Bug 1752376 - qemu use SCMP_ACT_TRAP even SCMP_ACT_KILL_PROCESS is available
Summary: qemu use SCMP_ACT_TRAP even SCMP_ACT_KILL_PROCESS is available
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux Advanced Virtualization
Classification: Red Hat
Component: qemu-kvm
Version: 8.1
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Eduardo Otubo
QA Contact: yduan
URL:
Whiteboard:
Depends On:
Blocks: 1880546
TreeView+ depends on / blocked
 
Reported: 2019-09-16 08:23 UTC by Luyao Huang
Modified: 2020-11-17 17:45 UTC (History)
8 users (show)

Fixed In Version: qemu-kvm-5.1.0-8.module+el8.3.0+8141+3cd9cd43
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1880546 (view as bug list)
Environment:
Last Closed: 2020-11-17 17:45:34 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Luyao Huang 2019-09-16 08:23:55 UTC
Description of problem:
qemu use SCMP_ACT_TRAP even SCMP_ACT_KILL_PROCESS is available

Version-Release number of selected component (if applicable):
qemu-kvm-4.1.0-9.module+el8.1.0+4210+23b2046a.x86_64

How reproducible:
100%

Steps to Reproduce:
1. use gdb to start a guest which enable seccomp and set breakpoint at qemu_seccomp_get_action:

# gdb /usr/libexec/qemu-kvm 
....
(gdb) br qemu_seccomp_get_action
Breakpoint 1 at 0x4502d4: file qemu-seccomp.c, line 171.
(gdb) r -sandbox on,obsolete=deny

2. check the qemu_seccomp_get_action return and qemu_seccomp return step by step
3.

Actual results:
qemu use SCMP_ACT_TRAP even SCMP_ACT_KILL_PROCESS is available

Expected results:
qemu prefer SCMP_ACT_KILL_PROCESS if available

Additional info:

Check the source code of qemu-kvm /qemu-seccomp.c

#if defined(SECCOMP_GET_ACTION_AVAIL) && defined(SCMP_ACT_KILL_PROCESS) && \
    defined(SECCOMP_RET_KILL_PROCESS)
        static int kill_process = -1;
        if (kill_process == -1) {
            uint32_t action = SECCOMP_RET_KILL_PROCESS;

            if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) {
                kill_process = 1;
            }
            kill_process = 0;     <-- this cause qemu never use SCMP_ACT_KILL_PROCESS
        }
        if (kill_process == 1) {  
            return SCMP_ACT_KILL_PROCESS;    <-- dead code
        }
#endif
        return SCMP_ACT_TRAP;

Check the commit 9a1565a03 which changed this place logic and I didn't see any reason to force use SCMP_ACT_TRAP.

Comment 3 Ademar Reis 2020-02-05 23:06:17 UTC
QEMU has been recently split into sub-components and as a one-time operation to avoid breakage of tools, we are setting the QEMU sub-component of this BZ to "General". Please review and change the sub-component if necessary the next time you review this BZ. Thanks

Comment 4 John Ferlan 2020-09-11 12:02:33 UTC
Dan - looks like your commit 9a1565a03b made this alteration in logic - perhaps an else {} should have been used...

Comment 5 Daniel Berrangé 2020-09-11 16:05:41 UTC
Fix posted at https://lists.gnu.org/archive/html/qemu-devel/2020-09/msg04264.html

Comment 6 John Ferlan 2020-09-15 15:52:27 UTC
Can we get a qa_ack+ please?

Comment 12 yduan 2020-09-22 02:33:23 UTC
Reproduced with qemu-kvm-5.1.0-7.module+el8.3.0+8099+dba2fe3e.x86_64 and verified with qemu-kvm-5.1.0-8.module+el8.3.0+8141+3cd9cd43.x86_64.

The test step is described in comment 0.

commit e474e3aacf4276eb0781d11c45e2fab996f9dc56
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index e0a1829b3d..8325ecb766 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -136,8 +136,9 @@ static uint32_t qemu_seccomp_get_action(int set)
 
             if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) {
                 kill_process = 1;
+            } else {
+                kill_process = 0;
             }
-            kill_process = 0;
         }
         if (kill_process == 1) {
             return SCMP_ACT_KILL_PROCESS;

Comment 15 errata-xmlrpc 2020-11-17 17:45:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (virt:8.3 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5137


Note You need to log in before you can comment on or make changes to this bug.