Bug 1004175

Summary: '-sandbox on' option causes the qemu-kvm process to hang
Product: Red Hat Enterprise Linux 7
Reporter: FuXiangChun <xfu>
Component: qemu-kvm
Assignee: Paul Moore <pmoore>
Status: CLOSED CURRENTRELEASE
QA Contact: Virtualization Bugs <virt-bugs>
Severity: high
Priority: urgent
Version: 7.0
CC: acathrow, eotubo, hhuang, juzhang, knoel, michen, pmoore, sluo, virt-maint, xfu
Target Milestone: rc
Keywords: TestBlocker
Target Release: ---
Hardware: x86_64
OS: Linux
Fixed In Version: qemu-kvm-1.5.3-10.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 12:50:51 UTC
Type: Bug
Attachments:
  This patch adds times() syscall to the whitelist (flags: none)

Description FuXiangChun 2013-09-04 07:13:03 UTC
Description of problem:
Starting the qemu-kvm process with the option "-sandbox on" causes the qemu-kvm process to hang. This is the status of the qemu-kvm process on the host:

#top -p `pidof qemu-kvm`
PID USER   PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND                                       
 7639 root 20   0       0      0      0 Z   0.0  0.0   0:00.09 qemu-kvm


Version-Release number of selected component (if applicable):
# uname -r
3.10.0-15.el7.x86_64
qemu-kvm-1.5.3-2.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. /usr/libexec/qemu-kvm -monitor stdio -vnc :1 -sandbox on

Actual results:
1. qemu-kvm hangs

2. # ausearch -m SECCOMP
----
time->Wed Sep  4 10:13:24 2013
type=SECCOMP msg=audit(1378260804.512:543): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1927 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7f772903315c code=0x0
----
time->Wed Sep  4 10:22:23 2013
type=SECCOMP msg=audit(1378261343.584:584): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1977 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7fe97b75315c code=0x0
----
time->Wed Sep  4 10:23:20 2013
type=SECCOMP msg=audit(1378261400.252:620): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2037 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7f888525715c code=0x0
----
time->Wed Sep  4 11:31:28 2013
type=SECCOMP msg=audit(1378265488.679:691): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2116 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7f454e1b415c code=0x0
----
time->Wed Sep  4 11:39:13 2013
type=SECCOMP msg=audit(1378265953.838:692): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2182 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7f4faeede15c code=0x0
----
time->Wed Sep  4 14:13:48 2013
type=SECCOMP msg=audit(1378275228.696:895): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=7278 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7fd5ebad415c code=0x0


Expected results:
qemu-kvm works well

Additional info:

Comment 3 Paul Moore 2013-09-04 11:36:58 UTC
I assume this is on x86_64?  If so, it looks like 'times()' is missing from the syscall filter.

 # scmp_sys_resolver -a x86_64 100
 times
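The audit records in the description and the resolution step in comment 3, as an added example that is not part of the bug report or of QEMU: a small Python parser for `type=SECCOMP` audit records that decodes the fields a defender needs (the delivered signal, the filter action in `code=`, the syscall number and which ABI table it belongs to) and summarises which syscall the filter is killing. The records are copied from the description above; the syscall table is deliberately limited to the one number the report resolves (100 = times on x86_64), and the action-code values are the ones defined in the kernel's `include/uapi/linux/seccomp.h`.

```python
"""Decode SECCOMP audit records like those printed by 'ausearch -m SECCOMP'
in this report, and summarise which syscall a seccomp filter is killing."""
import re
from collections import Counter

# The six records from the bug description, copied verbatim (not constructed).
AUDIT_RECORDS = """\
type=SECCOMP msg=audit(1378260804.512:543): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1927 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7f772903315c code=0x0
type=SECCOMP msg=audit(1378261343.584:584): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1977 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7fe97b75315c code=0x0
type=SECCOMP msg=audit(1378261400.252:620): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2037 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7f888525715c code=0x0
type=SECCOMP msg=audit(1378265488.679:691): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2116 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7f454e1b415c code=0x0
type=SECCOMP msg=audit(1378265953.838:692): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2182 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7f4faeede15c code=0x0
type=SECCOMP msg=audit(1378275228.696:895): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=7278 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7fd5ebad415c code=0x0
"""

# seccomp filter actions as they appear in the audit 'code=' field
# (include/uapi/linux/seccomp.h). code=0x0 is the default for a filter miss:
# the thread is killed with SIGSYS, which is what the report shows.
SECCOMP_RET_ACTION_FULL = 0xffff0000
SECCOMP_ACTIONS = {
    0x00000000: "SECCOMP_RET_KILL",          # kill the calling thread
    0x80000000: "SECCOMP_RET_KILL_PROCESS",  # kill the whole process
    0x00030000: "SECCOMP_RET_TRAP",
    0x00050000: "SECCOMP_RET_ERRNO",
    0x7ff00000: "SECCOMP_RET_TRACE",
    0x7ffc0000: "SECCOMP_RET_LOG",
    0x7fff0000: "SECCOMP_RET_ALLOW",
}
# Partial x86_64 table: only the number this report resolves with
# 'scmp_sys_resolver -a x86_64 100'. Other numbers stay numeric.
X86_64_SYSCALLS = {100: "times"}
SIGNALS = {31: "SIGSYS"}

# key=value pairs; values may be quoted (comm="qemu-kvm") or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_seccomp_record(line):
    """Split one 'type=SECCOMP ...' line into decoded fields, or None."""
    raw = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if raw.get("type") != "SECCOMP":
        return None
    nr = int(raw["syscall"])
    # compat=1 means the 32-bit ABI was used; its numbering differs, so the
    # native table must not be applied to it.
    compat = raw.get("compat") == "1"
    arch = "i386-compat" if compat else "x86_64"
    name = None if compat else X86_64_SYSCALLS.get(nr)
    code = int(raw["code"], 16)
    action = SECCOMP_ACTIONS.get(code & SECCOMP_RET_ACTION_FULL, hex(code))
    return {
        "pid": int(raw["pid"]),
        "comm": raw["comm"],
        "arch": arch,
        "syscall_nr": nr,
        "syscall": name or f"syscall#{nr}",
        "signal": SIGNALS.get(int(raw["sig"]), raw["sig"]),
        "action": action,
        "ip": raw["ip"],
    }


def summarize(records_text):
    """Count events per (comm, arch, syscall, action): one entry per filter gap."""
    counts = Counter()
    for line in records_text.splitlines():
        rec = parse_seccomp_record(line)
        if rec:
            counts[(rec["comm"], rec["arch"], rec["syscall"], rec["action"])] += 1
    return counts


if __name__ == "__main__":
    for (comm, arch, syscall, action), n in summarize(AUDIT_RECORDS).items():
        print(f"{comm}: {syscall} on {arch} hit {action} {n} time(s)")
```

Run against the report's records this prints a single line for qemu-kvm, times, x86_64, SECCOMP_RET_KILL, six events: exactly the "missing from the whitelist" finding of comment 3. The `Z` state in the `top` output of the description fits the same picture, since a thread killed by SIGSYS leaves a zombie until its parent reaps it. For any number not in the small table, resolve it the way the comment does, with `scmp_sys_resolver -a <arch> <nr>`.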

Comment 4 Paul Moore 2013-09-04 12:20:22 UTC
I just had an email exchange with the IBM developer who has been doing the bulk of the QEMU/seccomp development and he found the problem with times() just recently and expects to submit a patch upstream today.

Once the patch is accepted upstream I will backport it and submit it internally for RHEL7.

Comment 5 Eduardo Otubo 2013-09-04 12:51:59 UTC
Created attachment 793658 [details]
This patch adds times() syscall to the whitelist

Comment 6 Eduardo Otubo 2013-09-04 12:52:39 UTC
The above patch is also available on the QEMU mailing list:
http://lists.nongnu.org/archive/html/qemu-devel/2013-09/msg00774.html

Comment 7 Paul Moore 2013-09-04 14:12:08 UTC
(In reply to Eduardo Otubo from comment #5)
> Created attachment 793658 [details]

I've just tested this patch and can verify that it solves the problem.

Comment 15 Paul Moore 2013-10-01 20:05:43 UTC
Update: the patch has been pulled into a QEMU sub-tree by the QEMU/seccomp maintainer, currently waiting on the QEMU maintainer to pull from the QEMU/seccomp tree.

Comment 19 Eduardo Otubo 2013-10-11 12:40:14 UTC
The remote branch has been merged and the fix is now available in the main tree - http://git.qemu.org/?p=qemu.git;a=commit;h=88b70e56b969142c88f240434f392b9348600ef5

Comment 20 Paul Moore 2013-10-11 13:41:02 UTC
Thanks for the update Eduardo, but the BZ state should remain in POST.

Comment 21 Miroslav Rezanina 2013-10-17 10:01:21 UTC
Fix included in qemu-kvm-1.5.3-10.el7

Comment 24 FuXiangChun 2013-10-28 01:59:59 UTC
Verified this bug with qemu-kvm-rhev-1.5.3-10.el7.x86_64.

Following the test steps in Comment 0. Result: qemu-kvm and the guest work well.

Comment 25 FuXiangChun 2013-10-28 02:01:53 UTC
Based on the test results of Comment 23 and Comment 24, this bug is fixed.

Comment 27 Ludek Smid 2014-06-13 12:50:51 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.