|
 |
ae23c9 |
From 8bf0cdd586d9868e3432e3d7949c8d628f7e6538 Mon Sep 17 00:00:00 2001
|
|
|
ae23c9 |
From: Eduardo Otubo <otubo@redhat.com>
|
|
|
ae23c9 |
Date: Fri, 28 Sep 2018 07:56:39 +0100
|
|
|
ae23c9 |
Subject: [PATCH 5/6] seccomp: set the seccomp filter to all threads
|
|
|
ae23c9 |
MIME-Version: 1.0
|
|
|
ae23c9 |
Content-Type: text/plain; charset=UTF-8
|
|
|
ae23c9 |
Content-Transfer-Encoding: 8bit
|
|
|
ae23c9 |
|
|
|
ae23c9 |
RH-Author: Eduardo Otubo <otubo@redhat.com>
|
|
|
ae23c9 |
Message-id: <20180928075639.16746-6-otubo@redhat.com>
|
|
|
ae23c9 |
Patchwork-id: 82316
|
|
|
ae23c9 |
O-Subject: [RHEL-8 qemu-kvm PATCH 5/5] seccomp: set the seccomp filter to all threads
|
|
|
ae23c9 |
Bugzilla: 1618356
|
|
|
ae23c9 |
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
|
|
ae23c9 |
RH-Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
|
ae23c9 |
RH-Acked-by: Thomas Huth <thuth@redhat.com>
|
|
|
ae23c9 |
|
|
|
ae23c9 |
From: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
|
ae23c9 |
|
|
|
ae23c9 |
commit 70dfabeaa79ba4d7a3b699abe1a047c8012db114
|
|
|
ae23c9 |
Author: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
|
ae23c9 |
Date: Wed Aug 22 19:02:50 2018 +0200
|
|
|
ae23c9 |
|
|
|
ae23c9 |
seccomp: set the seccomp filter to all threads
|
|
|
ae23c9 |
|
|
|
ae23c9 |
When using "-seccomp on", the seccomp policy is only applied to the
|
|
|
ae23c9 |
main thread, the vcpu worker thread and other worker threads created
|
|
|
ae23c9 |
after seccomp policy is applied; the seccomp policy is not applied to
|
|
|
ae23c9 |
e.g. the RCU thread because it is created before the seccomp policy is
|
|
|
ae23c9 |
applied and SECCOMP_FILTER_FLAG_TSYNC isn't used.
|
|
|
ae23c9 |
|
|
|
ae23c9 |
This can be verified with
|
|
|
ae23c9 |
for task in /proc/`pidof qemu`/task/*; do cat $task/status | grep Secc ; done
|
|
|
ae23c9 |
Seccomp: 2
|
|
|
ae23c9 |
Seccomp: 0
|
|
|
ae23c9 |
Seccomp: 0
|
|
|
ae23c9 |
Seccomp: 2
|
|
|
ae23c9 |
Seccomp: 2
|
|
|
ae23c9 |
Seccomp: 2
|
|
|
ae23c9 |
|
|
|
ae23c9 |
Starting with libseccomp 2.2.0 and kernel >= 3.17, we can use
|
|
|
ae23c9 |
seccomp_attr_set(ctx, > SCMP_FLTATR_CTL_TSYNC, 1) to update the policy
|
|
|
ae23c9 |
on all threads.
|
|
|
ae23c9 |
|
|
|
ae23c9 |
libseccomp requirement was bumped to 2.2.0 in previous patch.
|
|
|
ae23c9 |
libseccomp should fail to set the filter if it can't honour
|
|
|
ae23c9 |
SCMP_FLTATR_CTL_TSYNC (untested), and thus -sandbox will now fail on
|
|
|
ae23c9 |
kernel < 3.17.
|
|
|
ae23c9 |
|
|
|
ae23c9 |
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
|
ae23c9 |
Acked-by: Eduardo Otubo <otubo@redhat.com>
|
|
|
ae23c9 |
|
|
|
ae23c9 |
Signed-off-by: Eduardo Otubo <otubo@redhat.com>
|
|
|
ae23c9 |
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
|
|
|
ae23c9 |
---
|
|
|
ae23c9 |
qemu-seccomp.c | 5 +++++
|
|
|
ae23c9 |
1 file changed, 5 insertions(+)
|
|
|
ae23c9 |
|
|
|
ae23c9 |
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
|
|
|
ae23c9 |
index 10fcfa3..a29e54b 100644
|
|
|
ae23c9 |
--- a/qemu-seccomp.c
|
|
|
ae23c9 |
+++ b/qemu-seccomp.c
|
|
|
ae23c9 |
@@ -144,6 +144,11 @@ int seccomp_start(uint32_t seccomp_opts)
|
|
|
ae23c9 |
goto seccomp_return;
|
|
|
ae23c9 |
}
|
|
|
ae23c9 |
|
|
|
ae23c9 |
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
|
|
|
ae23c9 |
+ if (rc != 0) {
|
|
|
ae23c9 |
+ goto seccomp_return;
|
|
|
ae23c9 |
+ }
|
|
|
ae23c9 |
+
|
|
|
ae23c9 |
for (i = 0; i < ARRAY_SIZE(blacklist); i++) {
|
|
|
ae23c9 |
if (!(seccomp_opts & blacklist[i].set)) {
|
|
|
ae23c9 |
continue;
|
|
|
ae23c9 |
--
|
|
|
ae23c9 |
1.8.3.1
|
|
|
ae23c9 |
|