|
 |
4636b8 |
From 72b8c0856ace652a57145ea58b0bec9d67d23851 Mon Sep 17 00:00:00 2001
|
|
|
4636b8 |
From: Eduardo Otubo <otubo@redhat.com>
|
|
|
4636b8 |
Date: Tue, 7 Apr 2020 07:03:37 +0200
|
|
|
4636b8 |
Subject: [PATCH] seccomp: set the seccomp filter to all threads
|
|
|
4636b8 |
MIME-Version: 1.0
|
|
|
4636b8 |
Content-Type: text/plain; charset=UTF-8
|
|
|
4636b8 |
Content-Transfer-Encoding: 8bit
|
|
|
4636b8 |
|
|
|
4636b8 |
RH-Author: Eduardo Otubo <otubo@redhat.com>
|
|
|
4636b8 |
Message-id: <20200305125537.4031-1-otubo@redhat.com>
|
|
|
4636b8 |
Patchwork-id: 94159
|
|
|
4636b8 |
O-Subject: [RHEL-7.9 qemu-kvm-rhev PATCH] seccomp: set the seccomp filter to all threads
|
|
|
4636b8 |
Bugzilla: 1618504 1622976
|
|
|
4636b8 |
RH-Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
|
4636b8 |
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
|
4636b8 |
RH-Acked-by: Mohammed Gamal <mgamal@redhat.com>
|
|
|
4636b8 |
|
|
|
4636b8 |
BZ: 1618504
|
|
|
4636b8 |
BRANCH: rhv78/master
|
|
|
4636b8 |
BREW: 27052907
|
|
|
4636b8 |
|
|
|
4636b8 |
commit 70dfabeaa79ba4d7a3b699abe1a047c8012db114
|
|
|
4636b8 |
Author: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
|
4636b8 |
Date: Wed Aug 22 19:02:50 2018 +0200
|
|
|
4636b8 |
|
|
|
4636b8 |
When using "-seccomp on", the seccomp policy is only applied to the
|
|
|
4636b8 |
main thread, the vcpu worker thread and other worker threads created
|
|
|
4636b8 |
after seccomp policy is applied; the seccomp policy is not applied to
|
|
|
4636b8 |
e.g. the RCU thread because it is created before the seccomp policy is
|
|
|
4636b8 |
applied and SECCOMP_FILTER_FLAG_TSYNC isn't used.
|
|
|
4636b8 |
|
|
|
4636b8 |
This can be verified with
|
|
|
4636b8 |
for task in /proc/`pidof qemu`/task/*; do cat $task/status | grep Secc ; done
|
|
|
4636b8 |
Seccomp: 2
|
|
|
4636b8 |
Seccomp: 0
|
|
|
4636b8 |
Seccomp: 0
|
|
|
4636b8 |
Seccomp: 2
|
|
|
4636b8 |
Seccomp: 2
|
|
|
4636b8 |
Seccomp: 2
|
|
|
4636b8 |
|
|
|
4636b8 |
Starting with libseccomp 2.2.0 and kernel >= 3.17, we can use
|
|
|
4636b8 |
seccomp_attr_set(ctx, > SCMP_FLTATR_CTL_TSYNC, 1) to update the policy
|
|
|
4636b8 |
on all threads.
|
|
|
4636b8 |
|
|
|
4636b8 |
libseccomp requirement was bumped to 2.2.0 in previous patch.
|
|
|
4636b8 |
libseccomp should fail to set the filter if it can't honour
|
|
|
4636b8 |
SCMP_FLTATR_CTL_TSYNC (untested), and thus -sandbox will now fail on
|
|
|
4636b8 |
kernel < 3.17.
|
|
|
4636b8 |
|
|
|
4636b8 |
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
|
4636b8 |
Acked-by: Eduardo Otubo <otubo@redhat.com>
|
|
|
4636b8 |
|
|
|
4636b8 |
Signed-off-by: Eduardo Otubo <otubo@redhat.com>
|
|
|
4636b8 |
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
4636b8 |
---
|
|
|
4636b8 |
qemu-seccomp.c | 5 +++++
|
|
|
4636b8 |
1 file changed, 5 insertions(+)
|
|
|
4636b8 |
|
|
|
4636b8 |
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
|
|
|
4636b8 |
index b770a77..a5455af 100644
|
|
|
4636b8 |
--- a/qemu-seccomp.c
|
|
|
4636b8 |
+++ b/qemu-seccomp.c
|
|
|
4636b8 |
@@ -108,6 +108,11 @@ int seccomp_start(uint32_t seccomp_opts)
|
|
|
4636b8 |
goto seccomp_return;
|
|
|
4636b8 |
}
|
|
|
4636b8 |
|
|
|
4636b8 |
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
|
|
|
4636b8 |
+ if (rc != 0) {
|
|
|
4636b8 |
+ goto seccomp_return;
|
|
|
4636b8 |
+ }
|
|
|
4636b8 |
+
|
|
|
4636b8 |
for (i = 0; i < ARRAY_SIZE(blacklist); i++) {
|
|
|
4636b8 |
if (!(seccomp_opts & blacklist[i].set)) {
|
|
|
4636b8 |
continue;
|
|
|
4636b8 |
--
|
|
|
4636b8 |
1.8.3.1
|
|
|
4636b8 |
|