Red Hat Bugzilla – Attachment 654374 Details for
Bug 855162
QEMU fails to start correctly via libvirt when seccomp/libseccomp sandboxing is enabled
[patch]
qemu patch
0001-seccomp-adding-new-syscalls-bugzilla-855162.patch (text/plain), 8.18 KB, created by
Eduardo Otubo
on 2012-11-29 15:43:47 UTC
Description:
qemu patch
Filename:
MIME Type:
Creator:
Eduardo Otubo
Created:
2012-11-29 15:43:47 UTC
Size:
8.18 KB
patch
obsolete
>From 0047a32d060de95faeaa74040136f1b22b71cbf6 Mon Sep 17 00:00:00 2001
>From: Eduardo Otubo <otubo@linux.vnet.ibm.com>
>Date: Thu, 29 Nov 2012 04:11:53 -0200
>Subject: [PATCHv5] seccomp: adding new syscalls (bugzilla 855162)
>
>[not on qemu-devel yet]
>
>Paul,
>
>I finally found the missing syscall. Please take a look. If it works for you,
>just let me know and I'll send it to the list.
>
>Again, thanks a lot for the help :-)
>
>---
>According to the bug 855162[0] - there's the need of adding new syscalls
>to the whitelist when using Qemu with Libvirt.
>
>[0] - https://bugzilla.redhat.com/show_bug.cgi?id=855162
>
>Reported-by: Paul Moore <pmoore@redhat.com>
>Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
>Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
>---
> qemu-seccomp.c | 156 ++++++++++++++++++++++++++++++++++++++++++++++++++------
> 1 file changed, 139 insertions(+), 17 deletions(-)
>
>diff --git a/qemu-seccomp.c b/qemu-seccomp.c
>index 64329a3..2a71d6f 100644
>--- a/qemu-seccomp.c
>+++ b/qemu-seccomp.c
>@@ -26,8 +26,12 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
> { SCMP_SYS(timer_gettime), 254 },
> { SCMP_SYS(futex), 253 },
> { SCMP_SYS(select), 252 },
>+#if defined(__x86_64__)
> { SCMP_SYS(recvfrom), 251 },
> { SCMP_SYS(sendto), 250 },
>+#elif defined(__i386__)
>+ { SCMP_SYS(socketcall), 250 },
>+#endif
> { SCMP_SYS(read), 249 },
> { SCMP_SYS(brk), 248 },
> { SCMP_SYS(clone), 247 },
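Review bot: The new `#if defined(__x86_64__)` / `#elif defined(__i386__)` pair around `recvfrom` and `sendto` has no `#else`, so on any other architecture these two calls, which were unconditional before, drop out of the whitelist without a build-time signal and would then fall to the filter's default action at run time. The same pattern recurs around `socket` … `semget` in the next hunk and around `getsockname` … `epoll_wait_old` in the last hunk. If only these two targets are meant to be supported, state it in the table itself, for example `#else` followed by `#error "seccomp whitelist is only defined for i386 and x86_64"`. The array initializer starts outside this hunk, so whether an earlier guard already restricts the architecture cannot be seen here.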
>@@ -36,15 +40,30 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
> { SCMP_SYS(execve), 245 },
> { SCMP_SYS(open), 245 },
> { SCMP_SYS(ioctl), 245 },
>+#if defined(__x86_64__)
>+ { SCMP_SYS(socket), 245 },
>+ { SCMP_SYS(setsockopt), 245 },
> { SCMP_SYS(recvmsg), 245 },
> { SCMP_SYS(sendmsg), 245 },
> { SCMP_SYS(accept), 245 },
> { SCMP_SYS(connect), 245 },
>+ { SCMP_SYS(socketpair), 245 },
>+ { SCMP_SYS(bind), 245 },
>+ { SCMP_SYS(listen), 245 },
>+ { SCMP_SYS(semget), 245 },
>+#elif defined(__i386__)
>+ { SCMP_SYS(ipc), 245 },
>+#endif
> { SCMP_SYS(gettimeofday), 245 },
> { SCMP_SYS(readlink), 245 },
> { SCMP_SYS(access), 245 },
> { SCMP_SYS(prctl), 245 },
> { SCMP_SYS(signalfd), 245 },
>+ { SCMP_SYS(getrlimit), 245 },
>+ { SCMP_SYS(set_tid_address), 245 },
>+ { SCMP_SYS(statfs), 245 },
>+ { SCMP_SYS(unlink), 245 },
>+ { SCMP_SYS(wait4), 245 },
> #if defined(__i386__)
> { SCMP_SYS(fcntl64), 245 },
> { SCMP_SYS(fstat64), 245 },
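Review bot: On i386 the `ipc` entry added here, like `socketcall` in the previous hunk, is a multiplexer: one allowed syscall number covers every SysV semaphore, message-queue and shared-memory operation (and every socket operation), so the i386 policy ends up much wider than the x86_64 list of individual calls such as `semget`, `bind` and `listen`. The table as shown holds only a syscall and a number, so it does not look able to narrow these by their first argument. Record that this is a known gap rather than an oversight with a comment above each entry, e.g. `/* i386: ipc multiplexes all SysV IPC calls; cannot be restricted by syscall number alone */`.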
>@@ -56,30 +75,33 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
> { SCMP_SYS(sigreturn), 245 },
> { SCMP_SYS(_newselect), 245 },
> { SCMP_SYS(_llseek), 245 },
>- { SCMP_SYS(mmap2), 245},
>+ { SCMP_SYS(mmap2), 245 },
> { SCMP_SYS(sigprocmask), 245 },
>-#elif defined(__x86_64__)
>- { SCMP_SYS(sched_getparam), 245},
>- { SCMP_SYS(sched_getscheduler), 245},
>- { SCMP_SYS(fstat), 245},
>- { SCMP_SYS(clock_getres), 245},
>- { SCMP_SYS(sched_get_priority_min), 245},
>- { SCMP_SYS(sched_get_priority_max), 245},
>- { SCMP_SYS(stat), 245},
>- { SCMP_SYS(socket), 245},
>- { SCMP_SYS(setsockopt), 245},
>- { SCMP_SYS(uname), 245},
>- { SCMP_SYS(semget), 245},
> #endif
>+ { SCMP_SYS(sched_getparam), 245 },
>+ { SCMP_SYS(sched_getscheduler), 245 },
>+ { SCMP_SYS(fstat), 245 },
>+ { SCMP_SYS(clock_getres), 245 },
>+ { SCMP_SYS(sched_get_priority_min), 245 },
>+ { SCMP_SYS(sched_get_priority_max), 245 },
>+ { SCMP_SYS(stat), 245 },
>+ { SCMP_SYS(uname), 245 },
> { SCMP_SYS(eventfd2), 245 },
> { SCMP_SYS(dup), 245 },
>+ { SCMP_SYS(dup2), 245 },
>+ { SCMP_SYS(dup3), 245 },
> { SCMP_SYS(gettid), 245 },
>+ { SCMP_SYS(getgid), 245 },
>+ { SCMP_SYS(getegid), 245 },
>+ { SCMP_SYS(getuid), 245 },
>+ { SCMP_SYS(geteuid), 245 },
> { SCMP_SYS(timer_create), 245 },
> { SCMP_SYS(exit), 245 },
> { SCMP_SYS(clock_gettime), 245 },
> { SCMP_SYS(time), 245 },
> { SCMP_SYS(restart_syscall), 245 },
> { SCMP_SYS(pwrite64), 245 },
>+ { SCMP_SYS(nanosleep), 245 },
> { SCMP_SYS(chown), 245 },
> { SCMP_SYS(openat), 245 },
> { SCMP_SYS(getdents), 245 },
>@@ -93,8 +115,6 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
> { SCMP_SYS(lseek), 245 },
> { SCMP_SYS(pselect6), 245 },
> { SCMP_SYS(fork), 245 },
>- { SCMP_SYS(bind), 245 },
>- { SCMP_SYS(listen), 245 },
> { SCMP_SYS(eventfd), 245 },
> { SCMP_SYS(rt_sigprocmask), 245 },
> { SCMP_SYS(write), 244 },
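Review bot: Removing `#elif defined(__x86_64__)` in the first hunk on this line makes `sched_getparam` … `uname` unconditional, which widens the i386 policy as a side effect that the commit message does not mention. The policy change is also interleaved with pure whitespace fixes (`245}` to `245 },`), which makes the moved and re-added entries hard to audit line by line. I would put the spacing cleanup in its own commit and add a line to the description such as `i386 now also allows stat, fstat, uname and the sched_get* calls`, so a reviewer of the sandbox policy sees each architecture's delta directly.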
>@@ -104,10 +124,112 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
> { SCMP_SYS(pipe2), 242 },
> { SCMP_SYS(munmap), 242 },
> { SCMP_SYS(mremap), 242 },
>+ { SCMP_SYS(fdatasync), 242 },
>+ { SCMP_SYS(close), 242 },
>+ { SCMP_SYS(rt_sigpending), 242 },
>+ { SCMP_SYS(rt_sigtimedwait), 242 },
>+ { SCMP_SYS(readv), 242 },
>+ { SCMP_SYS(writev), 242 },
>+ { SCMP_SYS(preadv), 242 },
>+ { SCMP_SYS(pwritev), 242 },
>+ { SCMP_SYS(setrlimit), 242 },
>+ { SCMP_SYS(ftruncate), 242 },
>+ { SCMP_SYS(lstat), 242 },
>+ { SCMP_SYS(pipe), 242 },
>+ { SCMP_SYS(umask), 242 },
>+ { SCMP_SYS(chdir), 242 },
>+ { SCMP_SYS(setitimer), 242 },
>+ { SCMP_SYS(setsid), 242 },
>+ { SCMP_SYS(poll), 242 },
>+ { SCMP_SYS(epoll_create), 242 },
>+ { SCMP_SYS(epoll_ctl), 242 },
>+ { SCMP_SYS(epoll_wait), 242 },
>+#if defined(__i386__)
>+ { SCMP_SYS(waitpid), 242 },
>+#elif defined(__x86_64__)
> { SCMP_SYS(getsockname), 242 },
> { SCMP_SYS(getpeername), 242 },
>- { SCMP_SYS(fdatasync), 242 },
>- { SCMP_SYS(close), 242 }
>+ { SCMP_SYS(accept4), 242 },
>+ { SCMP_SYS(newfstatat), 241 },
>+ { SCMP_SYS(shutdown), 241 },
>+ { SCMP_SYS(getsockopt), 241 },
>+ { SCMP_SYS(semctl), 241 },
>+ { SCMP_SYS(semop), 241 },
>+ { SCMP_SYS(semtimedop), 241 },
>+ { SCMP_SYS(epoll_ctl_old), 241 },
>+ { SCMP_SYS(epoll_wait_old), 241 },
>+#endif
>+ { SCMP_SYS(epoll_pwait), 241 },
>+ { SCMP_SYS(epoll_create1), 241 },
>+ { SCMP_SYS(ppoll), 241 },
>+ { SCMP_SYS(creat), 241 },
>+ { SCMP_SYS(link), 241 },
>+ { SCMP_SYS(getpid), 241 },
>+ { SCMP_SYS(getppid), 241 },
>+ { SCMP_SYS(getpgrp), 241 },
>+ { SCMP_SYS(getpgid), 241 },
>+ { SCMP_SYS(getsid), 241 },
>+ { SCMP_SYS(getdents64), 241 },
>+ { SCMP_SYS(getresuid), 241 },
>+ { SCMP_SYS(getresgid), 241 },
>+ { SCMP_SYS(getgroups), 241 },
>+#if defined(__i386__)
>+ { SCMP_SYS(getresuid32), 241 },
>+ { SCMP_SYS(getresgid32), 241 },
>+ { SCMP_SYS(getgroups32), 241 },
>+ { SCMP_SYS(signal), 241 },
>+ { SCMP_SYS(sigaction), 241 },
>+ { SCMP_SYS(sigsuspend), 241 },
>+ { SCMP_SYS(sigpending), 241 },
>+ { SCMP_SYS(truncate64), 241 },
>+ { SCMP_SYS(ftruncate64), 241 },
>+ { SCMP_SYS(fchown32), 241 },
>+ { SCMP_SYS(chown32), 241 },
>+ { SCMP_SYS(lchown32), 241 },
>+ { SCMP_SYS(statfs64), 241 },
>+ { SCMP_SYS(fstatfs64), 241 },
>+ { SCMP_SYS(fstatat64), 241 },
>+ { SCMP_SYS(lstat64), 241 },
>+ { SCMP_SYS(sendfile64), 241 },
>+ { SCMP_SYS(ugetrlimit), 241 },
>+#endif
>+ { SCMP_SYS(alarm), 241 },
>+ { SCMP_SYS(rt_sigsuspend), 241 },
>+ { SCMP_SYS(rt_sigqueueinfo), 241 },
>+ { SCMP_SYS(rt_tgsigqueueinfo), 241 },
>+ { SCMP_SYS(sigaltstack), 241 },
>+ { SCMP_SYS(signalfd4), 241 },
>+ { SCMP_SYS(truncate), 241 },
>+ { SCMP_SYS(fchown), 241 },
>+ { SCMP_SYS(lchown), 241 },
>+ { SCMP_SYS(fchownat), 241 },
>+ { SCMP_SYS(fstatfs), 241 },
>+ { SCMP_SYS(sendfile), 241 },
>+ { SCMP_SYS(getitimer), 241 },
>+ { SCMP_SYS(syncfs), 241 },
>+ { SCMP_SYS(fsync), 241 },
>+ { SCMP_SYS(fchdir), 241 },
>+ { SCMP_SYS(flock), 241 },
>+ { SCMP_SYS(msync), 241 },
>+ { SCMP_SYS(sched_setparam), 241 },
>+ { SCMP_SYS(sched_setscheduler), 241 },
>+ { SCMP_SYS(sched_yield), 241 },
>+ { SCMP_SYS(sched_rr_get_interval), 241 },
>+ { SCMP_SYS(sched_setaffinity), 241 },
>+ { SCMP_SYS(sched_getaffinity), 241 },
>+ { SCMP_SYS(readahead), 241 },
>+ { SCMP_SYS(timer_getoverrun), 241 },
>+ { SCMP_SYS(unlinkat), 241 },
>+ { SCMP_SYS(readlinkat), 241 },
>+ { SCMP_SYS(faccessat), 241 },
>+ { SCMP_SYS(get_robust_list), 241 },
>+ { SCMP_SYS(splice), 241 },
>+ { SCMP_SYS(vmsplice), 241 },
>+ { SCMP_SYS(getcpu), 241 },
>+ { SCMP_SYS(sendmmsg), 241 },
>+ { SCMP_SYS(recvmmsg), 241 },
>+ { SCMP_SYS(prlimit64), 241 },
>+ { SCMP_SYS(waitid), 241 }
> };
>
> int seccomp_start(void)
>--
>1.7.10.4
>
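Review bot: None of the roughly ninety entries added to the tail of `seccomp_whitelist[]` says which QEMU or libvirt code path needs it, and the commit message speaks of one missing syscall without naming it. The additions include calls that change state outside the process (`creat`, `link`, `unlinkat`, `truncate`, `fchownat`, `setrlimit`, `prlimit64`, `sched_setscheduler`, `rt_sigqueueinfo`, `vmsplice`), next to `execve`, `fork` and `clone`, which the other hunks show as already allowed, so the filter's remaining value is hard to judge from the table. I would group the entries under short comments stating the feature that issues them and name the call that actually fixed bug 855162, so unneeded ones can be dropped later. The second field also steps from 242 to 241 at `newfstatat` with no stated reason; a comment on the struct or the table such as `/* second field: presumably the libseccomp priority hint, higher = checked earlier (confirm) */` would help. The body of `seccomp_start` lies outside this hunk.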