Commit 12f067cc authored by Peter Maydell's avatar Peter Maydell
Browse files

Merge remote-tracking branch 'remotes/otubo/tags/pull-seccomp-20190327' into staging 



pull-seccomp-20190327

# gpg: Signature made Wed 27 Mar 2019 12:12:39 GMT
# gpg:                using RSA key DF32E7C0F0FFF9A2
# gpg: Good signature from "Eduardo Otubo (Senior Software Engineer) <otubo@redhat.com>" [full]
# Primary key fingerprint: D67E 1B50 9374 86B4 0723  DBAB DF32 E7C0 F0FF F9A2

* remotes/otubo/tags/pull-seccomp-20190327:
  seccomp: report more useful errors from seccomp
  seccomp: don't kill process for resource control syscalls

Signed-off-by: default avatarPeter Maydell <peter.maydell@linaro.org>
parents 84bdc58c 035121d2

qemu-seccomp.c

+38 −14
Original line number Diff line number Diff line
@@ -121,58 +121,84 @@ qemu_seccomp(unsigned int operation, unsigned int flags, void *args) 
#endif

}



static uint32_t qemu_seccomp_get_kill_action(void)

static uint32_t qemu_seccomp_get_action(int set)

{

    switch (set) {

    case QEMU_SECCOMP_SET_DEFAULT:

    case QEMU_SECCOMP_SET_OBSOLETE:

    case QEMU_SECCOMP_SET_PRIVILEGED:

    case QEMU_SECCOMP_SET_SPAWN: {

#if defined(SECCOMP_GET_ACTION_AVAIL) && defined(SCMP_ACT_KILL_PROCESS) && \

    defined(SECCOMP_RET_KILL_PROCESS)

    {

        static int kill_process = -1;

        if (kill_process == -1) {

            uint32_t action = SECCOMP_RET_KILL_PROCESS;



            if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) {

            return SCMP_ACT_KILL_PROCESS;

                kill_process = 1;

            }

            kill_process = 0;

        }

        if (kill_process == 1) {

            return SCMP_ACT_KILL_PROCESS;

        }

#endif



        return SCMP_ACT_TRAP;

    }



    case QEMU_SECCOMP_SET_RESOURCECTL:

        return SCMP_ACT_ERRNO(EPERM);



static int seccomp_start(uint32_t seccomp_opts)

    default:

        g_assert_not_reached();

    }

}





static int seccomp_start(uint32_t seccomp_opts, Error **errp)

{

    int rc = 0;

    int rc = -1;

    unsigned int i = 0;

    scmp_filter_ctx ctx;

    uint32_t action = qemu_seccomp_get_kill_action();



    ctx = seccomp_init(SCMP_ACT_ALLOW);

    if (ctx == NULL) {

        rc = -1;

        error_setg(errp, "failed to initialize seccomp context");

        goto seccomp_return;

    }



    rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);

    if (rc != 0) {

        error_setg_errno(errp, -rc,

                         "failed to set seccomp thread synchronization");

        goto seccomp_return;

    }



    for (i = 0; i < ARRAY_SIZE(blacklist); i++) {

        uint32_t action;

        if (!(seccomp_opts & blacklist[i].set)) {

            continue;

        }



        action = qemu_seccomp_get_action(blacklist[i].set);

        rc = seccomp_rule_add_array(ctx, action, blacklist[i].num,

                                    blacklist[i].narg, blacklist[i].arg_cmp);

        if (rc < 0) {

            error_setg_errno(errp, -rc,

                             "failed to add seccomp blacklist rules");

            goto seccomp_return;

        }

    }



    rc = seccomp_load(ctx);

    if (rc < 0) {

        error_setg_errno(errp, -rc,

                         "failed to load seccomp syscall filter in kernel");

    }



  seccomp_return:

    seccomp_release(ctx);

    return rc;

    return rc < 0 ? -1 : 0;

}



#ifdef CONFIG_SECCOMP
@@ -242,9 +268,7 @@ int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp) 
            }

        }



        if (seccomp_start(seccomp_opts) < 0) {

            error_setg(errp, "failed to install seccomp syscall filter "

                       "in the kernel");

        if (seccomp_start(seccomp_opts, errp) < 0) {

            return -1;

        }

    }