From a44f33e5cafc02477c182119ee422ea54eb1f3db Mon Sep 17 00:00:00 2001

From: Eduardo Otubo <otubo@redhat.com>

Date: Fri, 28 Sep 2018 07:56:35 +0100

Subject: [PATCH 1/6] seccomp: allow sched_setscheduler() with SCHED_IDLE

 policy

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

RH-Author: Eduardo Otubo <otubo@redhat.com>

Message-id: <20180928075639.16746-2-otubo@redhat.com>

Patchwork-id: 82317

O-Subject: [RHEL-8 qemu-kvm PATCH 1/5] seccomp: allow sched_setscheduler() with SCHED_IDLE policy

Bugzilla: 1618356

RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

RH-Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>

RH-Acked-by: Thomas Huth <thuth@redhat.com>

From: Marc-André Lureau <marcandre.lureau@redhat.com>

commit 056de1e894155fbb99e7b43c1c4382d4920cf437

Author: Marc-André Lureau <marcandre.lureau@redhat.com>

Date:   Tue Jul 10 16:55:57 2018 +0200

    seccomp: allow sched_setscheduler() with SCHED_IDLE policy

    Current and upcoming mesa releases rely on a shader disk cash. It uses

    a thread job queue with low priority, set with

    sched_setscheduler(SCHED_IDLE). However, that syscall is rejected by

    the "resourcecontrol" seccomp qemu filter.

    Since it should be safe to allow lowering thread priority, let's allow

    scheduling thread to idle policy.

    Related to:

    https://bugzilla.redhat.com/show_bug.cgi?id=1594456

    Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

    Acked-by: Eduardo Otubo <otubo@redhat.com>

Signed-by-off: Eduardo Otubo <otubo@redhat.com>

Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>

---

 qemu-seccomp.c | 12 ++++++++++--

 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/qemu-seccomp.c b/qemu-seccomp.c

index b770a77..845a333 100644

--- a/qemu-seccomp.c

+++ b/qemu-seccomp.c

@@ -29,6 +29,12 @@

 struct QemuSeccompSyscall {

     int32_t num;

     uint8_t set;

+    uint8_t narg;

+    const struct scmp_arg_cmp *arg_cmp;

+};

+

+const struct scmp_arg_cmp sched_setscheduler_arg[] = {

+    SCMP_A1(SCMP_CMP_NE, SCHED_IDLE)

 };

 static const struct QemuSeccompSyscall blacklist[] = {

@@ -87,7 +93,8 @@ static const struct QemuSeccompSyscall blacklist[] = {

     { SCMP_SYS(setpriority),            QEMU_SECCOMP_SET_RESOURCECTL },

     { SCMP_SYS(sched_setparam),         QEMU_SECCOMP_SET_RESOURCECTL },

     { SCMP_SYS(sched_getparam),         QEMU_SECCOMP_SET_RESOURCECTL },

-    { SCMP_SYS(sched_setscheduler),     QEMU_SECCOMP_SET_RESOURCECTL },

+    { SCMP_SYS(sched_setscheduler),     QEMU_SECCOMP_SET_RESOURCECTL,

+      ARRAY_SIZE(sched_setscheduler_arg), sched_setscheduler_arg },

     { SCMP_SYS(sched_getscheduler),     QEMU_SECCOMP_SET_RESOURCECTL },

     { SCMP_SYS(sched_setaffinity),      QEMU_SECCOMP_SET_RESOURCECTL },

     { SCMP_SYS(sched_getaffinity),      QEMU_SECCOMP_SET_RESOURCECTL },

@@ -113,7 +120,8 @@ int seccomp_start(uint32_t seccomp_opts)

             continue;

         }

-        rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, blacklist[i].num, 0);

+        rc = seccomp_rule_add_array(ctx, SCMP_ACT_KILL, blacklist[i].num,

+                                    blacklist[i].narg, blacklist[i].arg_cmp);

         if (rc < 0) {

             goto seccomp_return;

         }

-- 

1.8.3.1