Blob Blame Raw
From fb1bf29b909f8443aae0171e3b9c8bc369e0a641 Mon Sep 17 00:00:00 2001
From: Eduardo Otubo <>
Date: Fri, 28 Sep 2018 07:56:36 +0100
Subject: [PATCH 2/6] seccomp: use SIGSYS signal instead of killing the thread
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RH-Author: Eduardo Otubo <>
Message-id: <>
Patchwork-id: 82314
O-Subject: [RHEL-8 qemu-kvm PATCH 2/5] seccomp: use SIGSYS signal instead of killing the thread
Bugzilla: 1618356
RH-Acked-by: Dr. David Alan Gilbert <>
RH-Acked-by: Marc-André Lureau <>
RH-Acked-by: Thomas Huth <>

From: Marc-André Lureau <>

commit 6f2231e9b0931e1998d9ed0c509adf7aedc02db2
Author: Marc-André Lureau <>
Date:   Wed Aug 22 19:02:47 2018 +0200

    seccomp: use SIGSYS signal instead of killing the thread

    The seccomp action SCMP_ACT_KILL results in immediate termination of
    the thread that made the bad system call. However, qemu being
    multi-threaded, it keeps running. There is no easy way for parent
    process / management layer (libvirt) to know about that situation.

    Instead, the default SIGSYS handler when invoked with SCMP_ACT_TRAP
    will terminate the program and core dump.

    This may not be the most secure solution, but probably better than
    just killing the offending thread. SCMP_ACT_KILL_PROCESS has been
    added in Linux 4.14 to improve the situation, which I propose to use
    by default if available in the next patch.

    Related to:

    Signed-off-by: Marc-André Lureau <>
    Reviewed-by: Daniel P. Berrangé <>
    Acked-by: Eduardo Otubo <>

Signed-off-by: Eduardo Otubo <>
Signed-off-by: Danilo C. L. de Paula <>
 qemu-seccomp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 845a333..b88fa05 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -120,7 +120,7 @@ int seccomp_start(uint32_t seccomp_opts)
-        rc = seccomp_rule_add_array(ctx, SCMP_ACT_KILL, blacklist[i].num,
+        rc = seccomp_rule_add_array(ctx, SCMP_ACT_TRAP, blacklist[i].num,
                                     blacklist[i].narg, blacklist[i].arg_cmp);
         if (rc < 0) {
             goto seccomp_return;