Description of problem:
Starting the qemu-kvm process with the option "-sandbox on" causes the qemu-kvm process to hang.

This is the status of the qemu-kvm process on the host:

# top -p `pidof qemu-kvm`
  PID USER PR NI VIRT RES SHR S %CPU %MEM   TIME+ COMMAND
 7639 root 20  0    0   0   0 Z  0.0  0.0 0:00.09 qemu-kvm

Version-Release number of selected component (if applicable):
# uname -r
3.10.0-15.el7.x86_64
qemu-kvm-1.5.3-2.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. /usr/libexec/qemu-kvm -monitor stdio -vnc :1 -sandbox on
2.
3.

Actual results:
1. qemu-kvm hang
2. # ausearch -m SECCOMP
----
time->Wed Sep 4 10:13:24 2013
type=SECCOMP msg=audit(1378260804.512:543): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1927 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7f772903315c code=0x0
----
time->Wed Sep 4 10:22:23 2013
type=SECCOMP msg=audit(1378261343.584:584): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1977 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7fe97b75315c code=0x0
----
time->Wed Sep 4 10:23:20 2013
type=SECCOMP msg=audit(1378261400.252:620): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2037 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7f888525715c code=0x0
----
time->Wed Sep 4 11:31:28 2013
type=SECCOMP msg=audit(1378265488.679:691): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2116 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7f454e1b415c code=0x0
----
time->Wed Sep 4 11:39:13 2013
type=SECCOMP msg=audit(1378265953.838:692): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2182 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7f4faeede15c code=0x0
----
time->Wed Sep 4 14:13:48 2013
type=SECCOMP msg=audit(1378275228.696:895): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=7278 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7fd5ebad415c code=0x0

Expected results:
qemu-kvm works well

Additional info:
I assume this is on x86_64? If so, it looks like 'times()' is missing from the syscall filter.

# scmp_sys_resolver -a x86_64 100
times
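The triage step in the comment above (reading the denied syscall number out of the SECCOMP audit records and resolving it to a name), as an added example that is not part of the original report or of QEMU's code. The function names and the abridged sample records are constructed for illustration, the syscall table is deliberately partial, and the host is assumed to be x86_64 as in the report.

```python
import re
from collections import Counter

# Partial x86_64 syscall table (assumption: only the entries needed here;
# scmp_sys_resolver from libseccomp provides the full mapping).
X86_64_SYSCALLS = {0: "read", 1: "write", 100: "times", 231: "exit_group"}
SIGSYS = 31  # signal sent when a seccomp filter kills the offending task
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample input, abridged from the ausearch format in the report.
SAMPLE = """\
----
time->Wed Sep 4 10:13:24 2013
type=SECCOMP msg=audit(1378260804.512:543): auid=0 uid=0 pid=1927 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7f772903315c code=0x0
----
time->Wed Sep 4 10:22:23 2013
type=SECCOMP msg=audit(1378261343.584:584): auid=0 uid=0 pid=1977 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7fe97b75315c code=0x0
----
time->Wed Sep 4 10:30:00 2013
type=SECCOMP msg=audit(1378261800.000:600): auid=0 uid=0 pid=2000 comm="qemu-kvm" sig=31 syscall=11 compat=1 ip=0xf7700000 code=0x0
"""

def parse_seccomp_records(text):
    """Yield one dict of key=value fields per type=SECCOMP audit record."""
    for line in text.splitlines():
        if line.startswith("type=SECCOMP"):
            yield {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def denied_syscalls(text):
    """Count seccomp kills per (comm, syscall name) on an x86_64 host."""
    counts = Counter()
    for rec in parse_seccomp_records(text):
        if int(rec["sig"]) != SIGSYS:
            continue  # not a seccomp kill
        nr = int(rec["syscall"])
        if rec.get("compat") == "0":
            name = X86_64_SYSCALLS.get(nr, f"unknown({nr})")
        else:
            name = f"compat({nr})"  # 32-bit numbering differs; not resolved
        counts[(rec["comm"], name)] += 1
    return counts

if __name__ == "__main__":
    for (comm, name), n in denied_syscalls(SAMPLE).most_common():
        print(f"{comm}: {name} denied {n} time(s)")
```

A syscall that shows up here for a sandboxed process is a candidate for review against the filter's whitelist, which is how the missing times() entry was identified in this bug.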
I just had an email exchange with the IBM developer who has been doing the bulk of the QEMU/seccomp development and he found the problem with times() just recently and expects to submit a patch upstream today. Once the patch is accepted upstream I will backport it and submit it internally for RHEL7.
Created attachment 793658
This patch adds times() syscall to the whitelist
The above patch is also available on the QEMU mailing list: http://lists.nongnu.org/archive/html/qemu-devel/2013-09/msg00774.html
(In reply to Eduardo Otubo from comment #5)
> Created attachment 793658

I've just tested this patch and can verify that it solves the problem.
Update: the patch has been pulled into a QEMU sub-tree by the QEMU/seccomp maintainer, currently waiting on the QEMU maintainer to pull from the QEMU/seccomp tree.
The remote branch has been merged and the fix is now available in the main tree - http://git.qemu.org/?p=qemu.git;a=commit;h=88b70e56b969142c88f240434f392b9348600ef5
Thanks for the update Eduardo, but the BZ state should remain in POST.
Fix included in qemu-kvm-1.5.3-10.el7
Verified this bug with qemu-kvm-rhev-1.5.3-10.el7.x86_64, following the test steps in Comment 0. Result: qemu-kvm and guest work well.
Based on the test results of Comment 23 and Comment 24, this bug is fixed.
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.