From 45031cfb033d0c3941f48acb8c46861f756ab700 Mon Sep 17 00:00:00 2001
From: Paul Moore <pmoore@redhat.com>
Date: Mon, 27 Jan 2014 21:43:11 +0100
Subject: [PATCH 01/28] seccomp: add mkdir() and fchmod() to the whitelist
RH-Author: Paul Moore <pmoore@redhat.com>
Message-id: <20140127214311.24608.57759.stgit@localhost>
Patchwork-id: 56966
O-Subject: [RHEL7 qemu-kvm PATCH 1/2] seccomp: add mkdir() and fchmod() to the whitelist
Bugzilla: 1026314
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Juan Quintela <quintela@redhat.com>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1026314
Brew: https://brewweb.devel.redhat.com/taskinfo?taskID=6956172
Upstream: upstream, see commit IDs
Testing: tested, see BZ
seccomp: add mkdir() and fchmod() to the whitelist
The PulseAudio library attempts to do a mkdir(2) and fchmod(2) on
"/run/user/<UID>/pulse" which is currently blocked by the syscall
filter; this patch adds the two missing syscalls to the whitelist.
You can reproduce this problem with the following command:
# qemu -monitor stdio -device intel-hda -device hda-duplex
If watched under strace the following syscalls are shown:
mkdir("/run/user/0/pulse", 0700)
fchmod(11, 0700) [NOTE: 11 is the fd for /run/user/0/pulse]
Reported-by: xuhan@redhat.com
Signed-off-by: Paul Moore <pmoore@redhat.com>
---
qemu-seccomp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
qemu-seccomp.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index fc48bdd..34a54e4 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -237,7 +237,9 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
{ SCMP_SYS(io_cancel), 241 },
{ SCMP_SYS(io_setup), 241 },
{ SCMP_SYS(io_destroy), 241 },
- { SCMP_SYS(arch_prctl), 240 }
+ { SCMP_SYS(arch_prctl), 240 },
+ { SCMP_SYS(mkdir), 240 },
+ { SCMP_SYS(fchmod), 240 }
};
int seccomp_start(void)
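Review bot: The two new rows whitelist mkdir() and fchmod() for every path and descriptor, while the commit message only justifies the calls PulseAudio makes on "/run/user/<UID>/pulse"; nothing in the hunk constrains the arguments, so the filter now admits directory creation and mode changes anywhere the QEMU process can already reach. The QemuSeccompSyscall entries visible here carry only a syscall and a priority, so an argument-level restriction would presumably need a wider table and is likely out of scope for this fix, but the broadening deserves to be recorded in the table itself. A short comment next to the new rows, `/* mkdir()/fchmod(): required by the PulseAudio client, which creates /run/user/<UID>/pulse */`, would tell a later auditor why these are present and let them be removed if the audio backend is dropped. The seccomp_whitelist[] array begins before the hunk.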
--
1.7.1