From: marcandre.lureau@redhat.com
To: libvir-list@redhat.com
Date: Thu, 30 Aug 2018 14:09:41 +0200
Message-Id: <20180830120941.22155-1-marcandre.lureau@redhat.com>
Cc: Marc-André Lureau
Subject: [libvirt] [PATCH] qemu: clear seccomp capability if TSYNC is not supported by host

From: Marc-André Lureau

With qemu <= 3.0, when using "-seccomp on", the seccomp policy is only applied to the main thread, the vcpu worker thread and other worker threads created after seccomp policy is applied; the seccomp policy is not applied to e.g. the RCU thread because it is created before the seccomp policy is applied.

Since qemu commit 70dfabeaa79ba4d7a3b699abe1a047c8012db114 "seccomp: set the seccomp filter to all threads", qemu will require seccomp TSYNC flag, and will fail to start if the flag isn't available. Without it, sandboxing is flawed. Disable seccomp capability if the host is not capable of using seccomp TSYNC.

Signed-off-by: Marc-André Lureau
---
 configure.ac | 2 +-
 src/qemu/qemu_capabilities.c | 27 +++++++++++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac index da940e34df..c206de1cad 100644 --- a/configure.ac +++ b/configure.ac
@@ -330,7 +330,7 @@ AC_CHECK_FUNCS_ONCE([cfmakeraw fallocate geteuid getgid= getgrnam_r \ =20 dnl Availability of various common headers (non-fatal if missing). AC_CHECK_HEADERS([pwd.h regex.h sys/un.h \ - sys/poll.h syslog.h mntent.h net/ethernet.h linux/magic.h \ + sys/poll.h syslog.h mntent.h net/ethernet.h linux/magic.h linux/seccomp.= h \ sys/un.h sys/syscall.h sys/sysctl.h netinet/tcp.h ifaddrs.h \ libtasn1.h sys/ucred.h sys/mount.h stdarg.h]) dnl Check whether endian provides handy macros. diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c index a075677421..dd62246eb4 100644 --- a/src/qemu/qemu_capabilities.c +++ b/src/qemu/qemu_capabilities.c @@ -54,6 +54,10 @@ #include #include #include +#if defined(HAVE_LINUX_SECCOMP_H) && defined(HAVE_SYS_SYSCALL_H) +#include +#include +#endif =20 #define VIR_FROM_THIS VIR_FROM_QEMU =20 @@ -4615,6 +4619,15 @@ virQEMUCapsLogProbeFailure(const char *binary) } =20 =20 +#if defined(HAVE_LINUX_SECCOMP_H) && defined(HAVE_SYS_SYSCALL_H) +static int +virSeccomp(unsigned int op, unsigned int flags, void *args) +{ + errno =3D 0; + return syscall(__NR_seccomp, op, flags, args); +} +#endif + virQEMUCapsPtr virQEMUCapsNewForBinaryInternal(virArch hostArch, const char *binary, @@ -4679,6 +4692,20 @@ virQEMUCapsNewForBinaryInternal(virArch hostArch, goto error; } =20 + if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SECCOMP_SANDBOX)) { + bool have_seccomp =3D false; +#if defined(HAVE_LINUX_SECCOMP_H) && defined(HAVE_SYS_SYSCALL_H) + /* check the TSYNC flag - it returns errno =3D=3D ENOSYS if unavai= lable */ + if (virSeccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,= NULL) < 0 && + errno =3D=3D EFAULT) { + have_seccomp =3D true; + } +#endif + if (!have_seccomp) { + virQEMUCapsClear(qemuCaps, QEMU_CAPS_SECCOMP_SANDBOX); + } + } + cleanup: VIR_FREE(qmperr); return qemuCaps; --=20 2.19.0.rc0.48.gb9dfa238d5 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
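Review bot: the configure.ac hunk only tests for the presence of linux/seccomp.h, which is not enough to protect the code guarded by `#if defined(HAVE_LINUX_SECCOMP_H) && defined(HAVE_SYS_SYSCALL_H)` in qemu_capabilities.c. That code uses SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC and __NR_seccomp, and kernel headers that ship linux/seccomp.h without those definitions would break the build. Extend the guard with `defined(SECCOMP_FILTER_FLAG_TSYNC) && defined(__NR_seccomp)`, or add an AC_CHECK_DECLS for the flag next to the header check.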
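Review bot: virSeccomp() in the hunk after virQEMUCapsLogProbeFailure() has no comment explaining that it is a raw syscall() wrapper whose only caller inspects errno, which is why errno is reset before the call. A one-line comment above the function would keep a later reader from removing the `errno = 0` assignment or reusing the helper where the return value alone is expected to be meaningful.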
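Review bot: in the virQEMUCapsNewForBinaryInternal() hunk the comment says the call returns ENOSYS when TSYNC is unavailable, but the condition tests for `errno == EFAULT`, so the comment does not describe the check that is made. Reword it to say that the probe passes a NULL filter on purpose and treats EFAULT as proof that the kernel accepted the operation and the TSYNC flag, with any other errno meaning unsupported. Also note that when the preprocessor guard is false, have_seccomp stays false and QEMU_CAPS_SECCOMP_SANDBOX is cleared for every binary, including the qemu <= 3.0 case the commit message describes as not requiring TSYNC; if that is intended, say so in the comment and emit a VIR_DEBUG when the capability is cleared so the loss of sandboxing is visible in the logs.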