Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1004175

Summary: '-sandbox on' option cause qemu-kvm process hang
Product: Red Hat Enterprise Linux 7 Reporter: FuXiangChun <xfu>
Component: qemu-kvmAssignee: Paul Moore <pmoore>
Status: CLOSED CURRENTRELEASE QA Contact: Virtualization Bugs <virt-bugs>
Severity: high Docs Contact:
Priority: urgent    
Version: 7.0CC: acathrow, eotubo, hhuang, juzhang, knoel, michen, pmoore, sluo, virt-maint, xfu
Target Milestone: rcKeywords: TestBlocker
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: qemu-kvm-1.5.3-10.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 12:50:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
This patch adds times() syscall to the whitelist none

Description FuXiangChun 2013-09-04 07:13:03 UTC 
Description of problem:
Start qemu-kvm process with option "-sandbox on", It will cause qemu-kvm process hang. This is status of qemu-kvm process in host. 

#top -p `pidof qemu-kvm`
PID USER   PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND                                       
 7639 root 20   0       0      0      0 Z   0.0  0.0   0:00.09 qemu-kvm


Version-Release number of selected component (if applicable):
# uname -r
3.10.0-15.el7.x86_64
qemu-kvm-1.5.3-2.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1./usr/libexec/qemu-kvm -monitor stdio -vnc :1 -sandbox on
2.
3.

Actual results:
1.qemu-kvm hang

2.# ausearch -m SECCOMP
----
time->Wed Sep  4 10:13:24 2013
type=SECCOMP msg=audit(1378260804.512:543): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1927 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7f772903315c code=0x0
----
time->Wed Sep  4 10:22:23 2013
type=SECCOMP msg=audit(1378261343.584:584): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1977 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7fe97b75315c code=0x0
----
time->Wed Sep  4 10:23:20 2013
type=SECCOMP msg=audit(1378261400.252:620): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2037 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7f888525715c code=0x0
----
time->Wed Sep  4 11:31:28 2013
type=SECCOMP msg=audit(1378265488.679:691): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2116 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7f454e1b415c code=0x0
----
time->Wed Sep  4 11:39:13 2013
type=SECCOMP msg=audit(1378265953.838:692): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2182 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7f4faeede15c code=0x0
----
time->Wed Sep  4 14:13:48 2013
type=SECCOMP msg=audit(1378275228.696:895): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=7278 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7fd5ebad415c code=0x0


Expected results:
qemu-kvm works well

Additional info:
Comment 3 Paul Moore 2013-09-04 11:36:58 UTC 
I assume this is on x86_64?  If so, it looks like 'times()' is missing from the syscall filter.

 # scmp_sys_resolver -a x86_64 100
 times
Comment 4 Paul Moore 2013-09-04 12:20:22 UTC 
I just had an email exchange with the IBM developer who has been doing the bulk of the QEMU/seccomp development and he found the problem with times() just recently and expects to submit a patch upstream today.

Once the patch is accepted upstream I will backport it and submit it internally for RHEL7.
Comment 5 Eduardo Otubo 2013-09-04 12:51:59 UTC 
Created attachment 793658 [details]
This patch adds times() syscall to the whitelist
Comment 6 Eduardo Otubo 2013-09-04 12:52:39 UTC 
The above patch is also available in Qemu mailing list
http://lists.nongnu.org/archive/html/qemu-devel/2013-09/msg00774.html
Comment 7 Paul Moore 2013-09-04 14:12:08 UTC 
(In reply to Eduardo Otubo from comment #5)
> Created attachment 793658 [details]

I've just tested this patch and can verify that it solves the problem.
Comment 15 Paul Moore 2013-10-01 20:05:43 UTC 
Update: the patch has been pulled into a QEMU sub-tree by the QEMU/seccomp maintainer, currently waiting on the QEMU maintainer to pull from the QEMU/seccomp tree.
Comment 19 Eduardo Otubo 2013-10-11 12:40:14 UTC 
The remote branch has been merged and the fix is now available in the main tree - http://git.qemu.org/?p=qemu.git;a=commit;h=88b70e56b969142c88f240434f392b9348600ef5
Comment 20 Paul Moore 2013-10-11 13:41:02 UTC 
Thanks for the update Eduardo, but the BZ state should remain in POST.
Comment 21 Miroslav Rezanina 2013-10-17 10:01:21 UTC 
Fix included in qemu-kvm-1.5.3-10.el7
Comment 24 FuXiangChun 2013-10-28 01:59:59 UTC 
Verify this bug with qemu-kvm-rhev-1.5.3-10.el7.x86_64. 

According to Comment 0 test steps. Result: qemu-kvm and guest work well.
Comment 25 FuXiangChun 2013-10-28 02:01:53 UTC 
Base on test result of Comment 23 and Comment 24. This bug is fixed.
Comment 27 Ludek Smid 2014-06-13 12:50:51 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.