Bug 1004175 - '-sandbox on' option cause qemu-kvm process hang
'-sandbox on' option cause qemu-kvm process hang
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm (Show other bugs)
7.0
x86_64 Linux
urgent Severity high
: rc
: ---
Assigned To: Paul Moore
Virtualization Bugs
: TestBlocker
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-09-04 03:13 EDT by FuXiangChun
Modified: 2014-06-17 23:37 EDT (History)
10 users (show)

See Also:
Fixed In Version: qemu-kvm-1.5.3-10.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 08:50:51 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
This patch adds times() syscall to the whitelist (922 bytes, patch)
2013-09-04 08:51 EDT, Eduardo Otubo
no flags Details | Diff

  None (edit)
Description FuXiangChun 2013-09-04 03:13:03 EDT
Description of problem:
Start qemu-kvm process with option "-sandbox on", It will cause qemu-kvm process hang. This is status of qemu-kvm process in host. 

#top -p `pidof qemu-kvm`
PID USER   PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND                                       
 7639 root 20   0       0      0      0 Z   0.0  0.0   0:00.09 qemu-kvm


Version-Release number of selected component (if applicable):
# uname -r
3.10.0-15.el7.x86_64
qemu-kvm-1.5.3-2.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1./usr/libexec/qemu-kvm -monitor stdio -vnc :1 -sandbox on
2.
3.

Actual results:
1.qemu-kvm hang

2.# ausearch -m SECCOMP
----
time->Wed Sep  4 10:13:24 2013
type=SECCOMP msg=audit(1378260804.512:543): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1927 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7f772903315c code=0x0
----
time->Wed Sep  4 10:22:23 2013
type=SECCOMP msg=audit(1378261343.584:584): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1977 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7fe97b75315c code=0x0
----
time->Wed Sep  4 10:23:20 2013
type=SECCOMP msg=audit(1378261400.252:620): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2037 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7f888525715c code=0x0
----
time->Wed Sep  4 11:31:28 2013
type=SECCOMP msg=audit(1378265488.679:691): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2116 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7f454e1b415c code=0x0
----
time->Wed Sep  4 11:39:13 2013
type=SECCOMP msg=audit(1378265953.838:692): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2182 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7f4faeede15c code=0x0
----
time->Wed Sep  4 14:13:48 2013
type=SECCOMP msg=audit(1378275228.696:895): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=7278 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7fd5ebad415c code=0x0


Expected results:
qemu-kvm works well

Additional info:
Comment 3 Paul Moore 2013-09-04 07:36:58 EDT
I assume this is on x86_64?  If so, it looks like 'times()' is missing from the syscall filter.

 # scmp_sys_resolver -a x86_64 100
 times
Comment 4 Paul Moore 2013-09-04 08:20:22 EDT
I just had an email exchange with the IBM developer who has been doing the bulk of the QEMU/seccomp development and he found the problem with times() just recently and expects to submit a patch upstream today.

Once the patch is accepted upstream I will backport it and submit it internally for RHEL7.
Comment 5 Eduardo Otubo 2013-09-04 08:51:59 EDT
Created attachment 793658 [details]
This patch adds times() syscall to the whitelist
Comment 6 Eduardo Otubo 2013-09-04 08:52:39 EDT
The above patch is also available in Qemu mailing list
http://lists.nongnu.org/archive/html/qemu-devel/2013-09/msg00774.html
Comment 7 Paul Moore 2013-09-04 10:12:08 EDT
(In reply to Eduardo Otubo from comment #5)
> Created attachment 793658 [details]

I've just tested this patch and can verify that it solves the problem.
Comment 15 Paul Moore 2013-10-01 16:05:43 EDT
Update: the patch has been pulled into a QEMU sub-tree by the QEMU/seccomp maintainer, currently waiting on the QEMU maintainer to pull from the QEMU/seccomp tree.
Comment 19 Eduardo Otubo 2013-10-11 08:40:14 EDT
The remote branch has been merged and the fix is now available in the main tree - http://git.qemu.org/?p=qemu.git;a=commit;h=88b70e56b969142c88f240434f392b9348600ef5
Comment 20 Paul Moore 2013-10-11 09:41:02 EDT
Thanks for the update Eduardo, but the BZ state should remain in POST.
Comment 21 Miroslav Rezanina 2013-10-17 06:01:21 EDT
Fix included in qemu-kvm-1.5.3-10.el7
Comment 24 FuXiangChun 2013-10-27 21:59:59 EDT
Verify this bug with qemu-kvm-rhev-1.5.3-10.el7.x86_64. 

According to Comment 0 test steps. Result: qemu-kvm and guest work well.
Comment 25 FuXiangChun 2013-10-27 22:01:53 EDT
Base on test result of Comment 23 and Comment 24. This bug is fixed.
Comment 27 Ludek Smid 2014-06-13 08:50:51 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.