Bug 1004175 - '-sandbox on' option cause qemu-kvm process hang
Summary: '-sandbox on' option cause qemu-kvm process hang
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm
Version: 7.0
Hardware: x86_64
OS: Linux
Target Milestone: rc
: ---
Assignee: Paul Moore
QA Contact: Virtualization Bugs
Depends On:
TreeView+ depends on / blocked
Reported: 2013-09-04 07:13 UTC by FuXiangChun
Modified: 2014-06-18 03:37 UTC (History)
10 users (show)

Fixed In Version: qemu-kvm-1.5.3-10.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-06-13 12:50:51 UTC
Target Upstream Version:

Attachments (Terms of Use)
This patch adds times() syscall to the whitelist (922 bytes, patch)
2013-09-04 12:51 UTC, Eduardo Otubo
no flags Details | Diff

Description FuXiangChun 2013-09-04 07:13:03 UTC
Description of problem:
Start qemu-kvm process with option "-sandbox on", It will cause qemu-kvm process hang. This is status of qemu-kvm process in host. 

#top -p `pidof qemu-kvm`
PID USER   PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND                                       
 7639 root 20   0       0      0      0 Z   0.0  0.0   0:00.09 qemu-kvm

Version-Release number of selected component (if applicable):
# uname -r

How reproducible:

Steps to Reproduce:
1./usr/libexec/qemu-kvm -monitor stdio -vnc :1 -sandbox on

Actual results:
1.qemu-kvm hang

2.# ausearch -m SECCOMP
time->Wed Sep  4 10:13:24 2013
type=SECCOMP msg=audit(1378260804.512:543): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1927 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7f772903315c code=0x0
time->Wed Sep  4 10:22:23 2013
type=SECCOMP msg=audit(1378261343.584:584): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1977 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7fe97b75315c code=0x0
time->Wed Sep  4 10:23:20 2013
type=SECCOMP msg=audit(1378261400.252:620): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2037 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7f888525715c code=0x0
time->Wed Sep  4 11:31:28 2013
type=SECCOMP msg=audit(1378265488.679:691): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2116 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7f454e1b415c code=0x0
time->Wed Sep  4 11:39:13 2013
type=SECCOMP msg=audit(1378265953.838:692): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2182 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7f4faeede15c code=0x0
time->Wed Sep  4 14:13:48 2013
type=SECCOMP msg=audit(1378275228.696:895): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=7278 comm="qemu-kvm" sig=31 syscall=100 compat=0 ip=0x7fd5ebad415c code=0x0

Expected results:
qemu-kvm works well

Additional info:

Comment 3 Paul Moore 2013-09-04 11:36:58 UTC
I assume this is on x86_64?  If so, it looks like 'times()' is missing from the syscall filter.

 # scmp_sys_resolver -a x86_64 100

Comment 4 Paul Moore 2013-09-04 12:20:22 UTC
I just had an email exchange with the IBM developer who has been doing the bulk of the QEMU/seccomp development and he found the problem with times() just recently and expects to submit a patch upstream today.

Once the patch is accepted upstream I will backport it and submit it internally for RHEL7.

Comment 5 Eduardo Otubo 2013-09-04 12:51:59 UTC
Created attachment 793658 [details]
This patch adds times() syscall to the whitelist

Comment 6 Eduardo Otubo 2013-09-04 12:52:39 UTC
The above patch is also available in Qemu mailing list

Comment 7 Paul Moore 2013-09-04 14:12:08 UTC
(In reply to Eduardo Otubo from comment #5)
> Created attachment 793658 [details]

I've just tested this patch and can verify that it solves the problem.

Comment 15 Paul Moore 2013-10-01 20:05:43 UTC
Update: the patch has been pulled into a QEMU sub-tree by the QEMU/seccomp maintainer, currently waiting on the QEMU maintainer to pull from the QEMU/seccomp tree.

Comment 19 Eduardo Otubo 2013-10-11 12:40:14 UTC
The remote branch has been merged and the fix is now available in the main tree - http://git.qemu.org/?p=qemu.git;a=commit;h=88b70e56b969142c88f240434f392b9348600ef5

Comment 20 Paul Moore 2013-10-11 13:41:02 UTC
Thanks for the update Eduardo, but the BZ state should remain in POST.

Comment 21 Miroslav Rezanina 2013-10-17 10:01:21 UTC
Fix included in qemu-kvm-1.5.3-10.el7

Comment 24 FuXiangChun 2013-10-28 01:59:59 UTC
Verify this bug with qemu-kvm-rhev-1.5.3-10.el7.x86_64. 

According to Comment 0 test steps. Result: qemu-kvm and guest work well.

Comment 25 FuXiangChun 2013-10-28 02:01:53 UTC
Base on test result of Comment 23 and Comment 24. This bug is fixed.

Comment 27 Ludek Smid 2014-06-13 12:50:51 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.