* [Qemu-devel] [PULL 00/02] seccomp: adding new syscalls to the whitelist
@ 2014-03-13 13:42 Eduardo Otubo
From: Eduardo Otubo @ 2014-03-13 13:42 UTC
To: qemu-devel; +Cc: pmoore, debfx, Eduardo Otubo
The following changes since commit 750036a848ea913ba6343718ffa70da98f7eef6b:
Merge remote-tracking branch 'remotes/afaerber/tags/prep-for-upstream' into staging (2014-03-12 17:53:37 +0000)
are available in the git repository at:
git://github.com/otubo/qemu.git seccomp
Felix Geyer (1):
seccomp: add timerfd_create and timerfd_settime to the whitelist
Paul Moore (1):
seccomp: add shmctl(), mlock(), and munlock() to the syscall whitelist
qemu-seccomp.c | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletions(-)
* [Qemu-devel] [PULL 01/02] seccomp: add timerfd_create and timerfd_settime to the whitelist
From: Eduardo Otubo @ 2014-03-13 13:42 UTC
To: qemu-devel; +Cc: pmoore, debfx
From: Felix Geyer <debfx@fobos.de>
libusb calls timerfd_create() and timerfd_settime() when it's built with
timerfd support.
Command to reproduce:
-device usb-host,hostbus=1,hostaddr=3,id=hostdev0
Log messages:
audit(1390730418.924:135): auid=4294967295 uid=121 gid=103 ses=4294967295
pid=5232 comm="qemu-system-x86" sig=31 syscall=283
compat=0 ip=0x7f2b0f4e96a7 code=0x0
audit(1390733100.580:142): auid=4294967295 uid=121 gid=103 ses=4294967295
pid=16909 comm="qemu-system-x86" sig=31 syscall=286
compat=0 ip=0x7f03513a06da code=0x0
Reading a few hundred MB from a USB drive on x86_64 shows this syscall distribution.
Therefore the timerfd_settime priority is set to 242.
calls syscall
--------- ----------------
5303600 write
2240554 read
2167030 ppoll
2134828 ioctl
704023 timerfd_settime
689105 poll
83122 futex
803 writev
476 rt_sigprocmask
287 recvmsg
178 brk
Signed-off-by: Felix Geyer <debfx@fobos.de>
Acked-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
---
qemu-seccomp.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index caa926e..46554bd 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -143,6 +143,7 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
{ SCMP_SYS(getsockname), 242 },
{ SCMP_SYS(getpeername), 242 },
{ SCMP_SYS(accept4), 242 },
+ { SCMP_SYS(timerfd_settime), 242 },
{ SCMP_SYS(newfstatat), 241 },
{ SCMP_SYS(shutdown), 241 },
{ SCMP_SYS(getsockopt), 241 },
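Review bot: the 242 for timerfd_settime is justified in the commit message by call counts (704023, just above poll at 689105), yet the entry is slotted into the getsockname/getpeername/accept4 group and poll's own entry is not in this hunk; check poll's priority elsewhere in the table and, if it differs, either place timerfd_settime next to poll or say in the message why a timer rearm should rank with the socket-accept calls, so the number is not read as arbitrary the next time the list is reordered.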
@@ -225,7 +226,8 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
{ SCMP_SYS(fchmod), 240 },
{ SCMP_SYS(shmget), 240 },
{ SCMP_SYS(shmat), 240 },
- { SCMP_SYS(shmdt), 240 }
+ { SCMP_SYS(shmdt), 240 },
+ { SCMP_SYS(timerfd_create), 240 }
};
int seccomp_start(void)
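Review bot: the `- { SCMP_SYS(shmdt), 240 }` / `+ { SCMP_SYS(shmdt), 240 },` pair is churn caused by the table having no trailing comma after its last initializer; C accepts one, so writing the new last line as `{ SCMP_SYS(timerfd_create), 240 },` would let every later addition touch only the lines it adds (the follow-up patch in this series has to redo exactly this edit on this line). timerfd_create at the default 240 while timerfd_settime gets 242 is defensible, since a timerfd is created once and rearmed per timeout, but both syscalls appear in the audit lines quoted in the message, so one sentence giving that as the reason for the split would help.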
--
1.7.1
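An added example, not QEMU's code and not part of this thread, of what a table like the one in qemu-seccomp.c turns into once libseccomp compiles it: a kill-by-default whitelist as classic BPF, with the arch check first and the allowed syscalls tested in descending priority order, so a hot syscall costs fewer filter instructions per invocation than a cold one. The filter is built and then evaluated by a small in-process interpreter against a constructed struct seccomp_data, so nothing is installed with prctl(). The numbers 283 and 286 are the x86_64 values from the two audit lines above (timerfd_create and timerfd_settime); write/read/ioctl/poll use their real x86_64 numbers but made-up priorities, and the tables wl_before and wl_after are constructed for the example, not copied from QEMU.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#define NR_TIMERFD_CREATE_X86_64  283   /* syscall=283 in the first audit line */
#define NR_TIMERFD_SETTIME_X86_64 286   /* syscall=286 in the second audit line */
#define MAX_ENTRIES 64
#define N_ENTRIES(a) (sizeof (a) / sizeof (a)[0])
#define EMIT(insn) (prog[k++] = (struct sock_filter) insn)
struct whitelist_entry { int nr; int priority; };

/* Constructed tables in the style of qemu-seccomp.c.  The timerfd entries carry
 * the priorities from PATCH 01/02; write/read/ioctl/poll use their real x86_64
 * numbers (1/0/16/7) but illustrative priorities, not QEMU's. */
static const struct whitelist_entry wl_before[] = {
    { 1, 254 }, { 0, 253 }, { 16, 244 }, { 7, 241 },
};
static const struct whitelist_entry wl_after[] = {
    { 1, 254 }, { 0, 253 }, { 16, 244 }, { 7, 241 },
    { NR_TIMERFD_SETTIME_X86_64, 242 }, { NR_TIMERFD_CREATE_X86_64, 240 },
};

/* Compile the table to cBPF: arch check, one JEQ per allowed syscall in descending
 * priority order (as libseccomp orders them), then KILL.  Returns the instruction
 * count, or -1 if the program would not fit in prog[]. */
static int build_filter(struct sock_filter *prog, size_t max,
                        const struct whitelist_entry *wl, size_t n)
{
    struct whitelist_entry sorted[MAX_ENTRIES];
    size_t i, j, k = 0;

    if (n > MAX_ENTRIES || n + 6 > max)
        return -1;
    memcpy(sorted, wl, n * sizeof *wl);
    for (i = 1; i < n; i++) {                   /* insertion sort, hottest first */
        struct whitelist_entry e = sorted[i];
        for (j = i; j > 0 && sorted[j - 1].priority < e.priority; j--)
            sorted[j] = sorted[j - 1];
        sorted[j] = e;
    }
    EMIT(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)));
    EMIT(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0));
    EMIT(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL));      /* foreign ABI: kill */
    EMIT(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)));
    for (i = 0; i < n; i++)             /* on match, skip the remaining tests to ALLOW */
        EMIT(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)sorted[i].nr,
                      (uint8_t)(n - i), 0));
    EMIT(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL));      /* default: SIGSYS */
    EMIT(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
    return (int)k;
}

/* Interpreter for the three opcodes emitted above.  Returns the SECCOMP_RET_*
 * verdict; *steps receives how many instructions ran, the per-syscall cost the
 * priority column exists to keep low for hot syscalls. */
static uint32_t run_filter(const struct sock_filter *prog, int len,
                           const struct seccomp_data *sd, int *steps)
{
    uint32_t acc = 0;
    int pc = 0, n = 0;

    while (pc < len) {
        const struct sock_filter *in = &prog[pc++];
        n++;
        if (in->code == (BPF_LD | BPF_W | BPF_ABS))       /* k is an offset we emitted */
            memcpy(&acc, (const char *)sd + in->k, sizeof acc);
        else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += acc == in->k ? in->jt : in->jf;
        else if (in->code == (BPF_RET | BPF_K)) {
            if (steps) *steps = n;
            return in->k;
        } else
            break;                                  /* opcode we never emit */
    }
    if (steps) *steps = n;
    return SECCOMP_RET_KILL;                        /* fail closed */
}

/* Verdict for syscall nr made under arch, given whitelist wl. */
static uint32_t decide(const struct whitelist_entry *wl, size_t n,
                       uint32_t arch, int nr, int *steps)
{
    struct sock_filter prog[MAX_ENTRIES + 6];
    struct seccomp_data sd = { .nr = nr, .arch = arch };
    int len = build_filter(prog, N_ENTRIES(prog), wl, n);

    return len < 0 ? SECCOMP_RET_KILL : run_filter(prog, len, &sd, steps);
}

/* Instructions executed before the verdict: the cost of one such syscall. */
static int cost(const struct whitelist_entry *wl, size_t n, uint32_t arch, int nr)
{
    int steps = 0;
    decide(wl, n, arch, nr, &steps);
    return steps;
}
```

Under wl_before, syscall 283 falls through every JEQ to the default KILL, which is the SIGSYS (sig=31) the audit lines record; under wl_after it is allowed, but only after all six tests, whereas write, the hottest entry, is allowed after the fourth instruction. A call made under a different ABI (AUDIT_ARCH_I386 with compat=1, say) is killed after the arch check regardless of its number. Compile on Linux with gcc; the linux/*.h headers supply the BPF macros and the SECCOMP_RET_* and AUDIT_ARCH_* constants.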
* [Qemu-devel] [PULL 02/02] seccomp: add shmctl(), mlock(), and munlock() to the syscall whitelist
From: Eduardo Otubo @ 2014-03-13 13:42 UTC
To: qemu-devel; +Cc: pmoore, debfx
From: Paul Moore <pmoore@redhat.com>
Additional testing reveals that PulseAudio requires shmctl() and the
mlock()/munlock() syscalls on some systems/configurations. As before,
on systems that do require these syscalls, the problem can be seen with
the following command line:
# qemu -monitor stdio -sandbox on \
-device intel-hda -device hda-duplex
Signed-off-by: Paul Moore <pmoore@redhat.com>
Acked-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
---
qemu-seccomp.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 46554bd..ea8094d 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -227,7 +227,10 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
{ SCMP_SYS(shmget), 240 },
{ SCMP_SYS(shmat), 240 },
{ SCMP_SYS(shmdt), 240 },
- { SCMP_SYS(timerfd_create), 240 }
+ { SCMP_SYS(timerfd_create), 240 },
+ { SCMP_SYS(shmctl), 240 },
+ { SCMP_SYS(mlock), 240 },
+ { SCMP_SYS(munlock), 240 }
};
int seccomp_start(void)
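Review bot: mlock() and munlock() go in with no argument restriction, consistent with the rest of the table, but the commit message should say what that gives an attacker who gets code execution inside the sandboxed QEMU: the ability to pin memory, bounded for an unprivileged process only by RLIMIT_MEMLOCK, so deployments relying on -sandbox on should keep that limit sized for the guest rather than unlimited. The trailing-comma churn from the previous patch repeats here (`- { SCMP_SYS(timerfd_create), 240 }` becoming `+ { SCMP_SYS(timerfd_create), 240 },`); ending the table with `{ SCMP_SYS(munlock), 240 },` stops the next addition from doing it again. "on some systems/configurations" would also be more useful with the PulseAudio version or setting that needed these calls.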
--
1.7.1
* Re: [Qemu-devel] [PULL 00/02] seccomp: adding new syscalls to the whitelist
From: Paul Moore @ 2014-03-24 18:13 UTC
To: qemu-devel; +Cc: debfx, Eduardo Otubo
On Thursday, March 13, 2014 10:42:42 AM Eduardo Otubo wrote:
> The following changes since commit 750036a848ea913ba6343718ffa70da98f7eef6b:
>
> Merge remote-tracking branch 'remotes/afaerber/tags/prep-for-upstream'
> into staging (2014-03-12 17:53:37 +0000)
>
> are available in the git repository at:
>
> git://github.com/otubo/qemu.git seccomp
>
> Felix Geyer (1):
> seccomp: add timerfd_create and timerfd_settime to the whitelist
>
> Paul Moore (1):
> seccomp: add shmctl(), mlock(), and munlock() to the syscall whitelist
>
> qemu-seccomp.c | 7 ++++++-
> 1 files changed, 6 insertions(+), 1 deletions(-)
Noticed this still hasn't made it upstream and thought I would check to see
where things stood ...
--
paul moore
security and virtualization @ redhat
* Re: [Qemu-devel] [PULL 00/02] seccomp: adding new syscalls to the whitelist
From: Eduardo Otubo @ 2014-04-01 13:06 UTC
To: Paul Moore, qemu-devel; +Cc: Peter Maydell, debfx, Anthony Liguori
On 03/24/2014 03:13 PM, Paul Moore wrote:
> On Thursday, March 13, 2014 10:42:42 AM Eduardo Otubo wrote:
>> The following changes since commit 750036a848ea913ba6343718ffa70da98f7eef6b:
>>
>> Merge remote-tracking branch 'remotes/afaerber/tags/prep-for-upstream'
>> into staging (2014-03-12 17:53:37 +0000)
>>
>> are available in the git repository at:
>>
>> git://github.com/otubo/qemu.git seccomp
>>
>> Felix Geyer (1):
>> seccomp: add timerfd_create and timerfd_settime to the whitelist
>>
>> Paul Moore (1):
>> seccomp: add shmctl(), mlock(), and munlock() to the syscall whitelist
>>
>> qemu-seccomp.c | 7 ++++++-
>> 1 files changed, 6 insertions(+), 1 deletions(-)
>
> Notice this still hasn't made it upstream and thought I would check to see
> where things stood ...
>
Not sure why it didn't get upstream yet.
Anthony, Peter, could you take a closer look at this?
Thanks!
--
Eduardo Otubo
IBM Linux Technology Center
* Re: [Qemu-devel] [PULL 00/02] seccomp: adding new syscalls to the whitelist
From: Paolo Bonzini @ 2014-04-02 15:53 UTC
To: Eduardo Otubo, Paul Moore, qemu-devel
Cc: Peter Maydell, debfx, Anthony Liguori
On 01/04/2014 15:06, Eduardo Otubo wrote:
>
> On 03/24/2014 03:13 PM, Paul Moore wrote:
>> On Thursday, March 13, 2014 10:42:42 AM Eduardo Otubo wrote:
>>> The following changes since commit
>>> 750036a848ea913ba6343718ffa70da98f7eef6b:
>>>
>>> Merge remote-tracking branch
>>> 'remotes/afaerber/tags/prep-for-upstream'
>>> into staging (2014-03-12 17:53:37 +0000)
>>>
>>> are available in the git repository at:
>>>
>>> git://github.com/otubo/qemu.git seccomp
>>>
>>> Felix Geyer (1):
>>> seccomp: add timerfd_create and timerfd_settime to the whitelist
>>>
>>> Paul Moore (1):
>>> seccomp: add shmctl(), mlock(), and munlock() to the syscall
>>> whitelist
>>>
>>> qemu-seccomp.c | 7 ++++++-
>>> 1 files changed, 6 insertions(+), 1 deletions(-)
>>
>> Notice this still hasn't made it upstream and thought I would check to
>> see
>> where things stood ...
>>
>
> Not sure why it didn't get upstream yet.
> Anthony, Peter, could you take a closer look at this?
Peter filters on "for you to fetch changes up to" and your git didn't
include it. :)
Paolo
* Re: [Qemu-devel] [PULL 00/02] seccomp: adding new syscalls to the whitelist
From: Peter Maydell @ 2014-04-03 11:14 UTC
To: Paolo Bonzini
Cc: Paul Moore, debfx, qemu-devel, Anthony Liguori, Eduardo Otubo
On 2 April 2014 16:53, Paolo Bonzini <pbonzini@redhat.com> wrote:
> On 01/04/2014 15:06, Eduardo Otubo wrote:
>> Not sure why it didn't get upstream yet.
>> Anthony, Peter, could you take a closer look at this?
>
>
> Peter filters on "for you to fetch changes up to" and your git didn't
> include it. :)
Yes. Also the commits don't have your signed-off-by:
so I can't apply it.
thanks
-- PMM