[Qemu-devel] [PULL 00/02] seccomp: adding new syscalls to the whitelist

[Qemu-devel] [PULL 00/02] seccomp: adding new syscalls to the whitelist

[Eduardo Otubo]

The following changes since commit 750036a848ea913ba6343718ffa70da98f7eef6b:

  Merge remote-tracking branch 'remotes/afaerber/tags/prep-for-upstream' into staging (2014-03-12 17:53:37 +0000)

are available in the git repository at:

  git://github.com/otubo/qemu.git seccomp

Felix Geyer (1):
      seccomp: add timerfd_create and timerfd_settime to the whitelist

Paul Moore (1):
      seccomp: add shmctl(), mlock(), and munlock() to the syscall whitelist

 qemu-seccomp.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

[Qemu-devel] [PULL 01/02] seccomp: add timerfd_create and timerfd_settime to the whitelist

[Eduardo Otubo]

From: Felix Geyer <debfx@fobos.de>

libusb calls timerfd_create() and timerfd_settime() when it's built with
timerfd support.

Command to reproduce:

       -device usb-host,hostbus=1,hostaddr=3,id=hostdev0

Log messages:

audit(1390730418.924:135): auid=4294967295 uid=121 gid=103 ses=4294967295
                           pid=5232 comm="qemu-system-x86" sig=31 syscall=283
                           compat=0 ip=0x7f2b0f4e96a7 code=0x0
audit(1390733100.580:142): auid=4294967295 uid=121 gid=103 ses=4294967295
                           pid=16909 comm="qemu-system-x86" sig=31 syscall=286
                           compat=0 ip=0x7f03513a06da code=0x0

Reading a few hundred MB from a USB drive on x86_64 shows this syscall distribution.
Therefore the timerfd_settime priority is set to 242.

    calls  syscall
 --------- ----------------
   5303600 write
   2240554 read
   2167030 ppoll
   2134828 ioctl
    704023 timerfd_settime
    689105 poll
     83122 futex
       803 writev
       476 rt_sigprocmask
       287 recvmsg
       178 brk

Signed-off-by: Felix Geyer <debfx@fobos.de>
Acked-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
---
 qemu-seccomp.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index caa926e..46554bd 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -143,6 +143,7 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(getsockname), 242 },
     { SCMP_SYS(getpeername), 242 },
     { SCMP_SYS(accept4), 242 },
+    { SCMP_SYS(timerfd_settime), 242 },
     { SCMP_SYS(newfstatat), 241 },
     { SCMP_SYS(shutdown), 241 },
     { SCMP_SYS(getsockopt), 241 },
@@ -225,7 +226,8 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(fchmod), 240 },
     { SCMP_SYS(shmget), 240 },
     { SCMP_SYS(shmat), 240 },
-    { SCMP_SYS(shmdt), 240 }
+    { SCMP_SYS(shmdt), 240 },
+    { SCMP_SYS(timerfd_create), 240 }
 };
 
 int seccomp_start(void)
-- 
1.7.1

[Qemu-devel] [PULL 02/02] seccomp: add shmctl(), mlock(), and munlock() to the syscall whitelist

[Eduardo Otubo]

From: Paul Moore <pmoore@redhat.com>

Additional testing reveals that PulseAudio requires shmctl() and the
mlock()/munlock() syscalls on some systems/configurations.  As before,
on systems that do require these syscalls, the problem can be seen with
the following command line:

  # qemu -monitor stdio  -sandbox on \
         -device intel-hda -device hda-duplex

Signed-off-by: Paul Moore <pmoore@redhat.com>
Acked-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
---
 qemu-seccomp.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 46554bd..ea8094d 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -227,7 +227,10 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(shmget), 240 },
     { SCMP_SYS(shmat), 240 },
     { SCMP_SYS(shmdt), 240 },
-    { SCMP_SYS(timerfd_create), 240 }
+    { SCMP_SYS(timerfd_create), 240 },
+    { SCMP_SYS(shmctl), 240 },
+    { SCMP_SYS(mlock), 240 },
+    { SCMP_SYS(munlock), 240 }
 };
 
 int seccomp_start(void)
-- 
1.7.1

Re: [Qemu-devel] [PULL 00/02] seccomp: adding new syscalls to the whitelist

[Paul Moore]

On Thursday, March 13, 2014 10:42:42 AM Eduardo Otubo wrote:
> The following changes since commit 750036a848ea913ba6343718ffa70da98f7eef6b:
> 
>   Merge remote-tracking branch 'remotes/afaerber/tags/prep-for-upstream'
> into staging (2014-03-12 17:53:37 +0000)
> 
> are available in the git repository at:
> 
>   git://github.com/otubo/qemu.git seccomp
> 
> Felix Geyer (1):
>       seccomp: add timerfd_create and timerfd_settime to the whitelist
> 
> Paul Moore (1):
>       seccomp: add shmctl(), mlock(), and munlock() to the syscall whitelist
> 
>  qemu-seccomp.c |    7 ++++++-
>  1 files changed, 6 insertions(+), 1 deletions(-)

Notice this still hasn't made it upstream and thought I would check to see 
where things stood ...

-- 
paul moore
security and virtualization @ redhat

Re: [Qemu-devel] [PULL 00/02] seccomp: adding new syscalls to the whitelist

[Eduardo Otubo]

On 03/24/2014 03:13 PM, Paul Moore wrote:
> On Thursday, March 13, 2014 10:42:42 AM Eduardo Otubo wrote:
>> The following changes since commit 750036a848ea913ba6343718ffa70da98f7eef6b:
>>
>>    Merge remote-tracking branch 'remotes/afaerber/tags/prep-for-upstream'
>> into staging (2014-03-12 17:53:37 +0000)
>>
>> are available in the git repository at:
>>
>>    git://github.com/otubo/qemu.git seccomp
>>
>> Felix Geyer (1):
>>        seccomp: add timerfd_create and timerfd_settime to the whitelist
>>
>> Paul Moore (1):
>>        seccomp: add shmctl(), mlock(), and munlock() to the syscall whitelist
>>
>>   qemu-seccomp.c |    7 ++++++-
>>   1 files changed, 6 insertions(+), 1 deletions(-)
>
> Notice this still hasn't made it upstream and thought I would check to see
> where things stood ...
>

Not sure why it didn't get upstream yet.
Anthony, Peter, could you take a closer look at this?

Thanks!

-- 
Eduardo Otubo
IBM Linux Technology Center

Re: [Qemu-devel] [PULL 00/02] seccomp: adding new syscalls to the whitelist

[Paolo Bonzini]

Il 01/04/2014 15:06, Eduardo Otubo ha scritto:
>
> On 03/24/2014 03:13 PM, Paul Moore wrote:
>> On Thursday, March 13, 2014 10:42:42 AM Eduardo Otubo wrote:
>>> The following changes since commit
>>> 750036a848ea913ba6343718ffa70da98f7eef6b:
>>>
>>>    Merge remote-tracking branch
>>> 'remotes/afaerber/tags/prep-for-upstream'
>>> into staging (2014-03-12 17:53:37 +0000)
>>>
>>> are available in the git repository at:
>>>
>>>    git://github.com/otubo/qemu.git seccomp
>>>
>>> Felix Geyer (1):
>>>        seccomp: add timerfd_create and timerfd_settime to the whitelist
>>>
>>> Paul Moore (1):
>>>        seccomp: add shmctl(), mlock(), and munlock() to the syscall
>>> whitelist
>>>
>>>   qemu-seccomp.c |    7 ++++++-
>>>   1 files changed, 6 insertions(+), 1 deletions(-)
>>
>> Notice this still hasn't made it upstream and thought I would check to
>> see
>> where things stood ...
>>
>
> Not sure why it didn't get upstream yet.
> Anthony, Peter, could you take a closer look at this?

Peter filters on "for you to fetch changes up to" and your git didn't 
include it. :)

Paolo

Re: [Qemu-devel] [PULL 00/02] seccomp: adding new syscalls to the whitelist

[Peter Maydell]

On 2 April 2014 16:53, Paolo Bonzini <pbonzini@redhat.com> wrote:
> Il 01/04/2014 15:06, Eduardo Otubo ha scritto:
>> Not sure why it didn't get upstream yet.
>> Anthony, Peter, could you take a closer look at this?
>
>
> Peter filters on "for you to fetch changes up to" and your git didn't
> include it. :)

Yes. Also the commits don't have your signed-off-by:
so I can't apply it.

thanks
-- PMM