* [Qemu-devel] seccomp missing calls in 2.7.0?
From: Brian Rak @ 2016-09-06 15:27 UTC (permalink / raw)
To: qemu-devel
I've been testing out 2.7.0 with seccomp support. Whenever I connect to
the VNC console, the process gets killed by the kernel. dmesg shows:
audit: type=1326 audit(1473175350.674:2): auid=0 uid=107 gid=107
ses=423110 pid=32202 comm="qemu-kvm" exe="/bin/qemu-system-x86_64"
sig=31 arch=c000003e syscall=98 compat=0 ip=0x7f2beba83477 code=0x0
syscall 98 appears to be getrusage, which does not appear in qemu-seccomp.c.
Is seccomp a supported feature these days? I'm guessing it does not get
a whole lot of use.
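The by-hand triage in the message above (audit record, then syscall name, then a check against the whitelist), as an added example that is not part of the original thread or of QEMU. The function names and the short syscall table are constructed for illustration; the whitelist set holds only the entries visible in the thread's diff context.

```python
import re

# Audit arch word = ELF machine number | flag bits (see linux/audit.h).
ARCH_64BIT = 0x80000000
EM_NAMES = {0x03: "i386", 0x3E: "x86_64", 0xB7: "aarch64"}
SIGSYS_LINUX = 31  # signal delivered when a seccomp filter kills the process

# Constructed excerpt of the x86_64 syscall table; a real tool would load the
# full table for the decoded architecture (for example from ausyscall --dump).
X86_64_SYSCALLS = {87: "unlink", 97: "getrlimit", 98: "getrusage",
                   137: "statfs", 157: "prctl", 218: "set_tid_address",
                   282: "signalfd"}

# Whitelist entries visible in the thread's diff context, before the patch.
WHITELIST = {"prctl", "signalfd", "getrlimit", "set_tid_address",
             "statfs", "unlink"}

# The record from the first message, joined onto one line.
RECORD = ('audit: type=1326 audit(1473175350.674:2): auid=0 uid=107 gid=107 '
          'ses=423110 pid=32202 comm="qemu-kvm" exe="/bin/qemu-system-x86_64" '
          'sig=31 arch=c000003e syscall=98 compat=0 ip=0x7f2beba83477 code=0x0')


def parse_seccomp_record(line):
    """Return the key=value fields of a type=1326 (SECCOMP) audit record."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    if fields.get("type") != "1326":
        raise ValueError("not a SECCOMP audit record")
    return {k: v.strip('"') for k, v in fields.items()}


def triage(line, whitelist=WHITELIST):
    """Name the denied syscall and say whether the whitelist covers it."""
    f = parse_seccomp_record(line)
    arch = int(f["arch"], 16)  # the kernel prints arch as bare hex
    machine = EM_NAMES.get(arch & 0xFFFF, "unknown")
    if machine != "x86_64" or not arch & ARCH_64BIT:
        raise ValueError("the table here only covers 64-bit x86_64")
    nr = int(f["syscall"])  # syscall is printed in decimal
    name = X86_64_SYSCALLS.get(nr, "syscall_%d" % nr)
    return {"comm": f["comm"], "arch": machine, "syscall": name,
            "sigsys": int(f["sig"]) == SIGSYS_LINUX,
            "whitelisted": name in whitelist}


if __name__ == "__main__":
    print(triage(RECORD))
```
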
* Re: [Qemu-devel] seccomp missing calls in 2.7.0?
From: Eduardo Otubo @ 2016-09-06 16:43 UTC (permalink / raw)
To: Brian Rak, qemu-devel
This feature is enabled by default in virt-test/avocado and yes lots of
people use it.
Please send a patch and I'll merge it.
On Tue, Sep 6, 2016, 18:41 Brian Rak <brak@gameservers.com> wrote:
> I've been testing out 2.7.0 with seccomp support. Whenever I connect to
> the VNC console, the process gets killed by the kernel. dmesg shows:
>
> audit: type=1326 audit(1473175350.674:2): auid=0 uid=107 gid=107
> ses=423110 pid=32202 comm="qemu-kvm" exe="/bin/qemu-system-x86_64"
> sig=31 arch=c000003e syscall=98 compat=0 ip=0x7f2beba83477 code=0x0
>
> syscall 98 appears to be getrusage, which does not appear in
> qemu-seccomp.c.
>
> Is seccomp a supported feature these days? I'm guessing it does not get
> a whole lot of use.
>
>
>
* Re: [Qemu-devel] seccomp missing calls in 2.7.0?
From: Brian Rak @ 2016-09-07 19:55 UTC (permalink / raw)
To: Eduardo Otubo, qemu-devel
--- src_clean/qemu-seccomp.c 2016-09-02 11:34:22.000000000 -0400
+++ src/qemu-seccomp.c 2016-09-06 11:28:23.189162653 -0400
@@ -65,6 +65,7 @@
{ SCMP_SYS(prctl), 245 },
{ SCMP_SYS(signalfd), 245 },
{ SCMP_SYS(getrlimit), 245 },
+ { SCMP_SYS(getrusage), 245 },
{ SCMP_SYS(set_tid_address), 245 },
{ SCMP_SYS(statfs), 245 },
{ SCMP_SYS(unlink), 245 },
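Review bot: the added `{ SCMP_SYS(getrusage), 245 },` line comes with no description at all, and the `src_clean/` versus `src/` file headers with a bare `@@ -65,6 +65,7 @@` show the diff was taken between two directory copies rather than from git, so nothing records which code path issues the call. Resend it from the repository with a message that names the caller and quotes the audit record (`sig=31 ... syscall=98`), so the reason for widening the whitelist stays with the change.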
On 9/6/2016 12:43 PM, Eduardo Otubo wrote:
>
> This feature is enabled by default in virt-test/avocado and yes lots
> of people use it.
>
> Please send a patch and I'll merge it.
>
>
> On Tue, Sep 6, 2016, 18:41 Brian Rak <brak@gameservers.com> wrote:
>
> I've been testing out 2.7.0 with seccomp support. Whenever I
> connect to
> the VNC console, the process gets killed by the kernel. dmesg shows:
>
> audit: type=1326 audit(1473175350.674:2): auid=0 uid=107 gid=107
> ses=423110 pid=32202 comm="qemu-kvm" exe="/bin/qemu-system-x86_64"
> sig=31 arch=c000003e syscall=98 compat=0 ip=0x7f2beba83477 code=0x0
>
> syscall 98 appears to be getrusage, which does not appear in
> qemu-seccomp.c.
>
> Is seccomp a supported feature these days? I'm guessing it does
> not get
> a whole lot of use.
>
>
* Re: [Qemu-devel] seccomp missing calls in 2.7.0?
From: Eduardo Otubo @ 2016-09-13 8:12 UTC (permalink / raw)
To: Brian Rak; +Cc: qemu-devel
On Wed, Sep 7, 2016 at 9:55 PM, Brian Rak <brak@gameservers.com> wrote:
> --- src_clean/qemu-seccomp.c 2016-09-02 11:34:22.000000000 -0400
> +++ src/qemu-seccomp.c 2016-09-06 11:28:23.189162653 -0400
> @@ -65,6 +65,7 @@
> { SCMP_SYS(prctl), 245 },
> { SCMP_SYS(signalfd), 245 },
> { SCMP_SYS(getrlimit), 245 },
> + { SCMP_SYS(getrusage), 245 },
> { SCMP_SYS(set_tid_address), 245 },
> { SCMP_SYS(statfs), 245 },
> { SCMP_SYS(unlink), 245 },
Hi,
Care to send a proper commit message, stating the use case, issues, etc?
Thanks,
>
>
> On 9/6/2016 12:43 PM, Eduardo Otubo wrote:
>
> This feature is enabled by default in virt-test/avocado and yes lots of
> people use it.
>
> Please send a patch and I'll merge it.
>
>
> On Tue, Sep 6, 2016, 18:41 Brian Rak <brak@gameservers.com> wrote:
>>
>> I've been testing out 2.7.0 with seccomp support. Whenever I connect to
>> the VNC console, the process gets killed by the kernel. dmesg shows:
>>
>> audit: type=1326 audit(1473175350.674:2): auid=0 uid=107 gid=107
>> ses=423110 pid=32202 comm="qemu-kvm" exe="/bin/qemu-system-x86_64"
>> sig=31 arch=c000003e syscall=98 compat=0 ip=0x7f2beba83477 code=0x0
>>
>> syscall 98 appears to be getrusage, which does not appear in
>> qemu-seccomp.c.
>>
>> Is seccomp a supported feature these days? I'm guessing it does not get
>> a whole lot of use.
>>
>>
>
--
Eduardo Otubo
ProfitBricks
* Re: [Qemu-devel] seccomp missing calls in 2.7.0?
From: Brian Rak @ 2016-09-13 19:17 UTC (permalink / raw)
To: Eduardo Otubo; +Cc: qemu-devel
getrusage is used in a number of places throughout the qemu codebase
(notably, in crypto/pbkdf.c).
Without this syscall being whitelisted, qemu ends up getting killed by
the kernel whenever you try to connect to a VNC console.
---
qemu-seccomp.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index cb569dc..df75d9c 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -65,6 +65,7 @@ static const struct QemuSeccompSyscall
seccomp_whitelist[] = {
{ SCMP_SYS(prctl), 245 },
{ SCMP_SYS(signalfd), 245 },
{ SCMP_SYS(getrlimit), 245 },
+ { SCMP_SYS(getrusage), 245 },
{ SCMP_SYS(set_tid_address), 245 },
{ SCMP_SYS(statfs), 245 },
{ SCMP_SYS(unlink), 245 },
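Review bot: the new `{ SCMP_SYS(getrusage), 245 },` entry has nothing beside it tying it to its caller, and the commit message says "a number of places" while naming only crypto/pbkdf.c. Since every whitelist entry widens what the sandboxed process may ask of the kernel, list the callers that were actually hit (or state that the VNC connection path is the only one observed) and include the syscall number from the audit record, so a later audit of seccomp_whitelist[] can tell why this line exists. The value 245 matches the neighbouring entries; say in the message whether that was chosen deliberately or copied.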
--
2.8.2
On 9/13/2016 4:12 AM, Eduardo Otubo wrote:
> On Wed, Sep 7, 2016 at 9:55 PM, Brian Rak <brak@gameservers.com> wrote:
>> --- src_clean/qemu-seccomp.c 2016-09-02 11:34:22.000000000 -0400
>> +++ src/qemu-seccomp.c 2016-09-06 11:28:23.189162653 -0400
>> @@ -65,6 +65,7 @@
>> { SCMP_SYS(prctl), 245 },
>> { SCMP_SYS(signalfd), 245 },
>> { SCMP_SYS(getrlimit), 245 },
>> + { SCMP_SYS(getrusage), 245 },
>> { SCMP_SYS(set_tid_address), 245 },
>> { SCMP_SYS(statfs), 245 },
>> { SCMP_SYS(unlink), 245 },
> Hi,
>
> Care to send a proper commit message, stating the use case, issues, etc?
>
> Thanks,
>
>>
>> On 9/6/2016 12:43 PM, Eduardo Otubo wrote:
>>
>> This feature is enabled by default in virt-test/avocado and yes lots of
>> people use it.
>>
>> Please send a patch and I'll merge it.
>>
>>
>> On Tue, Sep 6, 2016, 18:41 Brian Rak <brak@gameservers.com> wrote:
>>> I've been testing out 2.7.0 with seccomp support. Whenever I connect to
>>> the VNC console, the process gets killed by the kernel. dmesg shows:
>>>
>>> audit: type=1326 audit(1473175350.674:2): auid=0 uid=107 gid=107
>>> ses=423110 pid=32202 comm="qemu-kvm" exe="/bin/qemu-system-x86_64"
>>> sig=31 arch=c000003e syscall=98 compat=0 ip=0x7f2beba83477 code=0x0
>>>
>>> syscall 98 appears to be getrusage, which does not appear in
>>> qemu-seccomp.c.
>>>
>>> Is seccomp a supported feature these days? I'm guessing it does not get
>>> a whole lot of use.
>>>
>>>
>
>
* Re: [Qemu-devel] seccomp missing calls in 2.7.0?
From: Markus Armbruster @ 2016-09-19 9:45 UTC (permalink / raw)
To: Brian Rak; +Cc: Eduardo Otubo, qemu-devel
Brian Rak <brak@gameservers.com> writes:
> getrusage is used in a number of places throughout the qemu codebase
> (notably, in crypto/pbkdf.c).
> Without this syscall being whitelisted, qemu ends up getting killed by
> the kernel whenever you
> try to connect to a VNC console.
The body of the commit message now looks good to me, but the headline is
still off. It should be something like "seccomp: Add getrusage() to
whitelist".
Perhaps Eduardo is willing to touch it up on commit. If not, you need
to resend your patch as a top-level message (not in reply to anything)
with the subject fixed. Please consider using git-send-email. Thanks!
http://wiki.qemu.org/Contribute/SubmitAPatch#Submitting_your_Patches
* Re: [Qemu-devel] seccomp missing calls in 2.7.0?
From: Eduardo Otubo @ 2016-09-19 9:47 UTC (permalink / raw)
To: Markus Armbruster; +Cc: Brian Rak, qemu-devel
On Mon, Sep 19, 2016 at 11:45:47AM +0200, Markus Armbruster wrote:
> Brian Rak <brak@gameservers.com> writes:
>
> > getrusage is used in a number of places throughout the qemu codebase
> > (notably, in crypto/pbkdf.c).
> > Without this syscall being whitelisted, qemu ends up getting killed by
> > the kernel whenever you
> > try to connect to a VNC console.
>
> The body of the commit message now looks good to me, but the headline is
> still off. It should be something like "seccomp: Add getrusage() to
> whitelist".
>
> Perhaps Eduardo is willing to touch it up on commit. If not, you need
> to resend your patch as a top-level message (not in reply to anything)
> with the subject fixed. Please consider using git-send-email. Thanks!
>
> http://wiki.qemu.org/Contribute/SubmitAPatch#Submitting_your_Patches
Yep, that's not a problem now. I'll fix that. But yeah, please stick to
the guidelines next time :)
Regards,
--
Eduardo Otubo
ProfitBricks GmbH