qemu-devel.nongnu.org archive mirror
* [Qemu-devel] [PULL 00/01] Adding new syscalls to seccomp whitelist
@ 2014-09-19 13:22 Eduardo Otubo
  2014-09-19 13:22 ` [Qemu-devel] [PULL 01/01] seccomp: whitelist syscalls fallocate(), fadvise64(), inotify_init1() and inotify_add_watch() Eduardo Otubo
  2014-09-19 14:15 ` [Qemu-devel] [PULL 00/01] Adding new syscalls to seccomp whitelist Peter Maydell
  0 siblings, 2 replies; 8+ messages in thread
From: Eduardo Otubo @ 2014-09-19 13:22 UTC (permalink / raw)
  To: qemu-devel; +Cc: peter.maydell, Eduardo Otubo

The following changes since commit 10e11f4d2bf171f99c6b13883a510acfbc5dd585:

  Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging (2014-09-18 20:02:01 +0100)

are available in the git repository at:


  git://github.com/otubo/qemu.git tags/goto-upstream

for you to fetch changes up to 021db05e6cb0683b12779ff519c7d857620c9e8f:

  seccomp: whitelist syscalls fallocate(), fadvise64(), inotify_init1() and inotify_add_watch() (2014-09-19 14:32:46 +0200)

----------------------------------------------------------------
Adding new syscalls to seccomp whitelist: fallocate(), fadvise64(), inotify_init1() and inotify_add_watch().

----------------------------------------------------------------
Philipp Gesang (1):
      seccomp: whitelist syscalls fallocate(), fadvise64(), inotify_init1() and inotify_add_watch()

 qemu-seccomp.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

-- 
1.9.1


* [Qemu-devel] [PULL 01/01] seccomp: whitelist syscalls fallocate(), fadvise64(), inotify_init1() and inotify_add_watch()
  2014-09-19 13:22 [Qemu-devel] [PULL 00/01] Adding new syscalls to seccomp whitelist Eduardo Otubo
@ 2014-09-19 13:22 ` Eduardo Otubo
  2014-09-19 14:15 ` [Qemu-devel] [PULL 00/01] Adding new syscalls to seccomp whitelist Peter Maydell
  1 sibling, 0 replies; 8+ messages in thread
From: Eduardo Otubo @ 2014-09-19 13:22 UTC (permalink / raw)
  To: qemu-devel; +Cc: peter.maydell, Philipp Gesang, Eduardo Otubo

From: Philipp Gesang <philipp.gesang@intra2net.com>

fallocate() is needed for snapshotting. If it isn’t whitelisted

    $ qemu-img create -f qcow2 x.qcow 1G
    Formatting 'x.qcow', fmt=qcow2 size=1073741824 encryption=off cluster_size=65536 lazy_refcounts=off
    $ qemu-kvm -display none -monitor stdio -sandbox on x.qcow
    QEMU 2.1.50 monitor - type 'help' for more information
    (qemu) savevm foo
    (qemu) loadvm foo

will fail, as will subsequent savevm commands on the same image.

fadvise64(), inotify_init1(), inotify_add_watch() are needed by
the SDL display. Without the whitelist entries,

    qemu-kvm -sandbox on

fails immediately.

In my tests fadvise64() is called 50--51 times per VM run. That
number seems independent of the duration of the run. fallocate(),
inotify_init1(), inotify_add_watch() are called once each.
Accordingly, they are added to the whitelist at a very low
priority.

Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com>
Signed-off-by: Eduardo Otubo <eduardo.otubo@profitbricks.com>
---
 qemu-seccomp.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 0503764..af6a375 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -231,7 +231,11 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(shmctl), 240 },
     { SCMP_SYS(mlock), 240 },
     { SCMP_SYS(munlock), 240 },
-    { SCMP_SYS(semctl), 240 }
+    { SCMP_SYS(semctl), 240 },
+    { SCMP_SYS(fallocate), 240 },
+    { SCMP_SYS(fadvise64), 240 },
+    { SCMP_SYS(inotify_init1), 240 },
+    { SCMP_SYS(inotify_add_watch), 240 }
 };
 
 int seccomp_start(void)
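Review bot: The four new entries, `{ SCMP_SYS(fallocate), 240 }` through `{ SCMP_SYS(inotify_add_watch), 240 }`, are added unconditionally, with no check that the host architecture actually defines each syscall; that is exactly the build breakage raised further down this thread for `select` (bug 1363641), so each entry should be guarded (for example on `__NR_fadvise64` being defined, or the equivalent libseccomp check) before this is merged. Two smaller points: the commit message says fadvise64() is called 50-51 times per run, far more than the three one-shot syscalls, yet all four get the same lowest priority 240, so the reasoning for treating them alike belongs in the commit message; and keeping a trailing comma after the last entry would avoid touching the `semctl` line every time the table grows.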
-- 
1.9.1
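Added example, not QEMU's code and not using libseccomp: a hand-built seccomp-bpf allow-list containing the four syscalls from this patch, with the fadvise64 entry guarded on the host defining it (the point Peter Maydell raises later in the thread), plus a small offline evaluator that reports what the filter would do to a given syscall number. The names `whitelist`, `build_filter` and `is_allowed` are mine, and it assumes a Linux host with the kernel's seccomp and BPF headers.

```c
#include <stddef.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Allow-list of syscall numbers. fadvise64 is the x86 name; 32-bit ARM exports
 * arm_fadvise64_64 instead, so that entry is guarded on the host defining it. */
static const int whitelist[] = {
    __NR_fallocate, __NR_inotify_init1, __NR_inotify_add_watch,
#ifdef __NR_fadvise64
    __NR_fadvise64,
#endif
};
#define NWL (sizeof whitelist / sizeof whitelist[0])

/* Emit a classic-BPF seccomp filter: load nr, jump to ALLOW on any whitelisted
 * number, otherwise fall through to KILL. Returns the instruction count. */
static size_t build_filter(struct sock_filter *f, size_t cap)
{
    size_t n = 0;
    if (cap < NWL + 3) return 0;
    f[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                          offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < NWL; i++)   /* jt skips the remaining checks and KILL */
        f[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                      (unsigned)whitelist[i], (unsigned char)(NWL - i), 0);
    f[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    f[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return n;
}

/* Tiny interpreter for the three instruction forms build_filter emits, so the
 * policy can be checked offline: 1 if nr would be allowed, 0 if the process
 * would be killed. */
int is_allowed(int nr)
{
    struct sock_filter f[16];
    unsigned acc = 0;
    for (size_t pc = 0, n = build_filter(f, 16); pc < n; pc++) {
        switch (BPF_CLASS(f[pc].code)) {
        case BPF_LD:  acc = (unsigned)nr; break;   /* only seccomp_data.nr is loaded */
        case BPF_JMP: pc += acc == f[pc].k ? f[pc].jt : f[pc].jf; break;
        case BPF_RET: return f[pc].k == SECCOMP_RET_ALLOW;
        }
    }
    return 0;
}
```

A real filter additionally compares seccomp_data.arch before trusting nr, and is installed with prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) followed by prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog); both are left out here for brevity.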


* Re: [Qemu-devel] [PULL 00/01] Adding new syscalls to seccomp whitelist
  2014-09-19 13:22 [Qemu-devel] [PULL 00/01] Adding new syscalls to seccomp whitelist Eduardo Otubo
  2014-09-19 13:22 ` [Qemu-devel] [PULL 01/01] seccomp: whitelist syscalls fallocate(), fadvise64(), inotify_init1() and inotify_add_watch() Eduardo Otubo
@ 2014-09-19 14:15 ` Peter Maydell
  2014-09-19 14:38   ` Eduardo Otubo
  1 sibling, 1 reply; 8+ messages in thread
From: Peter Maydell @ 2014-09-19 14:15 UTC (permalink / raw)
  To: Eduardo Otubo; +Cc: QEMU Developers

On 19 September 2014 06:22, Eduardo Otubo
<eduardo.otubo@profitbricks.com> wrote:
> The following changes since commit 10e11f4d2bf171f99c6b13883a510acfbc5dd585:
>
>   Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging (2014-09-18 20:02:01 +0100)
>
> are available in the git repository at:
>
>
>   git://github.com/otubo/qemu.git tags/goto-upstream
>
> for you to fetch changes up to 021db05e6cb0683b12779ff519c7d857620c9e8f:
>
>   seccomp: whitelist syscalls fallocate(), fadvise64(), inotify_init1() and inotify_add_watch() (2014-09-19 14:32:46 +0200)
>
> ----------------------------------------------------------------
> Adding new syscalls to seccomp whitelist: fallocate(), fadvise64(), inotify_init1() and inotify_add_watch().
>
> ----------------------------------------------------------------
> Philipp Gesang (1):
>       seccomp: whitelist syscalls fallocate(), fadvise64(), inotify_init1() and inotify_add_watch()
>
>  qemu-seccomp.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)

...how about fixing your compile errors on non-x86 platforms
before adding more stuff here?

thanks
-- PMM


* Re: [Qemu-devel] [PULL 00/01] Adding new syscalls to seccomp whitelist
  2014-09-19 14:15 ` [Qemu-devel] [PULL 00/01] Adding new syscalls to seccomp whitelist Peter Maydell
@ 2014-09-19 14:38   ` Eduardo Otubo
  2014-09-19 15:11     ` Peter Maydell
  0 siblings, 1 reply; 8+ messages in thread
From: Eduardo Otubo @ 2014-09-19 14:38 UTC (permalink / raw)
  To: Peter Maydell; +Cc: QEMU Developers, Philipp Gesang

On Fri, Sep 19, 2014 at 4:15 PM, Peter Maydell <peter.maydell@linaro.org> wrote:
> On 19 September 2014 06:22, Eduardo Otubo
> <eduardo.otubo@profitbricks.com> wrote:
>> The following changes since commit 10e11f4d2bf171f99c6b13883a510acfbc5dd585:
>>
>>   Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging (2014-09-18 20:02:01 +0100)
>>
>> are available in the git repository at:
>>
>>
>>   git://github.com/otubo/qemu.git tags/goto-upstream
>>
>> for you to fetch changes up to 021db05e6cb0683b12779ff519c7d857620c9e8f:
>>
>>   seccomp: whitelist syscalls fallocate(), fadvise64(), inotify_init1() and inotify_add_watch() (2014-09-19 14:32:46 +0200)
>>
>> ----------------------------------------------------------------
>> Adding new syscalls to seccomp whitelist: fallocate(), fadvise64(), inotify_init1() and inotify_add_watch().
>>
>> ----------------------------------------------------------------
>> Philipp Gesang (1):
>>       seccomp: whitelist syscalls fallocate(), fadvise64(), inotify_init1() and inotify_add_watch()
>>
>>  qemu-seccomp.c | 6 +++++-
>>  1 file changed, 5 insertions(+), 1 deletion(-)
>
> ...how about fixing your compile errors on non-x86 platforms
> before adding more stuff here?

Hm, indeed. I should have double checked that. Thanks for pointing that out.

Philipp, can you fix this, please?

Regards,

-- 
Eduardo Otubo
ProfitBricks


* Re: [Qemu-devel] [PULL 00/01] Adding new syscalls to seccomp whitelist
  2014-09-19 14:38   ` Eduardo Otubo
@ 2014-09-19 15:11     ` Peter Maydell
  2014-10-22  8:04       ` Eduardo Otubo
  0 siblings, 1 reply; 8+ messages in thread
From: Peter Maydell @ 2014-09-19 15:11 UTC (permalink / raw)
  To: Eduardo Otubo; +Cc: QEMU Developers, Philipp Gesang

On 19 September 2014 07:38, Eduardo Otubo
<eduardo.otubo@profitbricks.com> wrote:
> On Fri, Sep 19, 2014 at 4:15 PM, Peter Maydell <peter.maydell@linaro.org> wrote:
>> ...how about fixing your compile errors on non-x86 platforms
>> before adding more stuff here?
>
> Hm, indeed. I should have double checked that. Thanks for pointing that out.
>
> Philipp, can you fix this, please?

You have compile problems in current master as well. Your macros
probably need to guard themselves on whether the syscall they're
adding to the list actually exists on the host.
(See bug https://bugs.launchpad.net/qemu/+bug/1363641 -- select
doesn't exist as a syscall on all archs.)

thanks
-- PMM


* Re: [Qemu-devel] [PULL 00/01] Adding new syscalls to seccomp whitelist
  2014-09-19 15:11     ` Peter Maydell
@ 2014-10-22  8:04       ` Eduardo Otubo
  2014-10-22 10:02         ` Peter Maydell
  0 siblings, 1 reply; 8+ messages in thread
From: Eduardo Otubo @ 2014-10-22  8:04 UTC (permalink / raw)
  To: Peter Maydell; +Cc: QEMU Developers, Philipp Gesang

On Fri, Sep 19, 2014 at 08:11:14AM -0700, Peter Maydell wrote:
> On 19 September 2014 07:38, Eduardo Otubo
> <eduardo.otubo@profitbricks.com> wrote:
> > On Fri, Sep 19, 2014 at 4:15 PM, Peter Maydell <peter.maydell@linaro.org> wrote:
> >> ...how about fixing your compile errors on non-x86 platforms
> >> before adding more stuff here?
> >
> > Hm, indeed. I should have double checked that. Thanks for pointing that out.
> >
> > Philipp, can you fix this, please?
> 
> You have compile problems in current master as well. Your macros
> probably need to guard themselves on whether the syscall they're
> adding to the list actually exists on the host.
> (See bug https://bugs.launchpad.net/qemu/+bug/1363641 -- select
> doesn't exist as a syscall on all archs.)

The fix for that problem is upstream at libseccomp. The maintainer has
no plans yet to make a new release, though. Once he does a release and
fix this issue, I'll go and resubmit this pull request.

Thanks,

-- 
Eduardo Otubo
ProfitBricks GmbH


* Re: [Qemu-devel] [PULL 00/01] Adding new syscalls to seccomp whitelist
  2014-10-22  8:04       ` Eduardo Otubo
@ 2014-10-22 10:02         ` Peter Maydell
  2014-11-05 13:19           ` Peter Maydell
  0 siblings, 1 reply; 8+ messages in thread
From: Peter Maydell @ 2014-10-22 10:02 UTC (permalink / raw)
  To: Peter Maydell, QEMU Developers, Philipp Gesang

On 22 October 2014 09:04, Eduardo Otubo <eduardo.otubo@profitbricks.com> wrote:
> On Fri, Sep 19, 2014 at 08:11:14AM -0700, Peter Maydell wrote:
>> You have compile problems in current master as well. Your macros
>> probably need to guard themselves on whether the syscall they're
>> adding to the list actually exists on the host.
>> (See bug https://bugs.launchpad.net/qemu/+bug/1363641 -- select
>> doesn't exist as a syscall on all archs.)
>
> The fix for that problem is upstream at libseccomp. The maintainer has
> no plans yet to make a new release, though. Once he does a release and
> fix this issue, I'll go and resubmit this pull request.

The bug is already in QEMU master, so that needs a fix now
regardless of the status of this new patch.

thanks
-- PMM


* Re: [Qemu-devel] [PULL 00/01] Adding new syscalls to seccomp whitelist
  2014-10-22 10:02         ` Peter Maydell
@ 2014-11-05 13:19           ` Peter Maydell
  0 siblings, 0 replies; 8+ messages in thread
From: Peter Maydell @ 2014-11-05 13:19 UTC (permalink / raw)
  To: QEMU Developers, Eduardo Otubo

On 22 October 2014 11:02, Peter Maydell <peter.maydell@linaro.org> wrote:
> On 22 October 2014 09:04, Eduardo Otubo <eduardo.otubo@profitbricks.com> wrote:
>> On Fri, Sep 19, 2014 at 08:11:14AM -0700, Peter Maydell wrote:
>>> You have compile problems in current master as well. Your macros
>>> probably need to guard themselves on whether the syscall they're
>>> adding to the list actually exists on the host.
>>> (See bug https://bugs.launchpad.net/qemu/+bug/1363641 -- select
>>> doesn't exist as a syscall on all archs.)
>>
>> The fix for that problem is upstream at libseccomp. The maintainer has
>> no plans yet to make a new release, though. Once he does a release and
>> fix this issue, I'll go and resubmit this pull request.
>
> The bug is already in QEMU master, so that needs a fix now
> regardless of the status of this new patch.

Ping! You still need to fix this for QEMU 2.2 (minimally, by
disabling seccomp in configure for hosts it won't work on).

thanks
-- PMM
