From 2735c1f0c0ae68933112a98bf5a5c6d22486c74f Mon Sep 17 00:00:00 2001
Message-Id: <2735c1f0c0ae68933112a98bf5a5c6d22486c74f.1387369730.git.minovotn@redhat.com>
In-Reply-To: <091eecc4fa42754760dfff393dabcc2b444e9693.1387369730.git.minovotn@redhat.com>
References: <091eecc4fa42754760dfff393dabcc2b444e9693.1387369730.git.minovotn@redhat.com>
From: Paul Moore <pmoore@redhat.com>
Date: Tue, 3 Dec 2013 16:04:48 +0100
Subject: [PATCH 03/21] seccomp: add kill() to the syscall whitelist
|
RH-Author: Paul Moore <pmoore@redhat.com>
Message-id: <20131203160448.1445.78917.stgit@localhost>
Patchwork-id: 55976
O-Subject: [RHEL7 qemu-kvm PATCH] seccomp: add kill() to the syscall whitelist
Bugzilla: 1026314
RH-Acked-by: Bandan Das <bsd@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: knoel@redhat.com
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1026314
Brew: https://brewweb.devel.redhat.com/taskinfo?taskID=6672333
Upstream: In QEMU/seccomp maintainer's tree
git://github.com/otubo/qemu.git#seccomp
Tested: Tested by myself, IBM, and original BZ reporter, see BZ
|
commit: e9eecb5bf82a71564bf018fcbbfc6cda19cab6c2
From: Paul Moore <pmoore@redhat.com>
Date: 2013-11-20 11:12:17 -0500
|
seccomp: add kill() to the syscall whitelist
|
The kill() syscall is triggered with the following command:
|
# qemu -sandbox on -monitor stdio \
-device intel-hda -device hda-duplex -vnc :0
|
The resulting syslog/audit message:
|
# ausearch -m SECCOMP
----
time->Wed Nov 20 09:52:08 2013
type=SECCOMP msg=audit(1384912328.482:6656): auid=0 uid=0 gid=0 ses=854
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=12087
comm="qemu-kvm" sig=31 syscall=62 compat=0 ip=0x7f7a1d2abc67 code=0x0
# scmp_sys_resolver 62
kill
|
Reported-by: CongLi <coli@redhat.com>
Tested-by: CongLi <coli@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Acked-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
---
qemu-seccomp.c | 1 +
1 file changed, 1 insertion(+)
|
Signed-off-by: Michal Novotny <minovotn@redhat.com>
---
qemu-seccomp.c | 1 +
1 file changed, 1 insertion(+)
|
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
|
|
|
9ae3a8 |
index ca15f21..906101f 100644
|
|
|
9ae3a8 |
--- a/qemu-seccomp.c
|
|
|
9ae3a8 |
+++ b/qemu-seccomp.c
|
|
|
9ae3a8 |
@@ -123,6 +123,7 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
|
|
|
9ae3a8 |
{ SCMP_SYS(write), 244 },
|
|
|
9ae3a8 |
{ SCMP_SYS(fcntl), 243 },
|
|
|
9ae3a8 |
{ SCMP_SYS(tgkill), 242 },
|
|
|
9ae3a8 |
+ { SCMP_SYS(kill), 242 },
|
|
|
9ae3a8 |
{ SCMP_SYS(rt_sigaction), 242 },
|
|
|
9ae3a8 |
{ SCMP_SYS(pipe2), 242 },
|
|
|
9ae3a8 |
{ SCMP_SYS(munmap), 242 },
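Review bot: The new `{ SCMP_SYS(kill), 242 }` entry admits kill() with any pid and any signal, which is broader than the intel-hda trigger in the description appears to need and lets a compromised qemu-kvm process signal any process its uid may signal, not only itself. The quoted audit record gives the syscall number but not its arguments, so the calling code path and target pid are not established here; capturing them first (e.g. `strace -f -e trace=kill` under the same command line) would show whether the rule can be narrowed. If the target is always the process's own pid, the rule should carry an argument filter, `seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(kill), 1, SCMP_A0(SCMP_CMP_EQ, getpid()))`, rather than a bare table entry; the two-field QemuSeccompSyscall table shown here has no slot for a filter, so that would need a small change to the rule-installing loop outside this hunk. The 242 value is a libseccomp priority hint affecting filter ordering only and restricts nothing. The seccomp_whitelist array begins and ends outside the hunk.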
|
|
|
9ae3a8 |
--
|
|
|
9ae3a8 |
1.7.11.7
|
|
|
9ae3a8 |
|