From caa17bcb65ea65a9fa39e7d6117a87cc7cc9c0ce Mon Sep 17 00:00:00 2001

From: Eduardo Otubo <otubo@redhat.com>

Date: Fri, 28 Sep 2018 07:56:37 +0100

Subject: [PATCH 3/6] seccomp: prefer SCMP_ACT_KILL_PROCESS if available

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

RH-Author: Eduardo Otubo <otubo@redhat.com>

Message-id: <20180928075639.16746-4-otubo@redhat.com>

Patchwork-id: 82315

O-Subject: [RHEL-8 qemu-kvm PATCH 3/5] seccomp: prefer SCMP_ACT_KILL_PROCESS if available

Bugzilla: 1618356

RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

RH-Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>

RH-Acked-by: Thomas Huth <thuth@redhat.com>

From: Marc-André Lureau <marcandre.lureau@redhat.com>

commit bda08a5764d470f101fa38635d30b41179a313e1

Author: Marc-André Lureau <marcandre.lureau@redhat.com>

Date:   Wed Aug 22 19:02:48 2018 +0200

    seccomp: prefer SCMP_ACT_KILL_PROCESS if available

    The upcoming libseccomp release should have SCMP_ACT_KILL_PROCESS

    action (https://github.com/seccomp/libseccomp/issues/96).

    SCMP_ACT_KILL_PROCESS is preferable to immediately terminate the

    offending process, rather than having the SIGSYS handler running.

    Use SECCOMP_GET_ACTION_AVAIL to check availability of kernel support,

    as libseccomp will fallback on SCMP_ACT_KILL otherwise, and we still

    prefer SCMP_ACT_TRAP.

    Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

    Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

    Acked-by: Eduardo Otubo <otubo@redhat.com>

Signed-off-by: Eduardo Otubo <otubo@rehdat.com>

Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>

---

 qemu-seccomp.c | 31 ++++++++++++++++++++++++++++++-

 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/qemu-seccomp.c b/qemu-seccomp.c

index b88fa05..10fcfa3 100644

--- a/qemu-seccomp.c

+++ b/qemu-seccomp.c

@@ -15,6 +15,7 @@

 #include "qemu/osdep.h"

 #include <seccomp.h>

 #include "sysemu/seccomp.h"

+#include <linux/seccomp.h>

 /* For some architectures (notably ARM) cacheflush is not supported until

  * libseccomp 2.2.3, but configure enforces that we are using a more recent

@@ -102,12 +103,40 @@ static const struct QemuSeccompSyscall blacklist[] = {

     { SCMP_SYS(sched_get_priority_min), QEMU_SECCOMP_SET_RESOURCECTL },

 };

+static inline __attribute__((unused)) int

+qemu_seccomp(unsigned int operation, unsigned int flags, void *args)

+{

+#ifdef __NR_seccomp

+    return syscall(__NR_seccomp, operation, flags, args);

+#else

+    errno = ENOSYS;

+    return -1;

+#endif

+}

+

+static uint32_t qemu_seccomp_get_kill_action(void)

+{

+#if defined(SECCOMP_GET_ACTION_AVAIL) && defined(SCMP_ACT_KILL_PROCESS) && \

+    defined(SECCOMP_RET_KILL_PROCESS)

+    {

+        uint32_t action = SECCOMP_RET_KILL_PROCESS;

+

+        if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) {

+            return SCMP_ACT_KILL_PROCESS;

+        }

+    }

+#endif

+

+    return SCMP_ACT_TRAP;

+}

+

 int seccomp_start(uint32_t seccomp_opts)

 {

     int rc = 0;

     unsigned int i = 0;

     scmp_filter_ctx ctx;

+    uint32_t action = qemu_seccomp_get_kill_action();

     ctx = seccomp_init(SCMP_ACT_ALLOW);

     if (ctx == NULL) {

@@ -120,7 +149,7 @@ int seccomp_start(uint32_t seccomp_opts)

             continue;

         }

-        rc = seccomp_rule_add_array(ctx, SCMP_ACT_TRAP, blacklist[i].num,

+        rc = seccomp_rule_add_array(ctx, action, blacklist[i].num,

                                     blacklist[i].narg, blacklist[i].arg_cmp);

         if (rc < 0) {

             goto seccomp_return;

-- 

1.8.3.1