[Qemu-devel] [PATCHv3 0/2] seccomp: remove unused syscalls

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* [Qemu-devel] [PATCHv3 0/2] seccomp: remove unused syscalls - for 1.6
@ 2013-07-22 18:33 Eduardo Otubo
  2013-07-22 18:33 ` [Qemu-devel] [PATCHv3 1/2] seccomp: no need to check arch in syscall whitelist Eduardo Otubo
                   ` (3 more replies)
  0 siblings, 4 replies; 6+ messages in thread
From: Eduardo Otubo @ 2013-07-22 18:33 UTC (permalink / raw)
  To: qemu-devel; +Cc: pmoore, pbonzini, coreyb, Eduardo Otubo

In this small patch series I basically:

  v3 update:
  - reincluded getrlimit(), it's used by Xen.

  v2 update:
  - set libseccomp 2.1.0 as requirement on configure script.
  - reincluded setrlimit() (used by Xen) and removed sendfile64() from
    the whitelist.

  1) Remove the ifdef's for the (not so) new libseccomp version that does a
  best effort and translates x86_32 syscalls into x86_64 when possible.

  2) Remove unused syscalls on the seccomp whitelist. For that removal, I've been
  running several instances of Qemu using a script written on top of
  virt-test[0]. After some weeks testing I could come up with this small list,
  and safely remove them without breaking anything.

[0] - https://github.com/autotest/virt-test/wiki

Eduardo Otubo (2):
  seccomp: no need to check arch in syscall whitelist
  seccomp: removing unused syscalls gtom whitelist

 configure      |  2 +-
 qemu-seccomp.c | 17 -----------------
 2 files changed, 1 insertion(+), 18 deletions(-)

-- 
1.8.3.1

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [Qemu-devel] [PATCHv3 1/2] seccomp: no need to check arch in syscall whitelist
  2013-07-22 18:33 [Qemu-devel] [PATCHv3 0/2] seccomp: remove unused syscalls - for 1.6 Eduardo Otubo
@ 2013-07-22 18:33 ` Eduardo Otubo
  2013-07-22 18:33 ` [Qemu-devel] [PATCH 2/2] seccomp: removing unused syscalls gtom whitelist Eduardo Otubo
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 6+ messages in thread
From: Eduardo Otubo @ 2013-07-22 18:33 UTC (permalink / raw)
  To: qemu-devel; +Cc: pmoore, pbonzini, coreyb, Eduardo Otubo

v2 update:
- set libseccomp 2.1.0 as requirement on configure script.

Since libseccomp 2.0 there's no need to check the architecture type
anymore.

Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
---
 configure      |  2 +-
 qemu-seccomp.c | 13 -------------
 2 files changed, 1 insertion(+), 14 deletions(-)

diff --git a/configure b/configure
index 7c45db2..ed595e4 100755
--- a/configure
+++ b/configure
@@ -1475,7 +1475,7 @@ libs_softmmu="$libs_softmmu -lz"
 # libseccomp check
 
 if test "$seccomp" != "no" ; then
-    if $pkg_config --atleast-version=1.0.0 libseccomp --modversion >/dev/null 2>&1; then
+    if $pkg_config --atleast-version=2.1.0 libseccomp --modversion >/dev/null 2>&1; then
         libs_softmmu="$libs_softmmu `$pkg_config --libs libseccomp`"
         QEMU_CFLAGS="$QEMU_CFLAGS `$pkg_config --cflags libseccomp`"
 	seccomp="yes"
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index ca123bf..1d5fd71 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -26,12 +26,9 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(timer_gettime), 254 },
     { SCMP_SYS(futex), 253 },
     { SCMP_SYS(select), 252 },
-#if defined(__x86_64__)
     { SCMP_SYS(recvfrom), 251 },
     { SCMP_SYS(sendto), 250 },
-#elif defined(__i386__)
     { SCMP_SYS(socketcall), 250 },
-#endif
     { SCMP_SYS(read), 249 },
     { SCMP_SYS(brk), 248 },
     { SCMP_SYS(clone), 247 },
@@ -40,7 +37,6 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(execve), 245 },
     { SCMP_SYS(open), 245 },
     { SCMP_SYS(ioctl), 245 },
-#if defined(__x86_64__)
     { SCMP_SYS(socket), 245 },
     { SCMP_SYS(setsockopt), 245 },
     { SCMP_SYS(recvmsg), 245 },
@@ -51,9 +47,7 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(bind), 245 },
     { SCMP_SYS(listen), 245 },
     { SCMP_SYS(semget), 245 },
-#elif defined(__i386__)
     { SCMP_SYS(ipc), 245 },
-#endif
     { SCMP_SYS(gettimeofday), 245 },
     { SCMP_SYS(readlink), 245 },
     { SCMP_SYS(access), 245 },
@@ -64,7 +58,6 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(statfs), 245 },
     { SCMP_SYS(unlink), 245 },
     { SCMP_SYS(wait4), 245 },
-#if defined(__i386__)
     { SCMP_SYS(fcntl64), 245 },
     { SCMP_SYS(fstat64), 245 },
     { SCMP_SYS(stat64), 245 },
@@ -77,7 +70,6 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(_llseek), 245 },
     { SCMP_SYS(mmap2), 245 },
     { SCMP_SYS(sigprocmask), 245 },
-#endif
     { SCMP_SYS(sched_getparam), 245 },
     { SCMP_SYS(sched_getscheduler), 245 },
     { SCMP_SYS(fstat), 245 },
@@ -145,9 +137,7 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(epoll_create), 242 },
     { SCMP_SYS(epoll_ctl), 242 },
     { SCMP_SYS(epoll_wait), 242 },
-#if defined(__i386__)
     { SCMP_SYS(waitpid), 242 },
-#elif defined(__x86_64__)
     { SCMP_SYS(getsockname), 242 },
     { SCMP_SYS(getpeername), 242 },
     { SCMP_SYS(accept4), 242 },
@@ -159,7 +149,6 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(semtimedop), 241 },
     { SCMP_SYS(epoll_ctl_old), 241 },
     { SCMP_SYS(epoll_wait_old), 241 },
-#endif
     { SCMP_SYS(epoll_pwait), 241 },
     { SCMP_SYS(epoll_create1), 241 },
     { SCMP_SYS(ppoll), 241 },
@@ -174,7 +163,6 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(getresuid), 241 },
     { SCMP_SYS(getresgid), 241 },
     { SCMP_SYS(getgroups), 241 },
-#if defined(__i386__)
     { SCMP_SYS(getresuid32), 241 },
     { SCMP_SYS(getresgid32), 241 },
     { SCMP_SYS(getgroups32), 241 },
@@ -193,7 +181,6 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(lstat64), 241 },
     { SCMP_SYS(sendfile64), 241 },
     { SCMP_SYS(ugetrlimit), 241 },
-#endif
     { SCMP_SYS(alarm), 241 },
     { SCMP_SYS(rt_sigsuspend), 241 },
     { SCMP_SYS(rt_sigqueueinfo), 241 },
-- 
1.8.3.1

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* [Qemu-devel] [PATCH 2/2] seccomp: removing unused syscalls gtom whitelist
  2013-07-22 18:33 [Qemu-devel] [PATCHv3 0/2] seccomp: remove unused syscalls - for 1.6 Eduardo Otubo
  2013-07-22 18:33 ` [Qemu-devel] [PATCHv3 1/2] seccomp: no need to check arch in syscall whitelist Eduardo Otubo
@ 2013-07-22 18:33 ` Eduardo Otubo
  2013-07-23  7:43 ` [Qemu-devel] [PATCHv3 0/2] seccomp: remove unused syscalls - for 1.6 Paolo Bonzini
  2013-07-29 20:24 ` Anthony Liguori
  3 siblings, 0 replies; 6+ messages in thread
From: Eduardo Otubo @ 2013-07-22 18:33 UTC (permalink / raw)
  To: qemu-devel; +Cc: pmoore, pbonzini, coreyb, Eduardo Otubo

v3 update:
 - reincluding getrlimit(), it is used by Xen.

v2 update:
 - reincluding setrlimit(), it is used by Xen.

Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
---
 qemu-seccomp.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 1d5fd71..3298de8 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -108,7 +108,6 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(lseek), 245 },
     { SCMP_SYS(pselect6), 245 },
     { SCMP_SYS(fork), 245 },
-    { SCMP_SYS(eventfd), 245 },
     { SCMP_SYS(rt_sigprocmask), 245 },
     { SCMP_SYS(write), 244 },
     { SCMP_SYS(fcntl), 243 },
@@ -144,7 +143,6 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(newfstatat), 241 },
     { SCMP_SYS(shutdown), 241 },
     { SCMP_SYS(getsockopt), 241 },
-    { SCMP_SYS(semctl), 241 },
     { SCMP_SYS(semop), 241 },
     { SCMP_SYS(semtimedop), 241 },
     { SCMP_SYS(epoll_ctl_old), 241 },
@@ -192,12 +190,10 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(lchown), 241 },
     { SCMP_SYS(fchownat), 241 },
     { SCMP_SYS(fstatfs), 241 },
-    { SCMP_SYS(sendfile), 241 },
     { SCMP_SYS(getitimer), 241 },
     { SCMP_SYS(syncfs), 241 },
     { SCMP_SYS(fsync), 241 },
     { SCMP_SYS(fchdir), 241 },
-    { SCMP_SYS(flock), 241 },
     { SCMP_SYS(msync), 241 },
     { SCMP_SYS(sched_setparam), 241 },
     { SCMP_SYS(sched_setscheduler), 241 },
-- 
1.8.3.1

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [Qemu-devel] [PATCHv3 0/2] seccomp: remove unused syscalls - for 1.6
  2013-07-22 18:33 [Qemu-devel] [PATCHv3 0/2] seccomp: remove unused syscalls - for 1.6 Eduardo Otubo
  2013-07-22 18:33 ` [Qemu-devel] [PATCHv3 1/2] seccomp: no need to check arch in syscall whitelist Eduardo Otubo
  2013-07-22 18:33 ` [Qemu-devel] [PATCH 2/2] seccomp: removing unused syscalls gtom whitelist Eduardo Otubo
@ 2013-07-23  7:43 ` Paolo Bonzini
  2013-07-26 20:44   ` Eduardo Otubo
  2013-07-29 20:24 ` Anthony Liguori
  3 siblings, 1 reply; 6+ messages in thread
From: Paolo Bonzini @ 2013-07-23  7:43 UTC (permalink / raw)
  To: Eduardo Otubo; +Cc: pmoore, coreyb, qemu-devel

Il 22/07/2013 20:33, Eduardo Otubo ha scritto:
> In this small patch series I basically:
> 
>   v3 update:
>   - reincluded getrlimit(), it's used by Xen.
> 
>   v2 update:
>   - set libseccomp 2.1.0 as requirement on configure script.
>   - reincluded setrlimit() (used by Xen) and removed sendfile64() from
>     the whitelist.
> 
>   1) Remove the ifdef's for the (not so) new libseccomp version that does a
>   best effort and translates x86_32 syscalls into x86_64 when possible.
> 
>   2) Remove unused syscalls on the seccomp whitelist. For that removal, I've been
>   running several instances of Qemu using a script written on top of
>   virt-test[0]. After some weeks testing I could come up with this small list,
>   and safely remove them without breaking anything.
> 
> [0] - https://github.com/autotest/virt-test/wiki
> 
> Eduardo Otubo (2):
>   seccomp: no need to check arch in syscall whitelist
>   seccomp: removing unused syscalls gtom whitelist
> 
>  configure      |  2 +-
>  qemu-seccomp.c | 17 -----------------
>  2 files changed, 1 insertion(+), 18 deletions(-)
> 

Looks good.

Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>

Paolo

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [Qemu-devel] [PATCHv3 0/2] seccomp: remove unused syscalls - for 1.6
  2013-07-23  7:43 ` [Qemu-devel] [PATCHv3 0/2] seccomp: remove unused syscalls - for 1.6 Paolo Bonzini
@ 2013-07-26 20:44   ` Eduardo Otubo
  0 siblings, 0 replies; 6+ messages in thread
From: Eduardo Otubo @ 2013-07-26 20:44 UTC (permalink / raw)
  To: Paolo Bonzini; +Cc: pmoore, coreyb, qemu-devel, Anthony Liguori

Any chance to get it pushed for 1.6? Thanks.

On 07/23/2013 04:43 AM, Paolo Bonzini wrote:
> Il 22/07/2013 20:33, Eduardo Otubo ha scritto:
>> In this small patch series I basically:
>>
>>    v3 update:
>>    - reincluded getrlimit(), it's used by Xen.
>>
>>    v2 update:
>>    - set libseccomp 2.1.0 as requirement on configure script.
>>    - reincluded setrlimit() (used by Xen) and removed sendfile64() from
>>      the whitelist.
>>
>>    1) Remove the ifdef's for the (not so) new libseccomp version that does a
>>    best effort and translates x86_32 syscalls into x86_64 when possible.
>>
>>    2) Remove unused syscalls on the seccomp whitelist. For that removal, I've been
>>    running several instances of Qemu using a script written on top of
>>    virt-test[0]. After some weeks testing I could come up with this small list,
>>    and safely remove them without breaking anything.
>>
>> [0] - https://github.com/autotest/virt-test/wiki
>>
>> Eduardo Otubo (2):
>>    seccomp: no need to check arch in syscall whitelist
>>    seccomp: removing unused syscalls gtom whitelist
>>
>>   configure      |  2 +-
>>   qemu-seccomp.c | 17 -----------------
>>   2 files changed, 1 insertion(+), 18 deletions(-)
>>
>
> Looks good.
>
> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
>
> Paolo
>

-- 
Eduardo Otubo
IBM Linux Technology Center

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [Qemu-devel] [PATCHv3 0/2] seccomp: remove unused syscalls - for 1.6
  2013-07-22 18:33 [Qemu-devel] [PATCHv3 0/2] seccomp: remove unused syscalls - for 1.6 Eduardo Otubo
                   ` (2 preceding siblings ...)
  2013-07-23  7:43 ` [Qemu-devel] [PATCHv3 0/2] seccomp: remove unused syscalls - for 1.6 Paolo Bonzini
@ 2013-07-29 20:24 ` Anthony Liguori
  3 siblings, 0 replies; 6+ messages in thread
From: Anthony Liguori @ 2013-07-29 20:24 UTC (permalink / raw)
  To: Eduardo Otubo, qemu-devel; +Cc: coreyb, pmoore, Anthony Liguori

Applied.  Thanks.

Regards,

Anthony Liguori

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2013-07-29 20:24 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-07-22 18:33 [Qemu-devel] [PATCHv3 0/2] seccomp: remove unused syscalls - for 1.6 Eduardo Otubo
2013-07-22 18:33 ` [Qemu-devel] [PATCHv3 1/2] seccomp: no need to check arch in syscall whitelist Eduardo Otubo
2013-07-22 18:33 ` [Qemu-devel] [PATCH 2/2] seccomp: removing unused syscalls gtom whitelist Eduardo Otubo
2013-07-23  7:43 ` [Qemu-devel] [PATCHv3 0/2] seccomp: remove unused syscalls - for 1.6 Paolo Bonzini
2013-07-26 20:44   ` Eduardo Otubo
2013-07-29 20:24 ` Anthony Liguori

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).