|
 |
4549c1 |
From d01fad2a8757f4e3b449a888b93a0ba9fda54daa Mon Sep 17 00:00:00 2001
|
|
|
4549c1 |
From: Eduardo Otubo <otubo@redhat.com>
|
|
|
4549c1 |
Date: Thu, 5 Mar 2020 13:49:51 +0100
|
|
|
4549c1 |
Subject: [PATCH 6/6] seccomp: set the seccomp filter to all threads
|
|
|
4549c1 |
MIME-Version: 1.0
|
|
|
4549c1 |
Content-Type: text/plain; charset=UTF-8
|
|
|
4549c1 |
Content-Transfer-Encoding: 8bit
|
|
|
4549c1 |
|
|
|
4549c1 |
Message-id: <20200305134951.23851-1-otubo@redhat.com>
|
|
|
4549c1 |
Patchwork-id: 94161
|
|
|
4549c1 |
O-Subject: [RHEL-7.9 qemu-kvm PATCH] seccomp: set the seccomp filter to all threads
|
|
|
4549c1 |
Bugzilla: 1618503
|
|
|
4549c1 |
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
|
|
4549c1 |
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
|
4549c1 |
RH-Acked-by: Mohammed Gamal <mgamal@redhat.com>
|
|
|
4549c1 |
|
|
|
4549c1 |
commit 70dfabeaa79ba4d7a3b699abe1a047c8012db114
|
|
|
4549c1 |
Author: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
|
4549c1 |
Date: Wed Aug 22 19:02:50 2018 +0200
|
|
|
4549c1 |
|
|
|
4549c1 |
When using "-seccomp on", the seccomp policy is only applied to the
|
|
|
4549c1 |
main thread, the vcpu worker thread and other worker threads created
|
|
|
4549c1 |
after seccomp policy is applied; the seccomp policy is not applied to
|
|
|
4549c1 |
e.g. the RCU thread because it is created before the seccomp policy is
|
|
|
4549c1 |
applied and SECCOMP_FILTER_FLAG_TSYNC isn't used.
|
|
|
4549c1 |
|
|
|
4549c1 |
This can be verified with
|
|
|
4549c1 |
for task in /proc/`pidof qemu`/task/*; do cat $task/status | grep Secc ; done
|
|
|
4549c1 |
Seccomp: 2
|
|
|
4549c1 |
Seccomp: 0
|
|
|
4549c1 |
Seccomp: 0
|
|
|
4549c1 |
Seccomp: 2
|
|
|
4549c1 |
Seccomp: 2
|
|
|
4549c1 |
Seccomp: 2
|
|
|
4549c1 |
|
|
|
4549c1 |
Starting with libseccomp 2.2.0 and kernel >= 3.17, we can use
|
|
|
4549c1 |
seccomp_attr_set(ctx, > SCMP_FLTATR_CTL_TSYNC, 1) to update the policy
|
|
|
4549c1 |
on all threads.
|
|
|
4549c1 |
|
|
|
4549c1 |
libseccomp requirement was bumped to 2.2.0 in previous patch.
|
|
|
4549c1 |
libseccomp should fail to set the filter if it can't honour
|
|
|
4549c1 |
SCMP_FLTATR_CTL_TSYNC (untested), and thus -sandbox will now fail on
|
|
|
4549c1 |
kernel < 3.17.
|
|
|
4549c1 |
|
|
|
4549c1 |
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
|
4549c1 |
Acked-by: Eduardo Otubo <otubo@redhat.com>
|
|
|
4549c1 |
|
|
|
4549c1 |
Signed-off-by: Eduardo Otubo <otubo@redhat.com>
|
|
|
4549c1 |
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
4549c1 |
---
|
|
|
4549c1 |
qemu-seccomp.c | 5 +++++
|
|
|
4549c1 |
1 file changed, 5 insertions(+)
|
|
|
4549c1 |
|
|
|
4549c1 |
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
|
|
|
4549c1 |
index e947909..828083b 100644
|
|
|
4549c1 |
--- a/qemu-seccomp.c
|
|
|
4549c1 |
+++ b/qemu-seccomp.c
|
|
|
4549c1 |
@@ -264,6 +264,11 @@ int seccomp_start(void)
|
|
|
4549c1 |
goto seccomp_return;
|
|
|
4549c1 |
}
|
|
|
4549c1 |
|
|
|
4549c1 |
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
|
|
|
4549c1 |
+ if (rc != 0) {
|
|
|
4549c1 |
+ goto seccomp_return;
|
|
|
4549c1 |
+ }
|
|
|
4549c1 |
+
|
|
|
4549c1 |
for (i = 0; i < ARRAY_SIZE(seccomp_whitelist); i++) {
|
|
|
4549c1 |
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_whitelist[i].num, 0);
|
|
|
4549c1 |
if (rc < 0) {
|
|
|
4549c1 |
--
|
|
|
4549c1 |
1.8.3.1
|
|
|
4549c1 |
|