yeahuh / rpms / qemu-kvm

Forked from rpms/qemu-kvm 2 years ago
Clone
9ae3a8
From 2735c1f0c0ae68933112a98bf5a5c6d22486c74f Mon Sep 17 00:00:00 2001
9ae3a8
Message-Id: <2735c1f0c0ae68933112a98bf5a5c6d22486c74f.1387369730.git.minovotn@redhat.com>
9ae3a8
In-Reply-To: <091eecc4fa42754760dfff393dabcc2b444e9693.1387369730.git.minovotn@redhat.com>
9ae3a8
References: <091eecc4fa42754760dfff393dabcc2b444e9693.1387369730.git.minovotn@redhat.com>
9ae3a8
From: Paul Moore <pmoore@redhat.com>
9ae3a8
Date: Tue, 3 Dec 2013 16:04:48 +0100
9ae3a8
Subject: [PATCH 03/21] seccomp: add kill() to the syscall whitelist
9ae3a8
9ae3a8
RH-Author: Paul Moore <pmoore@redhat.com>
9ae3a8
Message-id: <20131203160448.1445.78917.stgit@localhost>
9ae3a8
Patchwork-id: 55976
9ae3a8
O-Subject: [RHEL7 qemu-kvm PATCH] seccomp: add kill() to the syscall whitelist
9ae3a8
Bugzilla: 1026314
9ae3a8
RH-Acked-by: Bandan Das <bsd@redhat.com>
9ae3a8
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
9ae3a8
RH-Acked-by: knoel@redhat.com
9ae3a8
9ae3a8
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1026314
9ae3a8
Brew: https://brewweb.devel.redhat.com/taskinfo?taskID=6672333
9ae3a8
Upstream: In QEMU/seccomp maintainer's tree
9ae3a8
          git://github.com/otubo/qemu.git#seccomp
9ae3a8
Tested: Tested by myself, IBM, and original BZ reporter, see BZ
9ae3a8
9ae3a8
	commit: e9eecb5bf82a71564bf018fcbbfc6cda19cab6c2
9ae3a8
	From: Paul Moore <pmoore@redhat.com>
9ae3a8
	Date: 2013-11-20 11:12:17 -0500
9ae3a8
9ae3a8
	seccomp: add kill() to the syscall whitelist
9ae3a8
9ae3a8
	The kill() syscall is triggered with the following command:
9ae3a8
9ae3a8
	# qemu -sandbox on -monitor stdio \
9ae3a8
		-device intel-hda -device hda-duplex -vnc :0
9ae3a8
9ae3a8
	The resulting syslog/audit message:
9ae3a8
9ae3a8
	# ausearch -m SECCOMP
9ae3a8
	----
9ae3a8
	time->Wed Nov 20 09:52:08 2013
9ae3a8
	type=SECCOMP msg=audit(1384912328.482:6656): auid=0 uid=0 gid=0 ses=854
9ae3a8
	subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=12087
9ae3a8
	comm="qemu-kvm" sig=31 syscall=62 compat=0 ip=0x7f7a1d2abc67 code=0x0
9ae3a8
	# scmp_sys_resolver 62
9ae3a8
	kill
9ae3a8
9ae3a8
	Reported-by: CongLi <coli@redhat.com>
9ae3a8
	Tested-by: CongLi <coli@redhat.com>
9ae3a8
	Signed-off-by: Paul Moore <pmoore@redhat.com>
9ae3a8
	Acked-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
9ae3a8
---
9ae3a8
 qemu-seccomp.c |    1 +
9ae3a8
 1 file changed, 1 insertion(+)
9ae3a8
9ae3a8
Signed-off-by: Michal Novotny <minovotn@redhat.com>
9ae3a8
---
9ae3a8
 qemu-seccomp.c | 1 +
9ae3a8
 1 file changed, 1 insertion(+)
9ae3a8
9ae3a8
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
9ae3a8
index ca15f21..906101f 100644
9ae3a8
--- a/qemu-seccomp.c
9ae3a8
+++ b/qemu-seccomp.c
9ae3a8
@@ -123,6 +123,7 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
9ae3a8
     { SCMP_SYS(write), 244 },
9ae3a8
     { SCMP_SYS(fcntl), 243 },
9ae3a8
     { SCMP_SYS(tgkill), 242 },
9ae3a8
+    { SCMP_SYS(kill), 242 },
9ae3a8
     { SCMP_SYS(rt_sigaction), 242 },
9ae3a8
     { SCMP_SYS(pipe2), 242 },
9ae3a8
     { SCMP_SYS(munmap), 242 },
9ae3a8
-- 
9ae3a8
1.7.11.7
9ae3a8