[Qemu-commits] [qemu/qemu] 6f2231: seccomp: use SIGSYS signal instead of


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] 6f2231: seccomp: use SIGSYS signal instead of killing the ...
Date: Sat, 25 Aug 2018 05:50:36 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 6f2231e9b0931e1998d9ed0c509adf7aedc02db2
      https://github.com/qemu/qemu/commit/6f2231e9b0931e1998d9ed0c509adf7aedc02db2
  Author: Marc-André Lureau <address@hidden>
  Date:   2018-08-23 (Thu, 23 Aug 2018)

  Changed paths:
    M qemu-seccomp.c

  Log Message:
  -----------
  seccomp: use SIGSYS signal instead of killing the thread

The seccomp action SCMP_ACT_KILL results in immediate termination of
the thread that made the bad system call. However, qemu being
multi-threaded, it keeps running. There is no easy way for parent
process / management layer (libvirt) to know about that situation.

Instead, the default SIGSYS handler when invoked with SCMP_ACT_TRAP
will terminate the program and core dump.

This may not be the most secure solution, but probably better than
just killing the offending thread. SCMP_ACT_KILL_PROCESS has been
added in Linux 4.14 to improve the situation, which I propose to use
by default if available in the next patch.

Related to:
https://bugzilla.redhat.com/show_bug.cgi?id=1594456

Signed-off-by: Marc-André Lureau <address@hidden>
Reviewed-by: Daniel P. Berrangé <address@hidden>
Acked-by: Eduardo Otubo <address@hidden>


  Commit: bda08a5764d470f101fa38635d30b41179a313e1
      https://github.com/qemu/qemu/commit/bda08a5764d470f101fa38635d30b41179a313e1
  Author: Marc-André Lureau <address@hidden>
  Date:   2018-08-23 (Thu, 23 Aug 2018)

  Changed paths:
    M qemu-seccomp.c

  Log Message:
  -----------
  seccomp: prefer SCMP_ACT_KILL_PROCESS if available

The upcoming libseccomp release should have SCMP_ACT_KILL_PROCESS
action (https://github.com/seccomp/libseccomp/issues/96).

SCMP_ACT_KILL_PROCESS is preferable to immediately terminate the
offending process, rather than having the SIGSYS handler running.

Use SECCOMP_GET_ACTION_AVAIL to check availability of kernel support,
as libseccomp will fall back on SCMP_ACT_KILL otherwise, and we still
prefer SCMP_ACT_TRAP.

Signed-off-by: Marc-André Lureau <address@hidden>
Reviewed-by: Daniel P. Berrangé <address@hidden>
Acked-by: Eduardo Otubo <address@hidden>


  Commit: d0699bd37c48067cffbd80383172efc29da6d2f9
      https://github.com/qemu/qemu/commit/d0699bd37c48067cffbd80383172efc29da6d2f9
  Author: Marc-André Lureau <address@hidden>
  Date:   2018-08-23 (Thu, 23 Aug 2018)

  Changed paths:
    M configure

  Log Message:
  -----------
  configure: require libseccomp 2.2.0

The following patch is going to require TSYNC, which is only available
since libseccomp 2.2.0.

libseccomp 2.2.0 was released February 12, 2015.

According to repology, libseccomp version in different distros:

  RHEL-7: 2.3.1
  Debian (Stretch): 2.3.1
  OpenSUSE Leap 15: 2.3.2
  Ubuntu (Xenial):  2.3.1

This will drop support for -sandbox on:

  Debian (Jessie): 2.1.1 (but 2.2.3 in backports)

Signed-off-by: Marc-André Lureau <address@hidden>
Acked-by: Eduardo Otubo <address@hidden>


  Commit: 70dfabeaa79ba4d7a3b699abe1a047c8012db114
      https://github.com/qemu/qemu/commit/70dfabeaa79ba4d7a3b699abe1a047c8012db114
  Author: Marc-André Lureau <address@hidden>
  Date:   2018-08-23 (Thu, 23 Aug 2018)

  Changed paths:
    M qemu-seccomp.c

  Log Message:
  -----------
  seccomp: set the seccomp filter to all threads

When using "-seccomp on", the seccomp policy is only applied to the
main thread, the vcpu worker thread and other worker threads created
after seccomp policy is applied; the seccomp policy is not applied to
e.g. the RCU thread because it is created before the seccomp policy is
applied and SECCOMP_FILTER_FLAG_TSYNC isn't used.

This can be verified with
for task in /proc/`pidof qemu`/task/*; do cat $task/status | grep Secc ; done
Seccomp:        2
Seccomp:        0
Seccomp:        0
Seccomp:        2
Seccomp:        2
Seccomp:        2

Starting with libseccomp 2.2.0 and kernel >= 3.17, we can use
seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1) to update the policy
on all threads.

libseccomp requirement was bumped to 2.2.0 in previous patch.
libseccomp should fail to set the filter if it can't honour
SCMP_FLTATR_CTL_TSYNC (untested), and thus -sandbox will now fail on
kernel < 3.17.

Signed-off-by: Marc-André Lureau <address@hidden>
Acked-by: Eduardo Otubo <address@hidden>


  Commit: 235c82acca0491465e94be3cae2583b42d37c859
      https://github.com/qemu/qemu/commit/235c82acca0491465e94be3cae2583b42d37c859
  Author: Peter Maydell <address@hidden>
  Date:   2018-08-25 (Sat, 25 Aug 2018)

  Changed paths:
    M configure
    M qemu-seccomp.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/otubo/tags/pull-seccomp-20180823' into staging

pull-seccomp-20180823

# gpg: Signature made Thu 23 Aug 2018 15:46:13 BST
# gpg:                using RSA key DF32E7C0F0FFF9A2
# gpg: Good signature from "Eduardo Otubo (Senior Software Engineer) <address@hidden>"
# Primary key fingerprint: D67E 1B50 9374 86B4 0723  DBAB DF32 E7C0 F0FF F9A2

* remotes/otubo/tags/pull-seccomp-20180823:
  seccomp: set the seccomp filter to all threads
  configure: require libseccomp 2.2.0
  seccomp: prefer SCMP_ACT_KILL_PROCESS if available
  seccomp: use SIGSYS signal instead of killing the thread

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/17182bb47fe6...235c82acca04
      **NOTE:** This service has been marked for deprecation: 
https://developer.github.com/changes/2018-04-25-github-services-deprecation/

      Functionality will be removed from GitHub.com on January 31st, 2019.
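
The per-thread check quoted in the "seccomp: set the seccomp filter to all threads" log message, generalised into a reusable audit. This is an added example, not part of the original email or of QEMU's code. The function names, the sample TIDs and the thread names are constructed; only the six mode values (2 0 0 2 2 2) come from the commit message.

```shell
#!/usr/bin/env bash
# Added example. Seccomp field in /proc/<pid>/task/<tid>/status:
# 0 = disabled, 1 = strict, 2 = filter.
# seccomp_audit TASK_DIR  (a /proc/<pid>/task directory or a copy of one)
# Prints "tid mode name" per thread. Returns 0 if every thread is in
# filter mode, 1 if any is not, 2 if TASK_DIR is missing.
seccomp_audit() {
    local task_dir="$1" status tid name mode rc=0
    [ -d "$task_dir" ] || { echo "no task dir: $task_dir" >&2; return 2; }
    for status in "$task_dir"/*/status; do
        [ -r "$status" ] || continue    # thread exited, or empty glob
        tid=${status%/status}; tid=${tid##*/}
        # Thread names may contain spaces, so the name is printed last.
        name=$(sed -n 's/^Name:[[:space:]]*//p' "$status")
        mode=$(awk '$1 == "Seccomp:" { print $2; exit }' "$status")
        mode=${mode:-absent}            # no CONFIG_SECCOMP: field missing
        printf '%s %s %s\n' "$tid" "$mode" "$name"
        [ "$mode" = 2 ] || rc=1
    done
    return "$rc"
}

# unfiltered_tids TASK_DIR: only the TIDs that are not in filter mode.
unfiltered_tids() {
    seccomp_audit "$1" | awk '$2 != 2 { print $1 }' | sort -n | xargs
}

# make_sample: constructed task tree reproducing the six modes quoted in
# the commit message (2 0 0 2 2 2); TIDs and thread names are invented.
make_sample() {
    local dir tid mode name
    dir=$(mktemp -d) || return 1
    while read -r tid mode name; do
        mkdir "$dir/$tid"
        printf 'Name:\t%s\nSeccomp:\t%s\n' "$name" "$mode" > "$dir/$tid/status"
    done <<'EOF'
4100 2 qemu-system-x86
4101 0 worker-a
4102 0 worker-b
4103 2 worker-c
4104 2 CPU 0/KVM
4105 2 worker-d
EOF
    echo "$dir"
}

sample=$(make_sample)
seccomp_audit "$sample" || echo "unfiltered threads: $(unfiltered_tids "$sample")"
rm -rf "$sample"
```

Against a live process, pass its task directory, for example `seccomp_audit /proc/<pid>/task`; a non-zero return is suitable for use as a monitoring check.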
