Эхлэл Бүгдийг харах Тусламж
Бүртгүүлэх Нэвтрэх
FangSoftSoft
/
qemu
-ын хуулбар https://github.com/utmapp/qemu.git
2
0
Салаа 0
Файлууд Асуудлууд 0 Мэдлэгийн сан
Эх сурвалжийг харах

seccomp: report EPERM instead of killing process for spawn set

When something tries to run one of the spawn syscalls (eg clone),
our seccomp deny filter is set to cause a fatal trap which kills
the process.

This is found to be unhelpful when QEMU has loaded the nvidia
GL library. This tries to spawn a process to modprobe the nvidia
kmod. This is a dubious thing to do, but at the same time, the
code will gracefully continue if this fails. Our seccomp filter
rightly blocks the spawning, but prevent the graceful continue.

Switching to reporting EPERM will make QEMU behave more gracefully
without impacting the level of protect we have.

https://gitlab.com/qemu-project/qemu/-/issues/2116
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Daniel P. Berrangé 1 жил өмнө
parent
c62d54d0a8
commit
e79f8b8b2d
1 өөрчлөгдсөн 5 нэмэгдсэн , 5 устгасан
Өөрчлөллтийг нэгтгэж харах Өөрчлөлтийн статистик харах
  1. 5 5
      system/qemu-seccomp.c

+ 5 - 5
system/qemu-seccomp.c
Файл харах 

@@ -74,7 +74,7 @@ const struct scmp_arg_cmp sched_setscheduler_arg[] = {
 
 
 
 #define RULE_CLONE_FLAG(flag) \
 
 #define RULE_CLONE_FLAG(flag) \
 
     { SCMP_SYS(clone),                  QEMU_SECCOMP_SET_SPAWN, \
 
     { SCMP_SYS(clone),                  QEMU_SECCOMP_SET_SPAWN, \
 
-      ARRAY_SIZE(clone_arg ## flag), clone_arg ## flag, SCMP_ACT_TRAP }
 
+      ARRAY_SIZE(clone_arg ## flag), clone_arg ## flag, SCMP_ACT_ERRNO(EPERM) }
 
 
 
 /* If no CLONE_* flags are set, except CSIGNAL, deny */
 
 /* If no CLONE_* flags are set, except CSIGNAL, deny */
 
 const struct scmp_arg_cmp clone_arg_none[] = {
 
 const struct scmp_arg_cmp clone_arg_none[] = {
 
@@ -214,13 +214,13 @@ static const struct QemuSeccompSyscall denylist[] = {
 
       0, NULL, SCMP_ACT_TRAP },
 
       0, NULL, SCMP_ACT_TRAP },
 
     /* spawn */
 
     /* spawn */
 
     { SCMP_SYS(fork),                   QEMU_SECCOMP_SET_SPAWN,
 
     { SCMP_SYS(fork),                   QEMU_SECCOMP_SET_SPAWN,
 
-      0, NULL, SCMP_ACT_TRAP },
 
+      0, NULL, SCMP_ACT_ERRNO(EPERM) },
 
     { SCMP_SYS(vfork),                  QEMU_SECCOMP_SET_SPAWN,
 
     { SCMP_SYS(vfork),                  QEMU_SECCOMP_SET_SPAWN,
 
-      0, NULL, SCMP_ACT_TRAP },
 
+      0, NULL, SCMP_ACT_ERRNO(EPERM) },
 
     { SCMP_SYS(execve),                 QEMU_SECCOMP_SET_SPAWN,
 
     { SCMP_SYS(execve),                 QEMU_SECCOMP_SET_SPAWN,
 
-      0, NULL, SCMP_ACT_TRAP },
 
+      0, NULL, SCMP_ACT_ERRNO(EPERM) },
 
     { SCMP_SYS(clone),                  QEMU_SECCOMP_SET_SPAWN,
 
     { SCMP_SYS(clone),                  QEMU_SECCOMP_SET_SPAWN,
 
-      ARRAY_SIZE(clone_arg_none), clone_arg_none, SCMP_ACT_TRAP },
 
+      ARRAY_SIZE(clone_arg_none), clone_arg_none, SCMP_ACT_ERRNO(EPERM) },
 
     RULE_CLONE_FLAG(CLONE_VM),
 
     RULE_CLONE_FLAG(CLONE_VM),
 
     RULE_CLONE_FLAG(CLONE_FS),
 
     RULE_CLONE_FLAG(CLONE_FS),
 
     RULE_CLONE_FLAG(CLONE_FILES),
 
     RULE_CLONE_FLAG(CLONE_FILES),