REG_SYSCALL REG_EAX
+#include <asm/unistd_32.h>
+#elif defined(__x86_64__)
+#define REG_SYSCALL REG_RAX
+#include <asm/unistd_64.h>
+#else
+#error Unsupported platform
+#endif
+
+#ifndef SYS_SECCOMP
+#define SYS_SECCOMP 1
+#endif
+
+int seccomp_install_syscall_debug(void);
+
+#endif
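Review bot: The include guard is `QEMU_SECCOMP_TRAP_H` while the file is qemu-seccomp-debug.h and the sibling header visible in the qemu-seccomp.h hunk uses `QEMU_SECCOMP_H`; renaming it to `QEMU_SECCOMP_DEBUG_H` keeps the guard derivable from the file name, and the file header's "Trap system calls helper functions" should likewise match the .c file's "Debug system calls helper functions". The per-architecture `<asm/unistd_32.h>`/`<asm/unistd_64.h>` includes bring in the `__NR_*` numbers, but nothing in this series reads them, so the `#include` lines can be dropped or given a comment stating what they are for. `REG_EAX`/`REG_RAX` and `ucontext_t` come from `<sys/ucontext.h>` and are only exposed under `_GNU_SOURCE`; if the build's CFLAGS are what supply it, a one-line comment such as `/* REG_* and ucontext_t require _GNU_SOURCE (set in QEMU's CFLAGS) */` makes that dependency explicit.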
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index d5a3b0f..d2177f8 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -454,7 +454,7 @@ static int process_list(scmp_filter_ctx *ctx,
unsigned int i = 0;
for (i = 0; i < list_size; i++) {
- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, list[i].num, 0);
+ rc = seccomp_rule_add(ctx, SECCOMP_ALLOW, list[i].num, 0);
if (rc < 0) {
return rc;
}
@@ -474,7 +474,7 @@ int seccomp_install_filter(int state)
#ifdef CONFIG_SECCOMP
scmp_filter_ctx ctx = NULL;
- ctx = seccomp_init(SCMP_ACT_KILL);
+ ctx = seccomp_init(SECCOMP_DENY);
if (ctx == NULL) {
rc = -1;
goto seccomp_return;
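Review bot: `seccomp_init(SECCOMP_DENY)` now picks the filter's default action from a build-time macro, and nothing at the call site says that a CONFIG_SECCOMP_DEBUG build gets SCMP_ACT_TRAP instead of SCMP_ACT_KILL; a comment such as `/* SECCOMP_DENY is SCMP_ACT_TRAP in CONFIG_SECCOMP_DEBUG builds (SIGSYS is caught and the syscall number reported), SCMP_ACT_KILL otherwise */` keeps that visible to whoever reads the filter setup. seccomp_install_filter continues beyond the hunk.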
diff --git a/qemu-seccomp.h b/qemu-seccomp.h
index 029c111..3fd6ad3 100644
--- a/qemu-seccomp.h
+++ b/qemu-seccomp.h
@@ -15,10 +15,23 @@
#ifndef QEMU_SECCOMP_H
#define QEMU_SECCOMP_H
+#include <stdint.h>
#ifdef CONFIG_SECCOMP
#include <seccomp.h>
#endif
+#define SECCOMP_ALLOW SCMP_ACT_ALLOW
+
+#ifdef CONFIG_SECCOMP
+#ifdef CONFIG_SECCOMP_DEBUG
+#define SECCOMP_DENY SCMP_ACT_TRAP
+#else
+#define SECCOMP_DENY SCMP_ACT_KILL
+#endif
+#else
+#define SECCOMP_DENY 0
+#endif
+
enum seccomp_states {
SECCOMP_OFF,
SECCOMP_ON,
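Review bot: `SECCOMP_ALLOW` is defined unconditionally as `SCMP_ACT_ALLOW` (a name that only exists when `<seccomp.h>` is included), while `SECCOMP_DENY` gets a `0` fallback for the !CONFIG_SECCOMP case; the two should be treated alike, and if, as the seccomp_install_filter hunk suggests, every libseccomp call in qemu-seccomp.c sits under `#ifdef CONFIG_SECCOMP`, the simplest form is to move `#define SECCOMP_ALLOW SCMP_ACT_ALLOW` into the `#ifdef CONFIG_SECCOMP` block and drop the `SECCOMP_DENY 0` fallback. The added `#include <stdint.h>` has no user in this hunk; if a later change needs it, say so in a comment, otherwise remove it. The `SECCOMP_` prefix is also the kernel's (`SECCOMP_MODE_*`, `SECCOMP_RET_*` in linux/seccomp.h), so a `QEMU_SECCOMP_` prefix would avoid a future clash.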
diff --git a/qemu-thread-posix.c b/qemu-thread-posix.c
index 4ef9c7b..3c67732 100644
--- a/qemu-thread-posix.c
+++ b/qemu-thread-posix.c
@@ -288,6 +288,9 @@ void qemu_thread_create(QemuThread *thread,
/* Leave signal handling to the iothread. */
sigfillset(&set);
+#ifdef CONFIG_SECCOMP_DEBUG
+ sigdelset(&set, SIGSYS);
+#endif
pthread_sigmask(SIG_SETMASK, &set, &oldset);
err = pthread_create(&thread->thread, &attr, start_routine, arg);
if (err)
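Review bot: `sigdelset(&set, SIGSYS)` only covers threads started through qemu_thread_create; a thread that a library creates directly with pthread_create inherits whatever mask its creator had, and a thread holding SIGSYS blocked still dies on a trapped syscall because, as far as I recall, the kernel forces a blocked synchronously generated SIGSYS back to its default action instead of queueing it. That would print nothing and may be what the "Bad system call" exit reported later in this thread looks like, so the limitation deserves a comment next to this line, e.g. `/* SIGSYS must stay unblocked in every thread for the seccomp debug handler to run; a blocked SIGSYS from the filter is fatal */`. qemu_thread_create starts and ends outside the hunk.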
diff --git a/vl.c b/vl.c
index 80b1fff..8f970e4 100644
--- a/vl.c
+++ b/vl.c
@@ -65,6 +65,9 @@
#endif
#include "qemu-seccomp.h"
+#ifdef CONFIG_SECCOMP_DEBUG
+#include "qemu-seccomp-debug.h"
+#endif
#ifdef __sun__
#include <sys/stat.h>
@@ -3483,6 +3486,13 @@ int main(int argc, char **argv, char **envp)
}
if (seccomp_get_state() == SECCOMP_ON) {
+#ifdef CONFIG_SECCOMP_DEBUG
+ if (seccomp_install_syscall_debug() < 0) {
+ fprintf(stderr,
+ "failed to install seccomp syscall debug support\n");
+ exit(1);
+ }
+#endif
if (seccomp_install_filter(SECCOMP_INIT) < 0) {
fprintf(stderr, "failed to install seccomp syscall "
"initialization filter\n");
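Review bot: In a CONFIG_SECCOMP_DEBUG build the filter installed just below traps instead of kills, and since syscall_debug returns after printing, QEMU presumably continues past the denied call; nothing in the startup output tells an operator that the sandbox is running in that weakened mode. After a successful `seccomp_install_syscall_debug()` a line such as `fprintf(stderr, "seccomp: debug mode, denied syscalls are trapped and reported, not fatal\n");` makes it visible in logs that this is a development build. main continues outside the hunk.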
--
1.7.10.4
* Re: [Qemu-devel] [PATCHv3 1/5] seccomp: adding new syscalls (bugzilla 855162)
From: Eduardo Otubo @ 2012-11-21 13:20 UTC (permalink / raw)
To: qemu-devel; +Cc: pmoore, coreyb
Hello folks,
Has anyone had a chance to take a look at this? We would like to get
this into the 1.3 release.
Thanks again :)
On Mon, Nov 12, 2012 at 05:48:14PM -0200, Eduardo Otubo wrote:
> According to the bug 855162[0] - there's the need of adding new syscalls
> to the whitelist when using Qemu with Libvirt.
>
> [0] - https://bugzilla.redhat.com/show_bug.cgi?id=855162
>
> v2: Adding new syscalls to the list: readlink, rt_sigpending, and
> rt_sigtimedwait
>
> v3:
> * Added new syscalls based on further tests.
> * Added new syscalls with priority 241 that are unknown to be
> used by QEMU. We'll attempt to remove these after QEMU 1.3.
>
> Reported-by: Paul Moore <pmoore@redhat.com>
> Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
> Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
> ---
> qemu-seccomp.c | 148 +++++++++++++++++++++++++++++++++++++++++++++++++-------
> 1 file changed, 131 insertions(+), 17 deletions(-)
>
> diff --git a/qemu-seccomp.c b/qemu-seccomp.c
> index 64329a3..b06a2c6 100644
> --- a/qemu-seccomp.c
> +++ b/qemu-seccomp.c
> @@ -26,8 +26,12 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
> { SCMP_SYS(timer_gettime), 254 },
> { SCMP_SYS(futex), 253 },
> { SCMP_SYS(select), 252 },
> +#if defined(__x86_64__)
> { SCMP_SYS(recvfrom), 251 },
> { SCMP_SYS(sendto), 250 },
> +#elif defined(__i386__)
> + { SCMP_SYS(socketcall), 250 },
> +#endif
> { SCMP_SYS(read), 249 },
> { SCMP_SYS(brk), 248 },
> { SCMP_SYS(clone), 247 },
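Review bot: On i386 the single `socketcall` entry admits every socket operation at once (socket, bind, connect, accept, send/recv and the rest), whereas the x86_64 side lists `recvfrom` and `sendto` individually, so the two architectures end up with different effective policies; the same holds for the i386 `ipc` entry in the next hunk versus the separate `semget` on x86_64. A comment on the `socketcall` line such as `/* i386 multiplexes all socket calls through socketcall; this allows every socket operation */` keeps the asymmetry from being read as an oversight and records that tightening it would need argument filtering. `seccomp_whitelist[]` starts before the hunk.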
> @@ -36,15 +40,30 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
> { SCMP_SYS(execve), 245 },
> { SCMP_SYS(open), 245 },
> { SCMP_SYS(ioctl), 245 },
> +#if defined(__x86_64__)
> + { SCMP_SYS(socket), 245 },
> + { SCMP_SYS(setsockopt), 245 },
> { SCMP_SYS(recvmsg), 245 },
> { SCMP_SYS(sendmsg), 245 },
> { SCMP_SYS(accept), 245 },
> { SCMP_SYS(connect), 245 },
> + { SCMP_SYS(socketpair), 245 },
> + { SCMP_SYS(bind), 245 },
> + { SCMP_SYS(listen), 245 },
> + { SCMP_SYS(semget), 245 },
> +#elif defined(__i386__)
> + { SCMP_SYS(ipc), 245 },
> +#endif
> { SCMP_SYS(gettimeofday), 245 },
> { SCMP_SYS(readlink), 245 },
> { SCMP_SYS(access), 245 },
> { SCMP_SYS(prctl), 245 },
> { SCMP_SYS(signalfd), 245 },
> + { SCMP_SYS(getrlimit), 245 },
> + { SCMP_SYS(set_tid_address), 245 },
> + { SCMP_SYS(statfs), 245 },
> + { SCMP_SYS(unlink), 245 },
> + { SCMP_SYS(wait4), 245 },
> #if defined(__i386__)
> { SCMP_SYS(fcntl64), 245 },
> { SCMP_SYS(fstat64), 245 },
> @@ -56,24 +75,26 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
> { SCMP_SYS(sigreturn), 245 },
> { SCMP_SYS(_newselect), 245 },
> { SCMP_SYS(_llseek), 245 },
> - { SCMP_SYS(mmap2), 245},
> + { SCMP_SYS(mmap2), 245 },
> { SCMP_SYS(sigprocmask), 245 },
> -#elif defined(__x86_64__)
> - { SCMP_SYS(sched_getparam), 245},
> - { SCMP_SYS(sched_getscheduler), 245},
> - { SCMP_SYS(fstat), 245},
> - { SCMP_SYS(clock_getres), 245},
> - { SCMP_SYS(sched_get_priority_min), 245},
> - { SCMP_SYS(sched_get_priority_max), 245},
> - { SCMP_SYS(stat), 245},
> - { SCMP_SYS(socket), 245},
> - { SCMP_SYS(setsockopt), 245},
> - { SCMP_SYS(uname), 245},
> - { SCMP_SYS(semget), 245},
> #endif
> + { SCMP_SYS(sched_getparam), 245 },
> + { SCMP_SYS(sched_getscheduler), 245 },
> + { SCMP_SYS(fstat), 245 },
> + { SCMP_SYS(clock_getres), 245 },
> + { SCMP_SYS(sched_get_priority_min), 245 },
> + { SCMP_SYS(sched_get_priority_max), 245 },
> + { SCMP_SYS(stat), 245 },
> + { SCMP_SYS(uname), 245 },
> { SCMP_SYS(eventfd2), 245 },
> { SCMP_SYS(dup), 245 },
> + { SCMP_SYS(dup2), 245 },
> + { SCMP_SYS(dup3), 245 },
> { SCMP_SYS(gettid), 245 },
> + { SCMP_SYS(getgid), 245 },
> + { SCMP_SYS(getegid), 245 },
> + { SCMP_SYS(getuid), 245 },
> + { SCMP_SYS(geteuid), 245 },
> { SCMP_SYS(timer_create), 245 },
> { SCMP_SYS(exit), 245 },
> { SCMP_SYS(clock_gettime), 245 },
> @@ -93,8 +114,6 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
> { SCMP_SYS(lseek), 245 },
> { SCMP_SYS(pselect6), 245 },
> { SCMP_SYS(fork), 245 },
> - { SCMP_SYS(bind), 245 },
> - { SCMP_SYS(listen), 245 },
> { SCMP_SYS(eventfd), 245 },
> { SCMP_SYS(rt_sigprocmask), 245 },
> { SCMP_SYS(write), 244 },
> @@ -104,10 +123,105 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
> { SCMP_SYS(pipe2), 242 },
> { SCMP_SYS(munmap), 242 },
> { SCMP_SYS(mremap), 242 },
> + { SCMP_SYS(fdatasync), 242 },
> + { SCMP_SYS(close), 242 },
> + { SCMP_SYS(rt_sigpending), 242 },
> + { SCMP_SYS(rt_sigtimedwait), 242 },
> + { SCMP_SYS(readv), 242 },
> + { SCMP_SYS(writev), 242 },
> + { SCMP_SYS(preadv), 242 },
> + { SCMP_SYS(pwritev), 242 },
> + { SCMP_SYS(setrlimit), 242 },
> + { SCMP_SYS(ftruncate), 242 },
> + { SCMP_SYS(lstat), 242 },
> + { SCMP_SYS(pipe), 242 },
> + { SCMP_SYS(umask), 242 },
> + { SCMP_SYS(chdir), 242 },
> + { SCMP_SYS(setitimer), 242 },
> + { SCMP_SYS(setsid), 242 },
> + { SCMP_SYS(poll), 242 },
> +#if defined(__i386__)
> + { SCMP_SYS(waitpid), 242 },
> +#elif defined(__x86_64__)
> { SCMP_SYS(getsockname), 242 },
> { SCMP_SYS(getpeername), 242 },
> - { SCMP_SYS(fdatasync), 242 },
> - { SCMP_SYS(close), 242 }
> + { SCMP_SYS(accept4), 242 },
> + { SCMP_SYS(newfstatat), 241 },
> + { SCMP_SYS(shutdown), 241 },
> + { SCMP_SYS(getsockopt), 241 },
> + { SCMP_SYS(semctl), 241 },
> + { SCMP_SYS(semop), 241 },
> + { SCMP_SYS(semtimedop), 241 },
> +#endif
> + { SCMP_SYS(ppoll), 241 },
> + { SCMP_SYS(creat), 241 },
> + { SCMP_SYS(link), 241 },
> + { SCMP_SYS(getpid), 241 },
> + { SCMP_SYS(getppid), 241 },
> + { SCMP_SYS(getpgrp), 241 },
> + { SCMP_SYS(getpgid), 241 },
> + { SCMP_SYS(getsid), 241 },
> + { SCMP_SYS(getdents64), 241 },
> + { SCMP_SYS(getresuid), 241 },
> + { SCMP_SYS(getresgid), 241 },
> + { SCMP_SYS(getgroups), 241 },
> +#if defined(__i386__)
> + { SCMP_SYS(getresuid32), 241 },
> + { SCMP_SYS(getresgid32), 241 },
> + { SCMP_SYS(getgroups32), 241 },
> + { SCMP_SYS(signal), 241 },
> + { SCMP_SYS(sigaction), 241 },
> + { SCMP_SYS(sigsuspend), 241 },
> + { SCMP_SYS(sigpending), 241 },
> + { SCMP_SYS(truncate64), 241 },
> + { SCMP_SYS(ftruncate64), 241 },
> + { SCMP_SYS(fchown32), 241 },
> + { SCMP_SYS(chown32), 241 },
> + { SCMP_SYS(lchown32), 241 },
> + { SCMP_SYS(statfs64), 241 },
> + { SCMP_SYS(fstatfs64), 241 },
> + { SCMP_SYS(fstatat64), 241 },
> + { SCMP_SYS(lstat64), 241 },
> + { SCMP_SYS(sendfile64), 241 },
> + { SCMP_SYS(ugetrlimit), 241 },
> +#endif
> + { SCMP_SYS(alarm), 241 },
> + { SCMP_SYS(rt_sigsuspend), 241 },
> + { SCMP_SYS(rt_sigqueueinfo), 241 },
> + { SCMP_SYS(rt_tgsigqueueinfo), 241 },
> + { SCMP_SYS(sigaltstack), 241 },
> + { SCMP_SYS(signalfd4), 241 },
> + { SCMP_SYS(truncate), 241 },
> + { SCMP_SYS(fchown), 241 },
> + { SCMP_SYS(lchown), 241 },
> + { SCMP_SYS(fchownat), 241 },
> + { SCMP_SYS(fstatfs), 241 },
> + { SCMP_SYS(sendfile), 241 },
> + { SCMP_SYS(getitimer), 241 },
> + { SCMP_SYS(syncfs), 241 },
> + { SCMP_SYS(fsync), 241 },
> + { SCMP_SYS(fchdir), 241 },
> + { SCMP_SYS(flock), 241 },
> + { SCMP_SYS(msync), 241 },
> + { SCMP_SYS(sched_setparam), 241 },
> + { SCMP_SYS(sched_setscheduler), 241 },
> + { SCMP_SYS(sched_yield), 241 },
> + { SCMP_SYS(sched_rr_get_interval), 241 },
> + { SCMP_SYS(sched_setaffinity), 241 },
> + { SCMP_SYS(sched_getaffinity), 241 },
> + { SCMP_SYS(readahead), 241 },
> + { SCMP_SYS(timer_getoverrun), 241 },
> + { SCMP_SYS(unlinkat), 241 },
> + { SCMP_SYS(readlinkat), 241 },
> + { SCMP_SYS(faccessat), 241 },
> + { SCMP_SYS(get_robust_list), 241 },
> + { SCMP_SYS(splice), 241 },
> + { SCMP_SYS(vmsplice), 241 },
> + { SCMP_SYS(getcpu), 241 },
> + { SCMP_SYS(sendmmsg), 241 },
> + { SCMP_SYS(recvmmsg), 241 },
> + { SCMP_SYS(prlimit64), 241 },
> + { SCMP_SYS(waitid), 241 }
> };
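Review bot: The priority-241 entries from `ppoll` to `waitid` are described in the commit message as syscalls not known to be used by QEMU, added now and to be removed after 1.3; in an allow-list that works against the filter's purpose, because an entry QEMU never issues only widens what a compromised process may call. If they stay, the table should carry that rationale, e.g. `/* priority 241: not observed in QEMU; added for 1.3, verify with the seccomp debug mode and drop when confirmed unused */`, so the promised cleanup is not lost once the message is no longer in view. `seccomp_whitelist[]` starts before the hunk.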
>
> int seccomp_start(void)
> --
> 1.7.10.4
>
* Re: [Qemu-devel] [PATCHv3 2/5] seccomp: setting "-sandbox on" as deafult
From: Andreas Färber @ 2012-11-21 15:20 UTC (permalink / raw)
To: Eduardo Otubo; +Cc: pmoore, coreyb, qemu-devel
Am 12.11.2012 20:48, schrieb Eduardo Otubo:
> Now the seccomp filter will be set to "on" even if no argument
> "-sandbox" is given.
>
> v3: * Introduced seccomp_states enum and new functions named
> seccomp_set_state() and seccomp_get_state()
> (pbonzini@redhat.com).
> * Merged seccomp_start() and install_seccomp_filter(),
> moved install_seccomp_filter() to qemu-seccomp.c,
> and renamed it.
> * Moved CONFIG_SECCOMP pre-processor checks from Makefile.objs
> to qemu-seccomp.c.
> * Replace qerror_report with fprintf(stderr, "..") in main()
> (lcapitulino@redhat.com).
>
> Note: This support requires libseccomp. If you don't have access
> to libseccomp packages, you can manually build with the following
> steps:
>
> 1) git clone git://git.code.sf.net/p/libseccomp/libseccomp
> 2) cd libseccomp
> 3) ./configure
> 4) make
> 5) make install
> 6) export PKG_CONFIG_PATH="/usr/local/lib/pkgconfig/"
To my understanding libseccomp specifically filters Linux syscalls, no?
Are you positive that building and enabling this by default works with
mingw32, bsd, darwin, etc. and makes sense?
Regards,
Andreas
--
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg
* Re: [Qemu-devel] [PATCHv3 1/5] seccomp: adding new syscalls (bugzilla 855162)
From: Paul Moore @ 2012-11-21 15:24 UTC (permalink / raw)
To: Eduardo Otubo, coreyb; +Cc: qemu-devel
On Wednesday, November 21, 2012 11:20:44 AM Eduardo Otubo wrote:
> Hello folks,
>
> Does anyone had a chance to take a look at this? We would like to get
> this into the 1.3 release.
>
> Thanks again :)
I was a bit delayed due to travel, but I started playing with it a bit
yesterday afternoon and unfortunately it still doesn't work for me (using the
same test/reproducer I documented in the RH BZ). I've tried running QEMU both
via libvirt and the command line (using a libvirt derived command line).
I'm applying the patches to the F17 QEMU 1.2 package; there is some minor
fixup needed in the configure script but nothing major.
What is further frustrating is that the debug code (patch 5/5) doesn't seem to
output the problematic syscall. I wanted to investigate this a bit more
before responding, but with the holiday approaching (Thanksgiving in the US),
I'm not sure how much progress I'll be able to make for the remainder of this
week. Sorry about that.
If you have any further questions about how, or what, I'm testing, just ask.
--
paul moore
security and virtualization @ redhat
* Re: [Qemu-devel] [PATCHv3 1/5] seccomp: adding new syscalls (bugzilla 855162)
From: Andreas Färber @ 2012-11-21 15:30 UTC (permalink / raw)
To: Eduardo Otubo; +Cc: pmoore, coreyb, qemu-devel
Hello,
Am 21.11.2012 14:20, schrieb Eduardo Otubo:
> Does anyone had a chance to take a look at this? We would like to get
> this into the 1.3 release.
We're in Hard Freeze, so in theory only bug fixes will get accepted for
v1.3. Patches intended for 1.3 should be marked "for-1.3" during this
period.
Some formal comments: Please supply a minimal cover letter for a patch
series to aid threaded display. We have been asked to not include patch
versioning in the commit message (which gets committed) but in the cover
letter or hidden below the --- line of the patches.
Regards,
Andreas
--
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg
* Re: [Qemu-devel] [PATCHv3 1/5] seccomp: adding new syscalls (bugzilla 855162)
From: Corey Bryant @ 2012-11-26 16:41 UTC (permalink / raw)
To: Paul Moore; +Cc: qemu-devel, Eduardo Otubo
On 11/21/2012 10:24 AM, Paul Moore wrote:
> On Wednesday, November 21, 2012 11:20:44 AM Eduardo Otubo wrote:
>> Hello folks,
>>
>> Does anyone had a chance to take a look at this? We would like to get
>> this into the 1.3 release.
>>
>> Thanks again :)
>
> I way a bit delayed due to travel, but I started playing with it a bit
> yesterday afternoon and unfortunately it still doesn't work for me (using the
> same test/reproducer I documented in the RH BZ). I've tried running QEMU both
> via libvirt and the command line (using a libvirt derived command line).
>
> I'm applying the patches to the F17 QEMU 1.2 package; there is some minor
> fixup needed in the configure script but nothing major.
>
> What is further frustrating is that the debug code (patch 5/5) doesn't seem to
> output the problematic syscall. I wanted to investigate this a bit more
> before responding, but with the holiday approaching (Thanksgiving in the US),
> I'm not sure how much progress I'll be able to make for the remainder of this
> week. Sorry about that.
>
> If you have any further questions about how, or what, I'm testing, just ask.
>
Paul, is your host 32-bit or 64-bit?
--
Regards,
Corey Bryant
* Re: [Qemu-devel] [PATCHv3 1/5] seccomp: adding new syscalls (bugzilla 855162)
From: Paul Moore @ 2012-11-26 17:08 UTC (permalink / raw)
To: Corey Bryant; +Cc: qemu-devel, Eduardo Otubo
On Monday, November 26, 2012 11:41:06 AM Corey Bryant wrote:
> On 11/21/2012 10:24 AM, Paul Moore wrote:
> > On Wednesday, November 21, 2012 11:20:44 AM Eduardo Otubo wrote:
> >> Hello folks,
> >>
> >> Does anyone had a chance to take a look at this? We would like to get
> >> this into the 1.3 release.
> >>
> >> Thanks again :)
> >
> > I way a bit delayed due to travel, but I started playing with it a bit
> > yesterday afternoon and unfortunately it still doesn't work for me (using
> > the same test/reproducer I documented in the RH BZ). I've tried running
> > QEMU both via libvirt and the command line (using a libvirt derived
> > command line).
> >
> > I'm applying the patches to the F17 QEMU 1.2 package; there is some minor
> > fixup needed in the configure script but nothing major.
> >
> > What is further frustrating is that the debug code (patch 5/5) doesn't
> > seem to output the problematic syscall. I wanted to investigate this a
> > bit more before responding, but with the holiday approaching
> > (Thanksgiving in the US), I'm not sure how much progress I'll be able to
> > make for the remainder of this week. Sorry about that.
> >
> > If you have any further questions about how, or what, I'm testing, just
> > ask.
>
> Paul, Is your host 32 or 64-bit?
64-bit
--
paul moore
security and virtualization @ redhat
* Re: [Qemu-devel] [PATCHv3 1/5] seccomp: adding new syscalls (bugzilla 855162)
From: Corey Bryant @ 2012-11-26 19:59 UTC (permalink / raw)
To: Paul Moore; +Cc: qemu-devel, Eduardo Otubo
On 11/26/2012 12:08 PM, Paul Moore wrote:
> On Monday, November 26, 2012 11:41:06 AM Corey Bryant wrote:
>> On 11/21/2012 10:24 AM, Paul Moore wrote:
>>> On Wednesday, November 21, 2012 11:20:44 AM Eduardo Otubo wrote:
>>>> Hello folks,
>>>>
>>>> Does anyone had a chance to take a look at this? We would like to get
>>>> this into the 1.3 release.
>>>>
>>>> Thanks again :)
>>>
>>> I way a bit delayed due to travel, but I started playing with it a bit
>>> yesterday afternoon and unfortunately it still doesn't work for me (using
>>> the same test/reproducer I documented in the RH BZ). I've tried running
>>> QEMU both via libvirt and the command line (using a libvirt derived
>>> command line).
>>>
>>> I'm applying the patches to the F17 QEMU 1.2 package; there is some minor
>>> fixup needed in the configure script but nothing major.
>>>
>>> What is further frustrating is that the debug code (patch 5/5) doesn't
>>> seem to output the problematic syscall. I wanted to investigate this a
>>> bit more before responding, but with the holiday approaching
>>> (Thanksgiving in the US), I'm not sure how much progress I'll be able to
>>> make for the remainder of this week. Sorry about that.
>>>
>>> If you have any further questions about how, or what, I'm testing, just
>>> ask.
>>
>> Paul, Is your host 32 or 64-bit?
>
> 64-bit
>
I'm having trouble recreating this. I'm running a Fedora 17 64-bit host
and a Fedora 17 64-bit guest with domain XML that mirrors yours.
Here's the domain XML I'm using and the resulting QEMU command line:
Domain XML: http://pastebin.com/DWa4RQ1Y
Command line: http://pastebin.com/2QTWsUhP
I'm running with QEMU commit 8db972cfa469b4e4afd9c65e54e796b83b5ce3a2
which is 1.2.0 with: (a) just the first patch applied, as well as with
(b) all of this patch series applied.
Any thoughts on what could be different?
--
Regards,
Corey Bryant
* Re: [Qemu-devel] [PATCHv3 1/5] seccomp: adding new syscalls (bugzilla 855162)
From: Paul Moore @ 2012-11-26 20:41 UTC (permalink / raw)
To: Corey Bryant; +Cc: qemu-devel, Eduardo Otubo
On Monday, November 26, 2012 02:59:21 PM Corey Bryant wrote:
> On 11/26/2012 12:08 PM, Paul Moore wrote:
> > On Monday, November 26, 2012 11:41:06 AM Corey Bryant wrote:
> >> On 11/21/2012 10:24 AM, Paul Moore wrote:
> >>> On Wednesday, November 21, 2012 11:20:44 AM Eduardo Otubo wrote:
> >>>> Hello folks,
> >>>>
> >>>> Does anyone had a chance to take a look at this? We would like to get
> >>>> this into the 1.3 release.
> >>>>
> >>>> Thanks again :)
> >>>
> >>> I way a bit delayed due to travel, but I started playing with it a bit
> >>> yesterday afternoon and unfortunately it still doesn't work for me
> >>> (using the same test/reproducer I documented in the RH BZ). I've tried
> >>> running QEMU both via libvirt and the command line (using a libvirt
> >>> derived command line).
> >>>
> >>> I'm applying the patches to the F17 QEMU 1.2 package; there is some
> >>> minor fixup needed in the configure script but nothing major.
> >>>
> >>> What is further frustrating is that the debug code (patch 5/5) doesn't
> >>> seem to output the problematic syscall. I wanted to investigate this a
> >>> bit more before responding, but with the holiday approaching
> >>> (Thanksgiving in the US), I'm not sure how much progress I'll be able to
> >>> make for the remainder of this week. Sorry about that.
> >>>
> >>> If you have any further questions about how, or what, I'm testing, just
> >>> ask.
> >>
> >> Paul, Is your host 32 or 64-bit?
> >
> > 64-bit
>
> I'm having trouble recreating this. I'm running a Fedora 17 64-bit host
> and a Fedora 17 64-bit guest with domain XML that mirrors yours.
>
> Here's the domain XML I'm using and the resulting QEMU command line:
>
> Domain XML: http://pastebin.com/DWa4RQ1Y
> Command line: http://pastebin.com/2QTWsUhP
>
> I'm running with QEMU commit 8db972cfa469b4e4afd9c65e54e796b83b5ce3a2
> which is 1.2.0 with: (a) just the first patch applied, as well as with
> (b) all of this patch series applied.
>
> Any thoughts on what could be different?
Like I said earlier, I'm running with the F17 QEMU 1.2 package,
qemu-1.2.0-16.fc18 to be exact, with Eduardo's patches applied on top.
I'm currently testing another set of interim patches from Eduardo that was
sent off-list for testing (you were CC'd); hopefully that will resolve the
problem.
--
paul moore
security and virtualization @ redhat
* Re: [Qemu-devel] [PATCHv3 1/5] seccomp: adding new syscalls (bugzilla 855162)
From: Paul Moore @ 2012-11-26 21:48 UTC (permalink / raw)
To: Corey Bryant, Eduardo Otubo; +Cc: qemu-devel
On Monday, November 26, 2012 03:41:00 PM Paul Moore wrote:
> On Monday, November 26, 2012 02:59:21 PM Corey Bryant wrote:
> > On 11/26/2012 12:08 PM, Paul Moore wrote:
> > > On Monday, November 26, 2012 11:41:06 AM Corey Bryant wrote:
> > >> On 11/21/2012 10:24 AM, Paul Moore wrote:
> > >>> On Wednesday, November 21, 2012 11:20:44 AM Eduardo Otubo wrote:
> > >>>> Hello folks,
> > >>>>
> > >>>> Does anyone had a chance to take a look at this? We would like to get
> > >>>> this into the 1.3 release.
> > >>>>
> > >>>> Thanks again :)
> > >>>
> > >>> I way a bit delayed due to travel, but I started playing with it a bit
> > >>> yesterday afternoon and unfortunately it still doesn't work for me
> > >>> (using the same test/reproducer I documented in the RH BZ). I've
> > >>> tried running QEMU both via libvirt and the command line (using a
> > >>> libvirt derived command line).
> > >>>
> > >>> I'm applying the patches to the F17 QEMU 1.2 package; there is some
> > >>> minor fixup needed in the configure script but nothing major.
> > >>>
> > >>> What is further frustrating is that the debug code (patch 5/5) doesn't
> > >>> seem to output the problematic syscall. I wanted to investigate this
> > >>> a bit more before responding, but with the holiday approaching
> > >>> (Thanksgiving in the US), I'm not sure how much progress I'll be able
> > >>> to make for the remainder of this week. Sorry about that.
> > >>>
> > >>> If you have any further questions about how, or what, I'm testing,
> > >>> just ask.
> > >>
> > >> Paul, Is your host 32 or 64-bit?
> > >
> > > 64-bit
> >
> > I'm having trouble recreating this. I'm running a Fedora 17 64-bit host
> > and a Fedora 17 64-bit guest with domain XML that mirrors yours.
> >
> > Here's the domain XML I'm using and the resulting QEMU command line:
> >
> > Domain XML: http://pastebin.com/DWa4RQ1Y
> > Command line: http://pastebin.com/2QTWsUhP
> >
> > I'm running with QEMU commit 8db972cfa469b4e4afd9c65e54e796b83b5ce3a2
> > which is 1.2.0 with: (a) just the first patch applied, as well as with
> > (b) all of this patch series applied.
> >
> > Any thoughts on what could be different?
>
> Like I said earlier, I'm running with the F17 QEMU 1.2 package,
> qemu-1.2.0-16.fc18 to be exact, with Eduardo's patches applied on top.
>
> I'm currently testing another set of interim patches from Eduardo that was
> sent off-list for testing (you were CC'd); hopefully that will resolve the
> problem.
Unfortunately, the latest patches from Eduardo met with the same fate. Here
is more detailed information on my system (HP DL160 G5, F17, 64-bit):
# uname -r
3.6.7-4.fc17.x86_64
[NOTE: standard F17 kernel]
# rpm -qa | grep qemu
qemu-kvm-tools-1.2.0-16.pm5.fc17.x86_64
qemu-common-1.2.0-16.pm5.fc17.x86_64
qemu-kvm-1.2.0-16.pm5.fc17.x86_64
ipxe-roms-qemu-20120328-1.gitaac9718.fc17.noarch
qemu-img-1.2.0-16.pm5.fc17.x86_64
qemu-system-x86-1.2.0-16.pm5.fc17.x86_64
[NOTE: the 'pm5' is my designation indicating the patched version]
# ./qemu_seccomp.sh -sandbox off
char device redirected to /dev/pts/0
do_spice_init: starting 0.10.1
spice_server_add_interface: SPICE_INTERFACE_MIGRATION
spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
spice_server_add_interface: SPICE_INTERFACE_MOUSE
spice_server_add_interface: SPICE_INTERFACE_QXL
red_worker_main: begin
display_channel_create: create display channel
cursor_channel_create: create cursor channel
spice_server_add_interface: SPICE_INTERFACE_PLAYBACK
spice_server_add_interface: SPICE_INTERFACE_RECORD
[NOTE: I hit Ctrl-C at this point]
qemu: terminating on signal 2
spice_server_remove_interface: remove SPICE_INTERFACE_PLAYBACK
spice_server_remove_interface: remove SPICE_INTERFACE_RECORD
# ./qemu_seccomp.sh -sandbox on
char device redirected to /dev/pts/0
do_spice_init: starting 0.10.1
spice_server_add_interface: SPICE_INTERFACE_MIGRATION
spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
spice_server_add_interface: SPICE_INTERFACE_MOUSE
spice_server_add_interface: SPICE_INTERFACE_QXL
red_worker_main: begin
./qemu_seccomp.sh: line 28: 21085 Bad system call /usr/bin/qemu-kvm -S
-M pc-0.14 -enable-kvm -m 2048 -smp 2,sockets=2,cores=1,threads=1 -name f16-
test-1 -uuid 13c7da9b-a79a-0688-267a-8206136bc8d6 -nodefconfig -nodefaults -
chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/f16-
test-1.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control
-rtc base=utc -no-shutdown -device virtio-serial-pci,id=virtio-
serial0,bus=pci.0,addr=0x5 -device piix3-usb-
uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/images/f16-
test-1.img,if=none,id=drive-virtio-disk0,format=raw -device virtio-blk-
pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-
disk0,bootindex=1 -netdev user,id=hostnet0 -device virtio-net-
pci,netdev=hostnet0,id=net0,mac=52:54:00:9a:9d:63,bus=pci.0,addr=0x3 -chardev
pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev
spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-
serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -
device usb-tablet,id=input0 -spice port=5900,addr=127.0.0.1,disable-ticketing
-vga qxl -global qxl-vga.vram_size=67108864 -device intel-
hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-
codec0,bus=sound0.0,cad=0 -device virtio-balloon-
pci,id=balloon0,bus=pci.0,addr=0x7 $*
[NOTE: my test script, qemu_seccomp.sh, is attached]
--
paul moore
security and virtualization @ redhat
[-- Attachment #2: qemu_seccomp.sh --]
[-- Type: application/x-shellscript, Size: 1388 bytes --]
* Re: [Qemu-devel] [PATCHv3 1/5] seccomp: adding new syscalls (bugzilla 855162)
2012-11-26 21:48 ` Paul Moore
@ 2012-11-27 16:11 ` Corey Bryant
2012-11-27 16:15 ` Paul Moore
0 siblings, 1 reply; 18+ messages in thread
From: Corey Bryant @ 2012-11-27 16:11 UTC (permalink / raw)
To: Paul Moore; +Cc: qemu-devel, Eduardo Otubo
On 11/26/2012 04:48 PM, Paul Moore wrote:
> On Monday, November 26, 2012 03:41:00 PM Paul Moore wrote:
>> On Monday, November 26, 2012 02:59:21 PM Corey Bryant wrote:
>>> On 11/26/2012 12:08 PM, Paul Moore wrote:
>>>> On Monday, November 26, 2012 11:41:06 AM Corey Bryant wrote:
>>>>> On 11/21/2012 10:24 AM, Paul Moore wrote:
>>>>>> On Wednesday, November 21, 2012 11:20:44 AM Eduardo Otubo wrote:
>>>>>>> Hello folks,
>>>>>>>
>>>>>>> Does anyone had a chance to take a look at this? We would like to get
>>>>>>> this into the 1.3 release.
>>>>>>>
>>>>>>> Thanks again :)
>>>>>>
>>>>>> I was a bit delayed due to travel, but I started playing with it a bit
>>>>>> yesterday afternoon and unfortunately it still doesn't work for me
>>>>>> (using the same test/reproducer I documented in the RH BZ). I've
>>>>>> tried running QEMU both via libvirt and the command line (using a
>>>>>> libvirt derived command line).
>>>>>>
>>>>>> I'm applying the patches to the F17 QEMU 1.2 package; there is some
>>>>>> minor fixup needed in the configure script but nothing major.
>>>>>>
>>>>>> What is further frustrating is that the debug code (patch 5/5) doesn't
>>>>>> seem to output the problematic syscall. I wanted to investigate this
>>>>>> a bit more before responding, but with the holiday approaching
>>>>>> (Thanksgiving in the US), I'm not sure how much progress I'll be able
>>>>>> to make for the remainder of this week. Sorry about that.
>>>>>>
>>>>>> If you have any further questions about how, or what, I'm testing,
>>>>>> just ask.
>>>>>
>>>>> Paul, Is your host 32 or 64-bit?
>>>>
>>>> 64-bit
>>>
>>> I'm having trouble recreating this. I'm running a Fedora 17 64-bit host
>>> and a Fedora 17 64-bit guest with domain XML that mirrors yours.
>>>
>>> Here's the domain XML I'm using and the resulting QEMU command line:
>>>
>>> Domain XML: http://pastebin.com/DWa4RQ1Y
>>> Command line: http://pastebin.com/2QTWsUhP
>>>
>>> I'm running with QEMU commit 8db972cfa469b4e4afd9c65e54e796b83b5ce3a2
>>> which is 1.2.0 with: (a) just the first patch applied, as well as with
>>> (b) all of this patch series applied.
>>>
>>> Any thoughts on what could be different?
>>
>> Like I said earlier, I'm running with the F17 QEMU 1.2 package,
>> qemu-1.2.0-16.fc18 to be exact, with Eduardo's patches applied on top.
>>
>> I'm currently testing another set of interim patches from Eduardo that was
>> sent off-list for testing (you were CC'd); hopefully that will resolve the
>> problem.
>
> Unfortunately, the latest patches from Eduardo met with the same fate. Here
> is more detailed information on my system (HP DL160 G5, F17, 64-bit):
>
> # uname -r
> 3.6.7-4.fc17.x86_64
>
> [NOTE: standard F17 kernel]
>
> # rpm -qa | grep qemu
> qemu-kvm-tools-1.2.0-16.pm5.fc17.x86_64
> qemu-common-1.2.0-16.pm5.fc17.x86_64
> qemu-kvm-1.2.0-16.pm5.fc17.x86_64
> ipxe-roms-qemu-20120328-1.gitaac9718.fc17.noarch
> qemu-img-1.2.0-16.pm5.fc17.x86_64
> qemu-system-x86-1.2.0-16.pm5.fc17.x86_64
>
> [NOTE: the 'pm5' is my designation indicating the patched version]
>
> # ./qemu_seccomp.sh -sandbox off
> char device redirected to /dev/pts/0
> do_spice_init: starting 0.10.1
> spice_server_add_interface: SPICE_INTERFACE_MIGRATION
> spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
> spice_server_add_interface: SPICE_INTERFACE_MOUSE
> spice_server_add_interface: SPICE_INTERFACE_QXL
> red_worker_main: begin
> display_channel_create: create display channel
> cursor_channel_create: create cursor channel
> spice_server_add_interface: SPICE_INTERFACE_PLAYBACK
> spice_server_add_interface: SPICE_INTERFACE_RECORD
> [NOTE: I hit Ctrl-C at this point]
> qemu: terminating on signal 2
> spice_server_remove_interface: remove SPICE_INTERFACE_PLAYBACK
> spice_server_remove_interface: remove SPICE_INTERFACE_RECORD
>
> # ./qemu_seccomp.sh -sandbox on
> char device redirected to /dev/pts/0
> do_spice_init: starting 0.10.1
> spice_server_add_interface: SPICE_INTERFACE_MIGRATION
> spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
> spice_server_add_interface: SPICE_INTERFACE_MOUSE
> spice_server_add_interface: SPICE_INTERFACE_QXL
> red_worker_main: begin
> ./qemu_seccomp.sh: line 28: 21085 Bad system call /usr/bin/qemu-kvm -S
> -M pc-0.14 -enable-kvm -m 2048 -smp 2,sockets=2,cores=1,threads=1 -name f16-
> test-1 -uuid 13c7da9b-a79a-0688-267a-8206136bc8d6 -nodefconfig -nodefaults -
> chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/f16-
> test-1.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control
> -rtc base=utc -no-shutdown -device virtio-serial-pci,id=virtio-
> serial0,bus=pci.0,addr=0x5 -device piix3-usb-
> uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/images/f16-
> test-1.img,if=none,id=drive-virtio-disk0,format=raw -device virtio-blk-
> pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-
> disk0,bootindex=1 -netdev user,id=hostnet0 -device virtio-net-
> pci,netdev=hostnet0,id=net0,mac=52:54:00:9a:9d:63,bus=pci.0,addr=0x3 -chardev
> pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev
> spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-
> serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -
> device usb-tablet,id=input0 -spice port=5900,addr=127.0.0.1,disable-ticketing
> -vga qxl -global qxl-vga.vram_size=67108864 -device intel-
> hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-
> codec0,bus=sound0.0,cad=0 -device virtio-balloon-
> pci,id=balloon0,bus=pci.0,addr=0x7 $*
>
> [NOTE: my test script, qemu_seccomp.sh, is attached]
>
Thanks for the additional details. They were very useful. I was able
to reproduce this when I manually built spice release 0.10.1, but not
with the Fedora 0.10.1 package. One difference I noticed is that the
Fedora version wasn't logging info messages.
Nonetheless, we'll send new patches soon. It looks like the following
were missing: epoll_create, epoll_wait, and epoll_ctl
--
Regards,
Corey Bryant
* Re: [Qemu-devel] [PATCHv3 1/5] seccomp: adding new syscalls (bugzilla 855162)
2012-11-27 16:11 ` Corey Bryant
@ 2012-11-27 16:15 ` Paul Moore
0 siblings, 0 replies; 18+ messages in thread
From: Paul Moore @ 2012-11-27 16:15 UTC (permalink / raw)
To: Corey Bryant, Eduardo Otubo; +Cc: qemu-devel
On Tuesday, November 27, 2012 11:11:32 AM Corey Bryant wrote:
> Thanks for the additional details. They were very useful. I was able
> to reproduce this when I manually built spice release 0.10.1, but not
> with the Fedora 0.10.1 package. One difference I noticed is that the
> Fedora version wasn't logging info messages.
>
> Nonetheless, we'll send new patches soon. It looks like the following
> were missing: epoll_create, epoll_wait, and epoll_ctl
Great, glad to hear my test system wasn't just being stubborn :)
I'll re-test as soon as I see the patches.
--
paul moore
security and virtualization @ redhat
* Re: [Qemu-devel] [PATCHv3 2/5] seccomp: setting "-sandbox on" as deafult
2012-11-12 19:48 ` [Qemu-devel] [PATCHv3 2/5] seccomp: setting "-sandbox on" as deafult Eduardo Otubo
2012-11-21 15:20 ` Andreas Färber
@ 2012-11-27 19:01 ` Anthony Liguori
2012-11-27 19:07 ` Corey Bryant
1 sibling, 1 reply; 18+ messages in thread
From: Anthony Liguori @ 2012-11-27 19:01 UTC (permalink / raw)
To: Eduardo Otubo, qemu-devel; +Cc: pmoore, coreyb
Eduardo Otubo <otubo@linux.vnet.ibm.com> writes:
> Now the seccomp filter will be set to "on" even if no argument
> "-sandbox" is given.
>
> v3: * Introduced seccomp_states enum and new functions named
> seccomp_set_state() and seccomp_get_state()
> (pbonzini@redhat.com).
> * Merged seccomp_start() and install_seccomp_filter(),
> moved install_seccomp_filter() to qemu-seccomp.c,
> and renamed it.
> * Moved CONFIG_SECCOMP pre-processor checks from Makefile.objs
> to qemu-seccomp.c.
> * Replace qerror_report with fprintf(stderr, "..") in main()
> (lcapitulino@redhat.com).
There's no way this can go for 1.3. Can we just do 1/5 to fix the
libvirt problem for 1.3, and leave the rest for 1.4?
Regards,
Anthony Liguori
>
> Note: This support requires libseccomp. If you don't have access
> to libseccomp packages, you can manually build with the following
> steps:
>
> 1) git clone git://git.code.sf.net/p/libseccomp/libseccomp
> 2) cd libseccomp
> 3) ./configure
> 4) make
> 5) make install
> 6) export PKG_CONFIG_PATH="/usr/local/lib/pkgconfig/"
>
> Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
> Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
> ---
> Makefile.objs | 2 --
> configure | 2 +-
> qemu-seccomp.c | 26 ++++++++++++++++++++++++--
> qemu-seccomp.h | 13 +++++++++++--
> vl.c | 31 ++++++++++++++++---------------
> 5 files changed, 52 insertions(+), 22 deletions(-)
>
> diff --git a/Makefile.objs b/Makefile.objs
> index 593a592..682b1e6 100644
> --- a/Makefile.objs
> +++ b/Makefile.objs
> @@ -103,9 +103,7 @@ common-obj-$(CONFIG_SLIRP) += slirp/
>
> ######################################################################
> # libseccomp
> -ifeq ($(CONFIG_SECCOMP),y)
> common-obj-y += qemu-seccomp.o
> -endif
>
> ######################################################################
> # libuser
> diff --git a/configure b/configure
> index 7290f50..d28f8d5 100755
> --- a/configure
> +++ b/configure
> @@ -221,7 +221,7 @@ guest_agent="yes"
> want_tools="yes"
> libiscsi=""
> coroutine=""
> -seccomp=""
> +seccomp="yes"
> glusterfs=""
>
> # parse CC options first
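Review bot: Changing the default from `seccomp=""` to `seccomp="yes"` alters what happens on a host without libseccomp, and the hunk does not show which way: the empty value previously meant auto-detect, while an explicit "yes" is usually treated by this script as a hard requirement, but the check that decides that lies outside the hunk. If a hard failure is intended, the commit message should say so (the description's note on building libseccomp by hand suggests it is), and the configure error should name the missing dependency; if silent fallback to a non-seccomp build is intended, the state default in qemu-seccomp.c already covers it and only the description needs updating.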
> diff --git a/qemu-seccomp.c b/qemu-seccomp.c
> index b06a2c6..2386996 100644
> --- a/qemu-seccomp.c
> +++ b/qemu-seccomp.c
> @@ -12,10 +12,28 @@
> * Contributions after 2012-01-13 are licensed under the terms of the
> * GNU GPL, version 2 or (at your option) any later version.
> */
> +#include "config-host.h"
> #include <stdio.h>
> -#include <seccomp.h>
> +#include "osdep.h"
> #include "qemu-seccomp.h"
>
> +#ifdef CONFIG_SECCOMP
> +int seccomp_state = SECCOMP_ON;
> +#else
> +int seccomp_state = SECCOMP_OFF;
> +#endif
> +
> +void seccomp_set_state(int state)
> +{
> + seccomp_state = state;
> +}
> +
> +int seccomp_get_state(void)
> +{
> + return seccomp_state;
> +}
> +
> +#ifdef CONFIG_SECCOMP
> struct QemuSeccompSyscall {
> int32_t num;
> uint8_t priority;
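Review bot: `seccomp_state` is defined with external linkage although qemu-seccomp.h exposes only the accessor functions, so any translation unit can bypass seccomp_set_state() and write the flag directly; declare it `static int seccomp_state = SECCOMP_ON;` (and the `SECCOMP_OFF` twin) so the accessors are the only entry point. The setter accepts any int, so `void seccomp_set_state(int state)` could take `enum seccomp_states state` to keep out-of-range values away from the `== SECCOMP_ON` comparison in main(). A one-line comment above the definition would also help, e.g. `/* Sandboxing is on by default only when libseccomp support is compiled in. */`.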
> @@ -223,15 +241,18 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
> { SCMP_SYS(prlimit64), 241 },
> { SCMP_SYS(waitid), 241 }
> };
> +#endif
>
> -int seccomp_start(void)
> +int seccomp_install_filter(void)
> {
> int rc = 0;
> +#ifdef CONFIG_SECCOMP
> unsigned int i = 0;
> scmp_filter_ctx ctx;
>
> ctx = seccomp_init(SCMP_ACT_KILL);
> if (ctx == NULL) {
> + rc = -1;
> goto seccomp_return;
> }
>
> @@ -251,5 +272,6 @@ int seccomp_start(void)
>
> seccomp_return:
> seccomp_release(ctx);
> +#endif
> return rc;
> }
> diff --git a/qemu-seccomp.h b/qemu-seccomp.h
> index b2fc3f8..fa26d70 100644
> --- a/qemu-seccomp.h
> +++ b/qemu-seccomp.h
> @@ -15,8 +15,17 @@
> #ifndef QEMU_SECCOMP_H
> #define QEMU_SECCOMP_H
>
> +#ifdef CONFIG_SECCOMP
> #include <seccomp.h>
> -#include "osdep.h"
> +#endif
> +
> +enum seccomp_states {
> + SECCOMP_OFF,
> + SECCOMP_ON
> +};
> +
> +void seccomp_set_state(int);
> +int seccomp_get_state(void);
> +int seccomp_install_filter(void);
>
> -int seccomp_start(void);
> #endif
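Review bot: The new prototypes at the end of the hunk drop the parameter name and the enum type: `void seccomp_set_state(int);` should read `void seccomp_set_state(enum seccomp_states state);` so the header documents what the argument is and the compiler can warn on mismatches. None of the three declarations says what seccomp_install_filter() returns; a doc comment such as `/* Returns 0 on success, -1 if the kernel filter could not be installed. */` would pin the contract that vl.c relies on. Whether a build without CONFIG_SECCOMP also returns 0 is decided in qemu-seccomp.c, so the comment should state that case explicitly as well.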
> diff --git a/vl.c b/vl.c
> index 4f03a72..cb3d85e 100644
> --- a/vl.c
> +++ b/vl.c
> @@ -64,9 +64,7 @@
> #include <linux/parport.h>
> #endif
>
> -#ifdef CONFIG_SECCOMP
> #include "qemu-seccomp.h"
> -#endif
>
> #ifdef __sun__
> #include <sys/stat.h>
> @@ -772,22 +770,17 @@ static int bt_parse(const char *opt)
>
> static int parse_sandbox(QemuOpts *opts, void *opaque)
> {
> - /* FIXME: change this to true for 1.3 */
> - if (qemu_opt_get_bool(opts, "enable", false)) {
> #ifdef CONFIG_SECCOMP
> - if (seccomp_start() < 0) {
> - qerror_report(ERROR_CLASS_GENERIC_ERROR,
> - "failed to install seccomp syscall filter in the kernel");
> - return -1;
> - }
> -#else
> - qerror_report(ERROR_CLASS_GENERIC_ERROR,
> - "sandboxing request but seccomp is not compiled into this build");
> - return -1;
> -#endif
> + /* seccomp sandboxing is on by default */
> + if (!qemu_opt_get_bool(opts, "enable", true)) {
> + seccomp_set_state(SECCOMP_OFF);
> }
> -
> return 0;
> +#else
> + fprintf(stderr, "sandbox option specified but seccomp is not compiled "
> + "into this build\n");
> + return -1;
> +#endif
> }
>
> /*********QEMU USB setting******/
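Review bot: In the `#else` branch at the bottom of the hunk, `-sandbox off` is rejected with the same "not compiled into this build" error as `-sandbox on`, although "off" is exactly the state such a build is already in; a management tool that passes an explicit `-sandbox off` for portability would now fail to start QEMU on a non-seccomp build. Consider reading the option before the fprintf: `if (!qemu_opt_get_bool(opts, "enable", true)) { return 0; }`. In the `#ifdef CONFIG_SECCOMP` branch, the comment `/* seccomp sandboxing is on by default */` could add that the filter itself is installed later in main(), since this function now only records the requested state.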
> @@ -3489,6 +3482,14 @@ int main(int argc, char **argv, char **envp)
> exit(1);
> }
>
> + if (seccomp_get_state() == SECCOMP_ON) {
> + if (seccomp_install_filter() < 0) {
> + fprintf(stderr, "failed to install seccomp syscall "
> + "initialization filter\n");
> + exit(1);
> + }
> + }
> +
> #ifndef _WIN32
> if (qemu_opts_foreach(qemu_find_opts("add-fd"), parse_add_fd, NULL, 1)) {
> exit(1);
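Review bot: The failure message "failed to install seccomp syscall initialization filter" is less precise than the one this series removes from parse_sandbox(); "initialization" suggests a separate stage that does not exist, so `"failed to install seccomp syscall filter in the kernel\n"` would be clearer. Because the filter is created with SCMP_ACT_KILL (visible in the qemu-seccomp.c hunk above), turning it on by default means that any syscall absent from the whitelist terminates QEMU at runtime rather than at this check, so a comment here noting that a successful install does not imply whitelist completeness would help future readers. The surrounding main() body continues outside the hunk.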
> --
> 1.7.10.4
* Re: [Qemu-devel] [PATCHv3 2/5] seccomp: setting "-sandbox on" as deafult
2012-11-27 19:01 ` Anthony Liguori
@ 2012-11-27 19:07 ` Corey Bryant
0 siblings, 0 replies; 18+ messages in thread
From: Corey Bryant @ 2012-11-27 19:07 UTC (permalink / raw)
To: Anthony Liguori; +Cc: pmoore, qemu-devel, Eduardo Otubo
On 11/27/2012 02:01 PM, Anthony Liguori wrote:
> Eduardo Otubo <otubo@linux.vnet.ibm.com> writes:
>
>> Now the seccomp filter will be set to "on" even if no argument
>> "-sandbox" is given.
>>
>> v3: * Introduced seccomp_states enum and new functions named
>> seccomp_set_state() and seccomp_get_state()
>> (pbonzini@redhat.com).
>> * Merged seccomp_start() and install_seccomp_filter(),
>> moved install_seccomp_filter() to qemu-seccomp.c,
>> and renamed it.
>> * Moved CONFIG_SECCOMP pre-processor checks from Makefile.objs
>> to qemu-seccomp.c.
>> * Replace qerror_report with fprintf(stderr, "..") in main()
>> (lcapitulino@redhat.com).
>
> There's no way this can go for 1.3. Can we just do 1/5 to fix the
> libvirt problem for 1.3, and leave the rest for 1.4?
>
> Regards,
>
> Anthony Liguori
>
Unfortunately I think that's our only option at this point. I believe
we've determined the syscalls to add to patch 1/5 to fix the issue Paul
was hitting. (They are syscalls that are being called in spice server
code.) Eduardo will be submitting a new patch soon.
--
Regards,
Corey Bryant
>>
>> Note: This support requires libseccomp. If you don't have access
>> to libseccomp packages, you can manually build with the following
>> steps:
>>
>> 1) git clone git://git.code.sf.net/p/libseccomp/libseccomp
>> 2) cd libseccomp
>> 3) ./configure
>> 4) make
>> 5) make install
>> 6) export PKG_CONFIG_PATH="/usr/local/lib/pkgconfig/"
>>
>> Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
>> Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
>> ---
>> Makefile.objs | 2 --
>> configure | 2 +-
>> qemu-seccomp.c | 26 ++++++++++++++++++++++++--
>> qemu-seccomp.h | 13 +++++++++++--
>> vl.c | 31 ++++++++++++++++---------------
>> 5 files changed, 52 insertions(+), 22 deletions(-)
>>
>> diff --git a/Makefile.objs b/Makefile.objs
>> index 593a592..682b1e6 100644
>> --- a/Makefile.objs
>> +++ b/Makefile.objs
>> @@ -103,9 +103,7 @@ common-obj-$(CONFIG_SLIRP) += slirp/
>>
>> ######################################################################
>> # libseccomp
>> -ifeq ($(CONFIG_SECCOMP),y)
>> common-obj-y += qemu-seccomp.o
>> -endif
>>
>> ######################################################################
>> # libuser
>> diff --git a/configure b/configure
>> index 7290f50..d28f8d5 100755
>> --- a/configure
>> +++ b/configure
>> @@ -221,7 +221,7 @@ guest_agent="yes"
>> want_tools="yes"
>> libiscsi=""
>> coroutine=""
>> -seccomp=""
>> +seccomp="yes"
>> glusterfs=""
>>
>> # parse CC options first
>> diff --git a/qemu-seccomp.c b/qemu-seccomp.c
>> index b06a2c6..2386996 100644
>> --- a/qemu-seccomp.c
>> +++ b/qemu-seccomp.c
>> @@ -12,10 +12,28 @@
>> * Contributions after 2012-01-13 are licensed under the terms of the
>> * GNU GPL, version 2 or (at your option) any later version.
>> */
>> +#include "config-host.h"
>> #include <stdio.h>
>> -#include <seccomp.h>
>> +#include "osdep.h"
>> #include "qemu-seccomp.h"
>>
>> +#ifdef CONFIG_SECCOMP
>> +int seccomp_state = SECCOMP_ON;
>> +#else
>> +int seccomp_state = SECCOMP_OFF;
>> +#endif
>> +
>> +void seccomp_set_state(int state)
>> +{
>> + seccomp_state = state;
>> +}
>> +
>> +int seccomp_get_state(void)
>> +{
>> + return seccomp_state;
>> +}
>> +
>> +#ifdef CONFIG_SECCOMP
>> struct QemuSeccompSyscall {
>> int32_t num;
>> uint8_t priority;
>> @@ -223,15 +241,18 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
>> { SCMP_SYS(prlimit64), 241 },
>> { SCMP_SYS(waitid), 241 }
>> };
>> +#endif
>>
>> -int seccomp_start(void)
>> +int seccomp_install_filter(void)
>> {
>> int rc = 0;
>> +#ifdef CONFIG_SECCOMP
>> unsigned int i = 0;
>> scmp_filter_ctx ctx;
>>
>> ctx = seccomp_init(SCMP_ACT_KILL);
>> if (ctx == NULL) {
>> + rc = -1;
>> goto seccomp_return;
>> }
>>
>> @@ -251,5 +272,6 @@ int seccomp_start(void)
>>
>> seccomp_return:
>> seccomp_release(ctx);
>> +#endif
>> return rc;
>> }
>> diff --git a/qemu-seccomp.h b/qemu-seccomp.h
>> index b2fc3f8..fa26d70 100644
>> --- a/qemu-seccomp.h
>> +++ b/qemu-seccomp.h
>> @@ -15,8 +15,17 @@
>> #ifndef QEMU_SECCOMP_H
>> #define QEMU_SECCOMP_H
>>
>> +#ifdef CONFIG_SECCOMP
>> #include <seccomp.h>
>> -#include "osdep.h"
>> +#endif
>> +
>> +enum seccomp_states {
>> + SECCOMP_OFF,
>> + SECCOMP_ON
>> +};
>> +
>> +void seccomp_set_state(int);
>> +int seccomp_get_state(void);
>> +int seccomp_install_filter(void);
>>
>> -int seccomp_start(void);
>> #endif
>> diff --git a/vl.c b/vl.c
>> index 4f03a72..cb3d85e 100644
>> --- a/vl.c
>> +++ b/vl.c
>> @@ -64,9 +64,7 @@
>> #include <linux/parport.h>
>> #endif
>>
>> -#ifdef CONFIG_SECCOMP
>> #include "qemu-seccomp.h"
>> -#endif
>>
>> #ifdef __sun__
>> #include <sys/stat.h>
>> @@ -772,22 +770,17 @@ static int bt_parse(const char *opt)
>>
>> static int parse_sandbox(QemuOpts *opts, void *opaque)
>> {
>> - /* FIXME: change this to true for 1.3 */
>> - if (qemu_opt_get_bool(opts, "enable", false)) {
>> #ifdef CONFIG_SECCOMP
>> - if (seccomp_start() < 0) {
>> - qerror_report(ERROR_CLASS_GENERIC_ERROR,
>> - "failed to install seccomp syscall filter in the kernel");
>> - return -1;
>> - }
>> -#else
>> - qerror_report(ERROR_CLASS_GENERIC_ERROR,
>> - "sandboxing request but seccomp is not compiled into this build");
>> - return -1;
>> -#endif
>> + /* seccomp sandboxing is on by default */
>> + if (!qemu_opt_get_bool(opts, "enable", true)) {
>> + seccomp_set_state(SECCOMP_OFF);
>> }
>> -
>> return 0;
>> +#else
>> + fprintf(stderr, "sandbox option specified but seccomp is not compiled "
>> + "into this build\n");
>> + return -1;
>> +#endif
>> }
>>
>> /*********QEMU USB setting******/
>> @@ -3489,6 +3482,14 @@ int main(int argc, char **argv, char **envp)
>> exit(1);
>> }
>>
>> + if (seccomp_get_state() == SECCOMP_ON) {
>> + if (seccomp_install_filter() < 0) {
>> + fprintf(stderr, "failed to install seccomp syscall "
>> + "initialization filter\n");
>> + exit(1);
>> + }
>> + }
>> +
>> #ifndef _WIN32
>> if (qemu_opts_foreach(qemu_find_opts("add-fd"), parse_add_fd, NULL, 1)) {
>> exit(1);
>> --
>> 1.7.10.4
>