From nobody Tue Nov 26 14:47:52 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1706720850; cv=none; d=zohomail.com; s=zohoarc; b=TgjAIElgsiRGx0xoOCUUxuJZCY0Ssjs7ysO/jiMoR0TjI55/TTIxEMK1R96yxVSAzB9zkgU28wVSaZNZdUJv64GMHkOSR71+4jBsqWzTxgGfPgmV/cjY7OQGx4Mr1WuhsBTI9zOgfDd3RM77MBv2rdA9ZIVFqLD1YUvly/wMmes= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1706720850; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=aq6T9UXAVyqK1byg+KwEREIyiGaZqbP7rHjz9BdyE+s=; b=TO8PQ69d1nDfBisQnNAhYB0FcsMnjCICgFyyDj6NHNV53s0V80R2DYlDyzsYHF4RrkcrP7p6fwLsQVj4u9pqLz4yqDrYAVrybOu5dZQfi3L19rgppfAwaAdEVBZCByUS33KCZZNLm2V7G6T0dTIb15Jsp7pvqmpT7uzAO4fROqA= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1706720850285830.2891407649894; Wed, 31 Jan 2024 09:07:30 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rVE2M-0008J7-L9; Wed, 31 Jan 2024 12:06:10 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rVE2L-0008Ij-5p for qemu-devel@nongnu.org; Wed, 31 Jan 2024 12:06:09 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rVE2I-0002qM-UK for qemu-devel@nongnu.org; Wed, 31 Jan 2024 12:06:08 -0500 Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-404-fAnFltN7O2WiuUQTs5qVWQ-1; Wed, 31 Jan 2024 12:06:04 -0500 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id E6260887122 for ; Wed, 31 Jan 2024 17:06:03 +0000 (UTC) Received: from toolbox.redhat.com (unknown [10.42.28.72]) by smtp.corp.redhat.com (Postfix) with ESMTP id 7EB972166B31; Wed, 31 Jan 2024 17:06:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1706720765; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=aq6T9UXAVyqK1byg+KwEREIyiGaZqbP7rHjz9BdyE+s=; b=JDIGKEGu8pvR5DCP366Mmr+1Ch04RYxtYDZ9m0N0EVk6Sv0bp2gOGba9tqK1/d4VcHUSNj pRhwDJlCgw9MFcH/dWFb666HFCICQll7VZ3J/gxVDDydKRye94Znij6Ci53RssAV3RElMU ZUDZh+yk8WPwbcHi8rIq94jMJgLF6G0= X-MC-Unique: fAnFltN7O2WiuUQTs5qVWQ-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Cc: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Subject: [PATCH] seccomp: report EPERM instead of killing process for spawn set Date: Wed, 31 Jan 2024 17:06:02 +0000 Message-ID: <20240131170602.1642689-1-berrange@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.6 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=berrange@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -33 X-Spam_score: -3.4 X-Spam_bar: --- X-Spam_report: (-3.4 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.292, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1706720851534100003 When something tries to run one of the spawn syscalls (eg clone), our seccomp deny filter is set to cause a fatal trap which kills the process. This is found to be unhelpful when QEMU has loaded the nvidia GL library. This tries to spawn a process to modprobe the nvidia kmod. This is a dubious thing to do, but at the same time, the code will gracefully continue if this fails. Our seccomp filter rightly blocks the spawning, but prevent the graceful continue. Switching to reporting EPERM will make QEMU behave more gracefully without impacting the level of protect we have. https://gitlab.com/qemu-project/qemu/-/issues/2116 Signed-off-by: Daniel P. Berrang=C3=A9 --- system/qemu-seccomp.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/system/qemu-seccomp.c b/system/qemu-seccomp.c index 4d7439e7f7..98ffce075c 100644 --- a/system/qemu-seccomp.c +++ b/system/qemu-seccomp.c @@ -74,7 +74,7 @@ const struct scmp_arg_cmp sched_setscheduler_arg[] =3D { =20 #define RULE_CLONE_FLAG(flag) \ { SCMP_SYS(clone), QEMU_SECCOMP_SET_SPAWN, \ - ARRAY_SIZE(clone_arg ## flag), clone_arg ## flag, SCMP_ACT_TRAP } + ARRAY_SIZE(clone_arg ## flag), clone_arg ## flag, SCMP_ACT_ERRNO(EPE= RM) } =20 /* If no CLONE_* flags are set, except CSIGNAL, deny */ const struct scmp_arg_cmp clone_arg_none[] =3D { @@ -214,13 +214,13 @@ static const struct QemuSeccompSyscall denylist[] =3D= { 0, NULL, SCMP_ACT_TRAP }, /* spawn */ { SCMP_SYS(fork), QEMU_SECCOMP_SET_SPAWN, - 0, NULL, SCMP_ACT_TRAP }, + 0, NULL, SCMP_ACT_ERRNO(EPERM) }, { SCMP_SYS(vfork), QEMU_SECCOMP_SET_SPAWN, - 0, NULL, SCMP_ACT_TRAP }, + 0, NULL, SCMP_ACT_ERRNO(EPERM) }, { SCMP_SYS(execve), QEMU_SECCOMP_SET_SPAWN, - 0, NULL, SCMP_ACT_TRAP }, + 0, NULL, SCMP_ACT_ERRNO(EPERM) }, { SCMP_SYS(clone), QEMU_SECCOMP_SET_SPAWN, - ARRAY_SIZE(clone_arg_none), clone_arg_none, SCMP_ACT_TRAP }, + ARRAY_SIZE(clone_arg_none), clone_arg_none, SCMP_ACT_ERRNO(EPERM) }, RULE_CLONE_FLAG(CLONE_VM), RULE_CLONE_FLAG(CLONE_FS), RULE_CLONE_FLAG(CLONE_FILES), --=20 2.43.0