Bug 1752376
| Summary: | qemu use SCMP_ACT_TRAP even SCMP_ACT_KILL_PROCESS is available | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux Advanced Virtualization | Reporter: | Luyao Huang <lhuang> | |
| Component: | qemu-kvm | Assignee: | Eduardo Otubo <eterrell> | |
| qemu-kvm sub component: | General | QA Contact: | yduan | |
| Status: | CLOSED ERRATA | Docs Contact: | ||
| Severity: | medium | |||
| Priority: | medium | CC: | berrange, coli, ddepaula, jinzhao, juzhang, ribarry, virt-maint, yduan | |
| Version: | 8.1 | Keywords: | Triaged | |
| Target Milestone: | rc | Flags: | knoel:
mirror+
|
|
| Target Release: | --- | |||
| Hardware: | x86_64 | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | qemu-kvm-5.1.0-8.module+el8.3.0+8141+3cd9cd43 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1880546 (view as bug list) | Environment: | ||
| Last Closed: | 2020-11-17 17:45:34 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1880546 | |||
QEMU has been recently split into sub-components and as a one-time operation to avoid breakage of tools, we are setting the QEMU sub-component of this BZ to "General". Please review and change the sub-component if necessary the next time you review this BZ. Thanks Dan - looks like your commit 9a1565a03b made this alteration in logic - perhaps an else {} should have been used...
Can we get a qa_ack+ please? Reproduced with qemu-kvm-5.1.0-7.module+el8.3.0+8099+dba2fe3e.x86_64 and verified with qemu-kvm-5.1.0-8.module+el8.3.0+8141+3cd9cd43.x86_64. The test step is described in comment 0. commit e474e3aacf4276eb0781d11c45e2fab996f9dc56 diff --git a/qemu-seccomp.c b/qemu-seccomp.c index e0a1829b3d..8325ecb766 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -136,8 +136,9 @@ static uint32_t qemu_seccomp_get_action(int set) if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) { kill_process = 1; + } else { + kill_process = 0; } - kill_process = 0; } if (kill_process == 1) { return SCMP_ACT_KILL_PROCESS; Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (virt:8.3 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:5137 |
Description of problem: qemu use SCMP_ACT_TRAP even SCMP_ACT_KILL_PROCESS is available Version-Release number of selected component (if applicable): qemu-kvm-4.1.0-9.module+el8.1.0+4210+23b2046a.x86_64 How reproducible: 100% Steps to Reproduce: 1. use gdb to start a guest which enable seccomp and set breakpoint at qemu_seccomp_get_action: # gdb /usr/libexec/qemu-kvm .... (gdb) br qemu_seccomp_get_action Breakpoint 1 at 0x4502d4: file qemu-seccomp.c, line 171. (gdb) r -sandbox on,obsolete=deny 2. check the qemu_seccomp_get_action return and qemu_seccomp return step by step 3. Actual results: qemu use SCMP_ACT_TRAP even SCMP_ACT_KILL_PROCESS is available Expected results: qemu prefer SCMP_ACT_KILL_PROCESS if available Additional info: Check the source code of qemu-kvm /qemu-seccomp.c #if defined(SECCOMP_GET_ACTION_AVAIL) && defined(SCMP_ACT_KILL_PROCESS) && \ defined(SECCOMP_RET_KILL_PROCESS) static int kill_process = -1; if (kill_process == -1) { uint32_t action = SECCOMP_RET_KILL_PROCESS; if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) { kill_process = 1; } kill_process = 0; <-- this cause qemu never use SCMP_ACT_KILL_PROCESS } if (kill_process == 1) { return SCMP_ACT_KILL_PROCESS; <-- dead code } #endif return SCMP_ACT_TRAP; Check the commit 9a1565a03 which changed this place logic and I didn't see any reason to force use SCMP_ACT_TRAP.