From nobody Sat May 4 06:14:05 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org;
Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com
Return-Path:
Received: from lists.gnu.org (209.51.188.17 [209.51.188.17]) by mx.zohomail.com with SMTPS id 1553689133995329.5468592854596; Wed, 27 Mar 2019 05:18:53 -0700 (PDT)
Received: from localhost ([127.0.0.1]:46845 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1h97W0-0003lH-K0 for importer@patchew.org; Wed, 27 Mar 2019 08:18:44 -0400
Received: from eggs.gnu.org ([209.51.188.92]:37555) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1h97UE-0002oO-Ny for qemu-devel@nongnu.org; Wed, 27 Mar 2019 08:16:56 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1h97UB-0000Px-Vk for qemu-devel@nongnu.org; Wed, 27 Mar 2019 08:16:53 -0400
Received: from mx1.redhat.com ([209.132.183.28]:54194) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1h97UA-0000LE-0m for qemu-devel@nongnu.org; Wed, 27 Mar 2019 08:16:50 -0400
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 8DFB0308339A; Wed, 27 Mar 2019 12:16:48 +0000 (UTC)
Received: from vader.redhat.com (unknown [10.36.118.43]) by smtp.corp.redhat.com (Postfix) with ESMTP id 4DFF060852; Wed, 27 Mar 2019 12:16:47 +0000 (UTC)
From: Eduardo Otubo
To: qemu-devel@nongnu.org
Date: Wed, 27 Mar 2019 13:16:33 +0100
Message-Id: <20190327121634.23952-2-otubo@redhat.com>
In-Reply-To: <20190327121634.23952-1-otubo@redhat.com>
References: <20190327121634.23952-1-otubo@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.44]); Wed, 27 Mar 2019 12:16:48 +0000 (UTC)
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 209.132.183.28
Subject: [Qemu-devel] [PULL 1/2] seccomp: don't kill process for resource control syscalls
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Cc: peter.maydell@linaro.org, Marc-André Lureau
Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org
Sender: "Qemu-devel"
Content-Type: text/plain; charset="utf-8"
From: Daniel P. Berrangé

The Mesa library tries to set process affinity on some of its threads in order to optimize its performance. Currently this results in QEMU being immediately terminated when seccomp is enabled. Mesa doesn't consider failure of the process affinity settings to be fatal to its operation, but our seccomp policy gives it no choice in gracefully handling this denial.

It is reasonable to consider malicious code using the resource control syscalls to be a less serious attack than if they were trying to spawn processes or change UIDs and other such things. Generally speaking, changing the resource control setting will "merely" affect quality of service of processes on the host.

With this in mind, rather than kill the process, we can relax the policy for these syscalls to return the EPERM errno value. This allows callers to detect that QEMU does not want them to change resource allocations, and apply some reasonable fallback logic.

The main downside to this is for code which uses these syscalls but does not check the return value, blindly assuming they will always succeed. Returning an errno could result in sub-optimal behaviour. Arguably though such code is already broken & needs fixing regardless.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Marc-André Lureau
Signed-off-by: Eduardo Otubo
---
 qemu-seccomp.c | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)

diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 36d5829831..cf520883c7 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -121,20 +121,37 @@ qemu_seccomp(unsigned int operation, unsigned int fla= gs, void *args) #endif } =20 -static uint32_t qemu_seccomp_get_kill_action(void) +static uint32_t qemu_seccomp_get_action(int set) { + switch (set) { + case QEMU_SECCOMP_SET_DEFAULT: + case QEMU_SECCOMP_SET_OBSOLETE: + case QEMU_SECCOMP_SET_PRIVILEGED: + case QEMU_SECCOMP_SET_SPAWN: { #if defined(SECCOMP_GET_ACTION_AVAIL) && defined(SCMP_ACT_KILL_PROCESS) &&= \ defined(SECCOMP_RET_KILL_PROCESS) - { - uint32_t action =3D SECCOMP_RET_KILL_PROCESS; + static int kill_process =3D -1; + if (kill_process =3D=3D -1) { + uint32_t action =3D SECCOMP_RET_KILL_PROCESS; =20 - if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) =3D=3D 0) { + if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) =3D=3D = 0) { + kill_process =3D 1; + } + kill_process =3D 0; + } + if (kill_process =3D=3D 1) { return SCMP_ACT_KILL_PROCESS; } - } #endif + return SCMP_ACT_TRAP; + } + + case QEMU_SECCOMP_SET_RESOURCECTL: + return SCMP_ACT_ERRNO(EPERM); =20 - return SCMP_ACT_TRAP; + default: + g_assert_not_reached(); + } } =20 =20 @@ -143,7 +160,6 @@ static int seccomp_start(uint32_t seccomp_opts) int rc =3D 0; unsigned int i =3D 0; scmp_filter_ctx ctx; - uint32_t action =3D qemu_seccomp_get_kill_action(); =20 ctx =3D seccomp_init(SCMP_ACT_ALLOW); if (ctx =3D=3D NULL) { 
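Review bot: in the SECCOMP_GET_ACTION_AVAIL probe inside qemu_seccomp_get_action(), the line `kill_process = 0;` runs unconditionally after the `if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) { kill_process = 1; }` block, so the cached value is always 0, `if (kill_process == 1)` never fires, and every set that should get SCMP_ACT_KILL_PROCESS silently falls through to SCMP_ACT_TRAP. The `kill_process = 0;` assignment belongs in an `else` branch of that `if`; a small test that checks the returned action on a kernel advertising SECCOMP_RET_KILL_PROCESS would have caught this, since the previous qemu_seccomp_get_kill_action() did return SCMP_ACT_KILL_PROCESS there.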
@@ -157,10 +173,12 @@ static int seccomp_start(uint32_t seccomp_opts) } =20 for (i =3D 0; i < ARRAY_SIZE(blacklist); i++) { + uint32_t action; if (!(seccomp_opts & blacklist[i].set)) { continue; } =20 + action =3D qemu_seccomp_get_action(blacklist[i].set); rc =3D seccomp_rule_add_array(ctx, action, blacklist[i].num, blacklist[i].narg, blacklist[i].arg_cm= p); if (rc < 0) {
-- 
2.17.2

From nobody Sat May 4 06:14:05 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org;
Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com
Return-Path:
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1553689186104253.72416702371697; Wed, 27 Mar 2019 05:19:46 -0700 (PDT)
Received: from localhost ([127.0.0.1]:46849 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1h97Wu-0004Jk-0v for importer@patchew.org; Wed, 27 Mar 2019 08:19:40 -0400
Received: from eggs.gnu.org ([209.51.188.92]:37558) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1h97UE-0002oS-Pq for qemu-devel@nongnu.org; Wed, 27 Mar 2019 08:16:55 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1h97UC-0000QN-6n for qemu-devel@nongnu.org; Wed, 27 Mar 2019 08:16:54 -0400
Received: from mx1.redhat.com ([209.132.183.28]:55094) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1h97UB-0000OX-UQ for qemu-devel@nongnu.org; Wed, 27 Mar 2019 08:16:52 -0400
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher
AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 2934766986; Wed, 27 Mar 2019 12:16:51 +0000 (UTC)
Received: from vader.redhat.com (unknown [10.36.118.43]) by smtp.corp.redhat.com (Postfix) with ESMTP id E0F8460852; Wed, 27 Mar 2019 12:16:48 +0000 (UTC)
From: Eduardo Otubo
To: qemu-devel@nongnu.org
Date: Wed, 27 Mar 2019 13:16:34 +0100
Message-Id: <20190327121634.23952-3-otubo@redhat.com>
In-Reply-To: <20190327121634.23952-1-otubo@redhat.com>
References: <20190327121634.23952-1-otubo@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Wed, 27 Mar 2019 12:16:51 +0000 (UTC)
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 209.132.183.28
Subject: [Qemu-devel] [PULL 2/2] seccomp: report more useful errors from seccomp
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Cc: peter.maydell@linaro.org, Marc-André Lureau
Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org
Sender: "Qemu-devel"
Content-Type: text/plain; charset="utf-8"

From: Daniel P. Berrangé

Most of the seccomp functions return errnos as a negative return value. The code is currently ignoring these and reporting a generic error message for all seccomp failure scenarios, making debugging painful.

Report a more precise error from each failed call and include errno if it is available.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Marc-André Lureau
Signed-off-by: Eduardo Otubo
---
 qemu-seccomp.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index cf520883c7..e0a1829b3d 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -155,20 +155,22 @@ static uint32_t qemu_seccomp_get_action(int set) } =20 =20 -static int seccomp_start(uint32_t seccomp_opts) +static int seccomp_start(uint32_t seccomp_opts, Error **errp) { - int rc =3D 0; + int rc =3D -1; unsigned int i =3D 0; scmp_filter_ctx ctx; =20 ctx =3D seccomp_init(SCMP_ACT_ALLOW); if (ctx =3D=3D NULL) { - rc =3D -1; + error_setg(errp, "failed to initialize seccomp context"); goto seccomp_return; } =20 rc =3D seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1); if (rc !=3D 0) { + error_setg_errno(errp, -rc, + "failed to set seccomp thread synchronization"); goto seccomp_return; } =20 @@ -182,15 +184,21 @@ static int seccomp_start(uint32_t seccomp_opts) rc =3D seccomp_rule_add_array(ctx, action, blacklist[i].num, blacklist[i].narg, blacklist[i].arg_cm= p); if (rc < 0) { + error_setg_errno(errp, -rc, + "failed to add seccomp blacklist rules"); goto seccomp_return; } } =20 rc =3D seccomp_load(ctx); + if (rc < 0) { + error_setg_errno(errp, -rc, + "failed to load seccomp syscall filter in kernel"= ); + } =20 seccomp_return: seccomp_release(ctx); - return rc; + return rc < 0 ? -1 : 0; } =20 #ifdef CONFIG_SECCOMP @@ -260,9 +268,7 @@ int parse_sandbox(void *opaque, QemuOpts *opts, Error *= *errp) } } =20 - if (seccomp_start(seccomp_opts) < 0) { - error_setg(errp, "failed to install seccomp syscall filter " - "in the kernel"); + if (seccomp_start(seccomp_opts, errp) < 0) { return -1; } } --=20 2.17.2
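Review bot: the new message in the rule-add loop, "failed to add seccomp blacklist rules", still does not identify which rule failed, which is the one thing a debugger needs when libseccomp rejects a single entry (typically -EDOM or -EFAULT for an argument comparison the kernel or library does not accept); since the stated aim is more useful errors, include the entry, e.g. `error_setg_errno(errp, -rc, "failed to add seccomp blacklist rule for syscall %d", blacklist[i].num);`. Also note that the `ctx == NULL` path now relies on the changed initialiser `int rc = -1;` to make `return rc < 0 ? -1 : 0;` report failure; a one-line comment on that initialiser would stop a future "tidy-up" back to 0 from turning an allocation failure into silent success.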
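The two ideas of this series together, as an added example that is not part of either patch or of QEMU: a filter that answers sched_setaffinity(2) with EPERM rather than killing the process (PULL 1/2), installed by a function that returns -errno so the caller can report the exact failure (PULL 2/2), and a Mesa-style caller that survives the denial. It assumes Linux and uses the raw prctl()/BPF interface in place of libseccomp (SCMP_ACT_ERRNO(EPERM) becomes SECCOMP_RET_ERRNO | EPERM); install_resourcectl_filter, try_pin_cpu0 and run_demo are the example's own names.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
long syscall(long number, ...);   /* explicit prototype for strict -std=c99 builds */

/* Deny sched_setaffinity(2) with EPERM, allow everything else. Returns 0 or
 * -errno (libseccomp's convention) so the caller can report the exact failure
 * the way error_setg_errno(errp, -rc, ...) does. Raw prctl()/BPF stands in
 * for libseccomp; a production filter would also check seccomp_data.arch. */
int install_resourcectl_filter(void)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_sched_setaffinity, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
    /* NO_NEW_PRIVS lets an unprivileged process load a filter */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) != 0) {
        return -errno;
    }
    return 0;
}

/* Mesa-style caller: try to pin to CPU 0, return the errno seen (0 = ok).
 * Under the filter it is EPERM and the thread survives to fall back. */
int try_pin_cpu0(void)
{
    unsigned long mask = 1UL;  /* CPU 0 only */
    if (syscall(__NR_sched_setaffinity, 0, sizeof(mask), &mask) == 0) {
        return 0;
    }
    return errno;
}

/* Whole scenario: negative install error, else the errno the caller saw. */
int run_demo(void)
{
    int rc = install_resourcectl_filter();
    return rc < 0 ? rc : try_pin_cpu0();
}

/* Exit 0 once the denial is observed rather than the process being killed. */
int main(void) { return run_demo() == EPERM ? 0 : 1; }
```

With a SECCOMP_RET_TRAP or SECCOMP_RET_KILL_PROCESS rule in the same slot, try_pin_cpu0 would never return and the fallback branch could not run, which is exactly the Mesa failure the first patch describes.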