Re: [Qemu-devel] [PATCH v4 4/4] seccomp: set the seccomp filter to all threads

From: Daniel P. Berrangé
Subject: Re: [Qemu-devel] [PATCH v4 4/4] seccomp: set the seccomp filter to all threads
Date: Wed, 22 Aug 2018 18:23:37 +0100
User-agent: Mutt/1.10.1 (2018-07-13)
On Wed, Aug 22, 2018 at 07:02:50PM +0200, Marc-André Lureau wrote:
> When using "-seccomp on", the seccomp policy is only applied to the
> main thread, the vcpu worker thread and other worker threads created
> after seccomp policy is applied; the seccomp policy is not applied to
> e.g. the RCU thread because it is created before the seccomp policy is
> applied and SECCOMP_FILTER_FLAG_TSYNC isn't used.
>
> This can be verified with
> for task in /proc/`pidof qemu`/task/*; do cat $task/status | grep Secc ; done
> Seccomp: 2
> Seccomp: 0
> Seccomp: 0
> Seccomp: 2
> Seccomp: 2
> Seccomp: 2
>
> Starting with libseccomp 2.2.0 and kernel >= 3.17, we can use
> seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1) to update the policy
> on all threads.
>
> libseccomp requirement was bumped to 2.2.0 in previous patch.
> libseccomp should fail to set the filter if it can't honour
> SCMP_FLTATR_CTL_TSYNC (untested), and thus -sandbox will now fail on
> kernel < 3.17.
>
> Signed-off-by: Marc-André Lureau <address@hidden>
> ---
> qemu-seccomp.c | 5 +++++
> 1 file changed, 5 insertions(+)
Reviewed-by: Daniel P. Berrangé <address@hidden>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
- [Qemu-devel] [PATCH v4 0/4] seccomp fixes, Marc-André Lureau, 2018/08/22
- [Qemu-devel] [PATCH v4 1/4] seccomp: use SIGSYS signal instead of killing the thread, Marc-André Lureau, 2018/08/22
- [Qemu-devel] [PATCH v4 2/4] seccomp: prefer SCMP_ACT_KILL_PROCESS if available, Marc-André Lureau, 2018/08/22
- [Qemu-devel] [PATCH v4 4/4] seccomp: set the seccomp filter to all threads, Marc-André Lureau, 2018/08/22
- Re: [Qemu-devel] [PATCH v4 4/4] seccomp: set the seccomp filter to all threads, Daniel P. Berrangé, 2018/08/22 (this message)
- [Qemu-devel] [PATCH v4 3/4] configure: require libseccomp 2.2.0, Marc-André Lureau, 2018/08/22
- Re: [Qemu-devel] [PATCH v4 0/4] seccomp fixes, Eduardo Otubo, 2018/08/23