1800495 – Missing valgrind seccomp support causes qemu guest failed to boot up with “-sandbox=on”

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1800495 - Missing valgrind seccomp support causes qemu guest failed to boot up with “-sandbox=on”

Summary: Missing valgrind seccomp support causes qemu guest failed to boot up with “-s...

Keywords:
Status:	CLOSED CANTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	valgrind
Sub Component:
Version:	---
Hardware:	x86_64
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	rc
Target Release:	8.0
Assignee:	Mark Wielaard
QA Contact:	qe-baseos-tools-bugs
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-02-07 09:32 UTC by Yiqian Wei
Modified:	2021-09-17 14:55 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-02-19 10:01:18 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:
Flags:	pm-rhel: mirror+

Attachments	(Terms of Use)

Description Yiqian Wei 2020-02-07 09:32:09 UTC

Description of problem:
Guest failed to boot up with valgrind tool and “-sandbox=on”

Version-Release number of selected component (if applicable):
host version:
qemu-kvm-4.2.0-8.module+el8.2.0+5607+dc756904.x86_64
kernel-4.18.0-175.el8.x86_64
seabios-1.13.0-1.module+el8.2.0+5520+4e5817f3.x86_64
valgrind-3.15.0-10.el8.x86_64

How reproducible:
100%

Steps to Reproduce:
1.start a guest with valgrind tool and "-sandbox=on"
cmd:  
valgrind  /usr/libexec/qemu-kvm -vnc :1 -monitor stdio  -m 384 -sandbox on

Actual results:Guest failed to boot up

# valgrind /usr/libexec/qemu-kvm -sandbox on -vnc :1 -monitor stdio  -m 384 
==32337== Memcheck, a memory error detector
==32337== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==32337== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==32337== Command: /usr/libexec/qemu-kvm -sandbox on -vnc :1 -monitor stdio -m 384
==32337== 
--32337-- WARNING: unhandled amd64-linux syscall: 317
--32337-- You may be able to write your own handler.
--32337-- Read the file README_MISSING_SYSCALL_OR_IOCTL.
--32337-- Nevertheless we consider this a bug.  Please report
--32337-- it at http://valgrind.org/support/bug_reports.html.
qemu-kvm: -sandbox on: There is no option group 'sandbox'
==32337== 
==32337== HEAP SUMMARY:
==32337==     in use at exit: 363,168 bytes in 3,021 blocks
==32337==   total heap usage: 4,096 allocs, 1,075 frees, 594,029 bytes allocated
==32337== 
==32337== LEAK SUMMARY:
==32337==    definitely lost: 0 bytes in 0 blocks
==32337==    indirectly lost: 0 bytes in 0 blocks
==32337==      possibly lost: 1,832 bytes in 19 blocks
==32337==    still reachable: 361,336 bytes in 3,002 blocks
==32337==                       of which reachable via heuristic:
==32337==                         newarray           : 1,536 bytes in 16 blocks
==32337==         suppressed: 0 bytes in 0 blocks
==32337== Rerun with --leak-check=full to see details of leaked memory
==32337== 
==32337== For lists of detected and suppressed errors, rerun with: -s
==32337== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)


Expected results:
Guest can boot up with valgrind tool and "-sandbox=on"

Additional info:
1)with valgrind tool and "-sandbox=off",reproduce this bug.

Comment 1 Yiqian Wei 2020-02-07 10:18:54 UTC

1. didn't reproduce it only with "sandbox=on/off" 
2. it's not a regression issue since can reproduce it on "qemu-kvm-4.1.0-23.module+el8.1.1+5467+ba2d821b.x86_64" version

Comment 3 Dr. David Alan Gilbert 2020-02-12 09:27:08 UTC

The unhandled syscall is coming from valgrind and 317 is seccomp.

QEMU probes to see if it has seccomp and fails, so doesn't add the sandbox options which is why we get the error:

'qemu-kvm: -sandbox on: There is no option group 'sandbox''

so from QEMU's point of view this is just missing sandbox support.

So it looks like Valgrind is missing seccomp support.
I see an upstream valgrind bug; https://bugs.kde.org/show_bug.cgi?id=380183
But really this is a feature request for it.

I'll flip this to valgrind - NOT_A_QEMU_BUG.

Comment 4 Mark Wielaard 2020-02-12 09:49:16 UTC

seccomp is a little tricky for valgrind since valgrind itself might use system calls not used by the application running under valgrind (they share the same process and address space). And the arguments are also tricky to interpret since depending on operation and flags this might be an arbitrary BPF program. We could simply return ENOSYS for seccomp and not produce the error/warning message. But I assume that doesn't really help in this case.

Comment 5 Eduardo Habkost 2020-02-12 19:07:58 UTC

Marking as feature request, lowering priority and severity.

Comment 6 Mark Wielaard 2020-02-19 10:01:18 UTC

Marking this closed cantfix because it is not clear how to provide this feature. There is an upstream bug that has more discussion: https://bugs.kde.org/show_bug.cgi?id=345414

Please do reopen this bug if you really need this feature.

Note You need to log in before you can comment on or make changes to this bug.