Bug 1072234

| Field | Value |
|---|---|
| Summary | 'getrusage' is not in the 'seccomp_whitelist' of qemu-seccomp.c, which openvswitch uses to add a port to a bridge |
| Product | Red Hat Enterprise Linux 7 |
| Component | qemu-kvm |
| Version | 7.0 |
| Status | CLOSED WONTFIX |
| Severity | medium |
| Priority | medium |
| Reporter | Qian Guo <qiguo> |
| Assignee | Paul Moore <pmoore> |
| QA Contact | Virtualization Bugs <virt-bugs> |
| CC | acathrow, hhuang, juzhang, michen, pbonzini, pmoore, qiguo, virt-maint, xuhan |
| Target Milestone | rc |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2014-03-06 16:51:55 UTC |

Thanks for the strace output, that helps. I'm readying a patch right now and should have a test kernel for you shortly.

Created attachment 871128
01-bz1072234.patch

Please let me know if this patch fixes the problem.

(In reply to Paul Moore from comment #5)
> Please let me know if this patch fixes the problem.

Hi Paul

Tested your build, this bug is gone, details as follows:

# rpm -q qemu-kvm
qemu-kvm-1.5.3-52.bz1072234.1.el7.x86_64

steps:
1. Check the system call 'getrusage' in whitelist:
# grep getrusage /usr/src/debug/qemu-1.5.3/qemu-seccomp.c
    { SCMP_SYS(getrusage), 240 }

2. Try to boot ovs backend guest with sandbox
/usr/libexec/qemu-kvm -cpu Penryn -m 4G -smp 4,sockets=1,cores=4,threads=1 -M pc -enable-kvm -name testovs -drive file=/home/rhel7/rhel7basecp1.qcow2_v3,if=none,format=qcow2,werror=stop,rerror=stop,media=disk,id=drive-blk0-disk0 -device virtio-blk-pci,drive=drive-blk0-disk0,id=virtio-disk0 -nodefaults -nodefconfig -monitor stdio -netdev tap,id=hostdev0,vhost=on,script=/etc/ovs-ifup,downscript=/etc/ovs-ifdown -device virtio-net-pci,netdev=hostdev0,status=off,mac=54:52:1a:46:0b:01,id=vnet0 -spice port=5900,disable-ticketing -global qxl-vga.vram_size=67108864 -vga qxl -boot menu=on -device virtio-balloon-pci,id=balloon1 -global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0 -qmp tcp:0:4444,server,nowait -monitor stdio -sandbox on

Result: guest can boot up successfully and network works well.

So your build can fix this bug

thanks,

(In reply to Qian Guo from comment #6)
> (In reply to Paul Moore from comment #5)
> > Please let me know if this patch fixes the problem.
>
> Hi Paul
>
> Tested your build, this bug is gone, details as follows:
> ...
> Result: guest can boot up successfully and network works well.
>
> So your build can fix this bug

Thanks for testing, I've posted the patch upstream and will submit it internally as soon as it is merged into the QEMU upstream.

Upstream posting:

* http://marc.info/?l=qemu-devel&m=139411830413099&w=2

According to upstream Open vSwitch should not be used in this manner, fd passing should be used instead:

"... when QEMU is used in sandbox mode you should use file descriptor passing instead."

* http://marc.info/?l=qemu-devel&m=139412226414742&w=2

(In reply to Paul Moore from comment #9)
> According to upstream Open vSwitch should not be used in this manner, fd
> passing should be used instead:
>
> "... when QEMU is used in sandbox mode you should use file descriptor
> passing instead."
>
> * http://marc.info/?l=qemu-devel&m=139412226414742&w=2

Hi, Paul

Thanks for the explanation, but I think we should set this bug as won't fix, since we QE always need to manually boot up guests w/o fd, so we should set this bug as won't fix and I will highlight it in our testing. Do you agree?

thanks

Not a problem, I'll change that now.

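One way to follow the upstream advice quoted above, as an added example (not code from this bug report, QEMU or Open vSwitch): a launcher creates the tap device and runs ovs-vsctl before QEMU starts, then hands QEMU the open descriptor, so no network script runs under the seccomp filter. The bridge and tap names (ovs0, tap0) and the trimmed QEMU argument list are assumptions.

```python
"""Launcher sketch: do the tap/OVS setup first, then exec QEMU with the tap fd."""
import fcntl
import os
import struct
import subprocess

QEMU = "/usr/libexec/qemu-kvm"          # path used in the report
TUNSETIFF = 0x400454CA                  # ioctl number from <linux/if_tun.h>
IFF_TAP, IFF_NO_PI, IFF_VNET_HDR = 0x0002, 0x1000, 0x4000


def open_tap(ifname):
    """Attach to a tap interface and return an inheritable fd (needs CAP_NET_ADMIN)."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    # struct ifreq: 16-byte name, 16-bit flags, padding up to 40 bytes.
    ifr = struct.pack("16sH22x", ifname.encode(), IFF_TAP | IFF_NO_PI | IFF_VNET_HDR)
    fcntl.ioctl(fd, TUNSETIFF, ifr)
    os.set_inheritable(fd, True)        # must survive execv() into QEMU
    return fd


def attach_to_bridge(bridge, ifname):
    """The work /etc/ovs-ifup did, now done before any seccomp filter is loaded."""
    subprocess.run(["ovs-vsctl", "--may-exist", "add-port", bridge, ifname], check=True)
    subprocess.run(["ip", "link", "set", ifname, "up"], check=True)


def qemu_argv(tap_fd, extra):
    """Build the QEMU command line: fd= replaces script=/downscript=."""
    return [QEMU, *extra,
            "-netdev", f"tap,id=hostdev0,fd={tap_fd}",
            "-device", "virtio-net-pci,netdev=hostdev0,mac=54:52:1a:46:0b:01,id=vnet0",
            "-sandbox", "on"]


def main():
    ifname, bridge = "tap0", "ovs0"     # assumed names
    fd = open_tap(ifname)
    attach_to_bridge(bridge, ifname)
    argv = qemu_argv(fd, ["-enable-kvm", "-m", "4G", "-nodefaults", "-monitor", "stdio"])
    os.execv(argv[0], argv)             # QEMU inherits the tap fd


if __name__ == "__main__":
    main()
```

With fd passing there is no downscript either, so removing the port from the bridge after the guest exits is left to whatever starts the launcher.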
Description of problem:
Cannot boot up qemu with ovs backend and with sandbox on. I just checked the whitelist and the strace of "ovs-vsctl add-port ...", and found that "getrusage" is used by this command but not included in the qemu seccomp_whitelist by default.

Please feel free to correct me if I got anything wrong.

Version-Release number of selected component (if applicable):
# rpm -q qemu-kvm-rhev
qemu-kvm-rhev-1.5.3-50.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Try to boot guest based ovs bridge backend and sandbox on
# /usr/libexec/qemu-kvm -cpu Penryn -m 4G -smp 4,sockets=1,cores=4,threads=1 -M pc -enable-kvm -name testovs -drive file=/home/rhel7/rhel7basecp1.qcow2_v3,if=none,format=qcow2,werror=stop,rerror=stop,media=disk,id=drive-blk0-disk0 -device virtio-blk-pci,drive=drive-blk0-disk0,id=virtio-disk0 -nodefaults -nodefconfig -monitor stdio -netdev tap,id=hostdev0,vhost=on,script=/etc/ovs-ifup,downscript=/etc/ovs-ifdown -device virtio-net-pci,netdev=hostdev0,status=off,mac=54:52:1a:46:0b:01,id=vnet0 -spice port=5900,disable-ticketing -global qxl-vga.vram_size=67108864 -vga qxl -boot menu=on -device virtio-balloon-pci,id=balloon1 -global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0 -qmp tcp:0:4444,server,nowait -monitor stdio -sandbox on

Actual results:
Cannot boot up and qemu quits with the following:

/etc/ovs-ifup: line 4: 21479 Bad system call ovs-vsctl add-port ${switch} $1
/etc/ovs-ifup: could not launch network script
qemu-kvm: -netdev tap,id=hostdev0,vhost=on,script=/etc/ovs-ifup,downscript=/etc/ovs-ifdown: Device 'tap' could not be initialized

# ausearch -m SECCOMP
...
----
time->Tue Mar 4 15:08:38 2014
type=SECCOMP msg=audit(1393916918.604:2199): auid=0 uid=0 gid=0 ses=189 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=21479 comm="ovs-vsctl" sig=31 syscall=98 compat=0 ip=0x7f376752cf07 code=0x0
...

Expected results:
ovs and sandbox can work together

Additional info:
Checked what ovs-vsctl add-port do:

From above found that the system call 'getrusage' is not included in seccomp_whitelist of /usr/src/debug/qemu-1.5.3/qemu-seccomp.c by default.
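
The triage this report walks through (read the SECCOMP audit record, then check the allowlist source), as an added example that is not part of the original report or of QEMU. A seccomp filter is inherited across fork and execve, which is why the record names ovs-vsctl rather than qemu-kvm. The syscall table is a subset of the x86_64 numbers and the allowlist excerpts are constructed, apart from the getrusage entry quoted in the thread.

```python
"""Resolve SECCOMP audit records and check them against a qemu-seccomp.c style table."""
import re

# Subset of the x86_64 syscall table; only valid for records with compat=0.
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 3: "close", 7: "poll",
                   41: "socket", 42: "connect", 72: "fcntl", 97: "getrlimit",
                   98: "getrusage", 202: "futex", 231: "exit_group"}
LINUX_SIGNALS = {31: "SIGSYS"}   # x86 numbering; SIGSYS is what a seccomp kill delivers

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ALLOW_RE = re.compile(r"SCMP_SYS\(\s*(\w+)\s*\)")
C_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

# Record copied from the report's "ausearch -m SECCOMP" output.
SAMPLE_AUDIT = """\
----
time->Tue Mar 4 15:08:38 2014
type=SECCOMP msg=audit(1393916918.604:2199): auid=0 uid=0 gid=0 ses=189 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=21479 comm="ovs-vsctl" sig=31 syscall=98 compat=0 ip=0x7f376752cf07 code=0x0
"""

# Constructed excerpts in the style of qemu-seccomp.c; only the getrusage
# entry (priority 240) is taken from the thread.
ALLOWLIST_BEFORE = """
    { SCMP_SYS(read), 255 },
    { SCMP_SYS(write), 244 },
    /* { SCMP_SYS(getrusage), 240 }, */
    { SCMP_SYS(futex), 253 },
"""
ALLOWLIST_AFTER = ALLOWLIST_BEFORE + "    { SCMP_SYS(getrusage), 240 },\n"


def parse_seccomp_record(line):
    """Return the key=value fields of one type=SECCOMP line, or None for other lines."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return fields if fields.get("type") == "SECCOMP" else None


def allowlisted_syscalls(c_source):
    """Names inside SCMP_SYS(...) entries, ignoring commented-out entries."""
    return set(ALLOW_RE.findall(C_COMMENT_RE.sub("", c_source)))


def triage(audit_text, c_source):
    """One dict per blocked call: who made it, which syscall, and whether it is allowlisted."""
    allowed = allowlisted_syscalls(c_source)
    hits = []
    for line in audit_text.splitlines():
        fields = parse_seccomp_record(line)
        if fields is None:
            continue
        nr, sig = int(fields["syscall"]), int(fields["sig"])
        if fields.get("compat", "0") != "0":
            name = f"compat-{nr}"        # 32-bit ABI numbers need a different table
        else:
            name = X86_64_SYSCALLS.get(nr, f"unknown-{nr}")
        hits.append({"comm": fields["comm"], "pid": int(fields["pid"]),
                     "syscall": name, "signal": LINUX_SIGNALS.get(sig, str(sig)),
                     "in_allowlist": name in allowed})
    return hits


if __name__ == "__main__":
    for label, src in (("before", ALLOWLIST_BEFORE), ("after", ALLOWLIST_AFTER)):
        print(label, triage(SAMPLE_AUDIT, src))
```

A hit that is still reported with `in_allowlist` true means the running binary was built from a different table than the source being checked.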