Message ID | 5093CF47.9030401@linux.vnet.ibm.com |
---|---|
State | New |
On Friday, November 02, 2012 09:48:55 AM Corey Bryant wrote:
> On 11/01/2012 05:43 PM, Paul Moore wrote:
> > On Tuesday, October 23, 2012 03:55:29 AM Eduardo Otubo wrote:
> >> According to the bug 855162[0] - there's the need of adding new syscalls
> >> to the whitelist when using Qemu with Libvirt.
> >>
> >> [0] - https://bugzilla.redhat.com/show_bug.cgi?id=855162
> >>
> >> v2: Adding new syscalls to the list: readlink, rt_sigpending, and
> >>
> >> rt_sigtimedwait
> >>
> >> Reported-by: Paul Moore <pmoore@redhat.com>
> >> Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
> >> ---
> >>
> >> qemu-seccomp.c | 13 ++++++++++++-
> >> 1 file changed, 12 insertions(+), 1 deletion(-)
> >
> > I had an opportunity to test this patchset on a F17 machine using QEMU 1.2
> > and unfortunately it still fails. I'm using a relatively basic guest
> > configuration running F16, the details are documented in the RH BZ that
> > Eduardo mentioned in the patch description.
>
> Paul, Here's the latest diff for the whitelist. We're looking to get
> the patches out in the next few days after a bit more testing.

Okay, thanks for the updated list ... I'm rebuilding QEMU right now and I'll
report back with the results later today.

On Friday, November 02, 2012 10:10:02 AM Paul Moore wrote:
> On Friday, November 02, 2012 09:48:55 AM Corey Bryant wrote:
> > On 11/01/2012 05:43 PM, Paul Moore wrote:
> > > On Tuesday, October 23, 2012 03:55:29 AM Eduardo Otubo wrote:
> > >> According to the bug 855162[0] - there's the need of adding new
> > >> syscalls
> > >> to the whitelist when using Qemu with Libvirt.
> > >>
> > >> [0] - https://bugzilla.redhat.com/show_bug.cgi?id=855162
> > >>
> > >> v2: Adding new syscalls to the list: readlink, rt_sigpending, and
> > >>
> > >> rt_sigtimedwait
> > >>
> > >> Reported-by: Paul Moore <pmoore@redhat.com>
> > >> Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
> > >> ---
> > >>
> > >> qemu-seccomp.c | 13 ++++++++++++-
> > >> 1 file changed, 12 insertions(+), 1 deletion(-)
> > >
> > > I had an opportunity to test this patchset on a F17 machine using QEMU
> > > 1.2
> > > and unfortunately it still fails. I'm using a relatively basic guest
> > > configuration running F16, the details are documented in the RH BZ that
> > > Eduardo mentioned in the patch description.
> >
> > Paul, Here's the latest diff for the whitelist. We're looking to get
> > the patches out in the next few days after a bit more testing.
>
> Okay, thanks for the updated list ... I'm rebuilding QEMU right now and I'll
> report back with the results later today.

Sadly, no luck, it still fails.

On 11/02/2012 10:38 AM, Paul Moore wrote:
> On Friday, November 02, 2012 10:10:02 AM Paul Moore wrote:
>> On Friday, November 02, 2012 09:48:55 AM Corey Bryant wrote:
>>> On 11/01/2012 05:43 PM, Paul Moore wrote:
>>>> On Tuesday, October 23, 2012 03:55:29 AM Eduardo Otubo wrote:
>>>>> According to the bug 855162[0] - there's the need of adding new
>>>>> syscalls
>>>>> to the whitelist when using Qemu with Libvirt.
>>>>>
>>>>> [0] - https://bugzilla.redhat.com/show_bug.cgi?id=855162
>>>>>
>>>>> v2: Adding new syscalls to the list: readlink, rt_sigpending, and
>>>>>
>>>>> rt_sigtimedwait
>>>>>
>>>>> Reported-by: Paul Moore <pmoore@redhat.com>
>>>>> Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
>>>>> ---
>>>>>
>>>>> qemu-seccomp.c | 13 ++++++++++++-
>>>>> 1 file changed, 12 insertions(+), 1 deletion(-)
>>>>
>>>> I had an opportunity to test this patchset on a F17 machine using QEMU
>>>> 1.2
>>>> and unfortunately it still fails. I'm using a relatively basic guest
>>>> configuration running F16, the details are documented in the RH BZ that
>>>> Eduardo mentioned in the patch description.
>>>
>>> Paul, Here's the latest diff for the whitelist. We're looking to get
>>> the patches out in the next few days after a bit more testing.
>>
>> Okay, thanks for the updated list ... I'm rebuilding QEMU right now and I'll
>> report back with the results later today.
>
> Sadly, no luck, it still fails.
>

Hmm, let me send you the current patch set off-line, which includes
debug support to write the failing syscall out. If you don't mind could
you try it out?

On Friday, November 02, 2012 10:43:41 AM Corey Bryant wrote:
> On 11/02/2012 10:38 AM, Paul Moore wrote:
> > On Friday, November 02, 2012 10:10:02 AM Paul Moore wrote:
> >> On Friday, November 02, 2012 09:48:55 AM Corey Bryant wrote:
> >>> On 11/01/2012 05:43 PM, Paul Moore wrote:
> >>>> On Tuesday, October 23, 2012 03:55:29 AM Eduardo Otubo wrote:
> >>>>> According to the bug 855162[0] - there's the need of adding new
> >>>>> syscalls
> >>>>> to the whitelist when using Qemu with Libvirt.
> >>>>>
> >>>>> [0] - https://bugzilla.redhat.com/show_bug.cgi?id=855162
> >>>>>
> >>>>> v2: Adding new syscalls to the list: readlink, rt_sigpending, and
> >>>>>
> >>>>> rt_sigtimedwait
> >>>>>
> >>>>> Reported-by: Paul Moore <pmoore@redhat.com>
> >>>>> Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
> >>>>> ---
> >>>>>
> >>>>> qemu-seccomp.c | 13 ++++++++++++-
> >>>>> 1 file changed, 12 insertions(+), 1 deletion(-)
> >>>>
> >>>> I had an opportunity to test this patchset on a F17 machine using QEMU
> >>>> 1.2
> >>>> and unfortunately it still fails. I'm using a relatively basic guest
> >>>> configuration running F16, the details are documented in the RH BZ that
> >>>> Eduardo mentioned in the patch description.
> >>>
> >>> Paul, Here's the latest diff for the whitelist. We're looking to get
> >>> the patches out in the next few days after a bit more testing.
> >>
> >> Okay, thanks for the updated list ... I'm rebuilding QEMU right now and
> >> I'll report back with the results later today.
> >
> > Sadly, no luck, it still fails.
>
> Hmm, let me send you the current patch set off-line, which includes
> debug support to write the failing syscall out. If you don't mind could
> you try it out?

Sure, no problem.

On a related note, I think it would be a *really* good idea to also submit the
debug code upstream, just in a disabled state by default. You could either
bracket it with #ifdefs or get fancy and allow it at runtime with '-sandbox
debug' or something similar.

On 11/02/2012 10:46 AM, Paul Moore wrote:
> On Friday, November 02, 2012 10:43:41 AM Corey Bryant wrote:
>> On 11/02/2012 10:38 AM, Paul Moore wrote:
>>> On Friday, November 02, 2012 10:10:02 AM Paul Moore wrote:
>>>> On Friday, November 02, 2012 09:48:55 AM Corey Bryant wrote:
>>>>> On 11/01/2012 05:43 PM, Paul Moore wrote:
>>>>>> On Tuesday, October 23, 2012 03:55:29 AM Eduardo Otubo wrote:
>>>>>>> According to the bug 855162[0] - there's the need of adding new
>>>>>>> syscalls
>>>>>>> to the whitelist when using Qemu with Libvirt.
>>>>>>>
>>>>>>> [0] - https://bugzilla.redhat.com/show_bug.cgi?id=855162
>>>>>>>
>>>>>>> v2: Adding new syscalls to the list: readlink, rt_sigpending, and
>>>>>>>
>>>>>>> rt_sigtimedwait
>>>>>>>
>>>>>>> Reported-by: Paul Moore <pmoore@redhat.com>
>>>>>>> Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
>>>>>>> ---
>>>>>>>
>>>>>>> qemu-seccomp.c | 13 ++++++++++++-
>>>>>>> 1 file changed, 12 insertions(+), 1 deletion(-)
>>>>>>
>>>>>> I had an opportunity to test this patchset on a F17 machine using QEMU
>>>>>> 1.2
>>>>>> and unfortunately it still fails. I'm using a relatively basic guest
>>>>>> configuration running F16, the details are documented in the RH BZ that
>>>>>> Eduardo mentioned in the patch description.
>>>>>
>>>>> Paul, Here's the latest diff for the whitelist. We're looking to get
>>>>> the patches out in the next few days after a bit more testing.
>>>>
>>>> Okay, thanks for the updated list ... I'm rebuilding QEMU right now and
>>>> I'll report back with the results later today.
>>>
>>> Sadly, no luck, it still fails.
>>
>> Hmm, let me send you the current patch set off-line, which includes
>> debug support to write the failing syscall out. If you don't mind could
>> you try it out?
>
> Sure, no problem.
>
> On a related note, I think it would be a *really* good idea to also submit the
> debug code upstream, just in a disabled state by default. You could either
> bracket it with #ifdefs or get fancy and allow it at runtime with '-sandbox
> debug' or something similar.
>

I agree. That's the plan with the v3 patch series. We'll get them out in
the next few days.

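
The debug support discussed in the messages above (report which syscall the filter rejected instead of failing silently) can be sketched as follows. This is an added example, not code from the QEMU patch set mentioned in the thread: it uses a raw seccomp-BPF filter with `SECCOMP_RET_TRAP` and a `SIGSYS` handler, and `trap_and_report`, `on_sigsys` and `last_trapped` are hypothetical names.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

/* Number of the last syscall the filter trapped, or -1 if none yet. */
static volatile sig_atomic_t last_trapped = -1;

/* SIGSYS handler: the kernel puts the offending syscall number in si_syscall.
 * Only async-signal-safe work is allowed here, so just record it. */
static void on_sigsys(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    last_trapped = si->si_syscall;
}

/* Install a filter that traps nr_blocked and allows everything else, call it,
 * and return the number the handler recorded (-1 if setup failed).
 * Demo filter only: a production filter also checks seccomp_data.arch. */
int trap_and_report(long nr_blocked)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)nr_blocked, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),  /* SIGSYS instead of kill */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = 4, .filter = prog };
    struct sigaction sa = { .sa_sigaction = on_sigsys, .sa_flags = SA_SIGINFO };

    last_trapped = -1;
    if (sigaction(SIGSYS, &sa, NULL) != 0 ||
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) != 0)
        return -1;
    syscall(nr_blocked);  /* skipped by the kernel; the handler runs instead */
    return last_trapped;
}

int main(void)
{
    /* set_tid_address is one of the syscalls the patch on this page adds. */
    printf("trapped syscall nr %d\n", trap_and_report(SYS_set_tid_address));
    return 0;
}
```

The filter stays installed for the rest of the process, as it would in a sandboxed emulator, so each later rejected call is recorded the same way.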
diff --git a/qemu-seccomp.c b/qemu-seccomp.c index 64329a3..81aaf74 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -45,6 +45,12 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = { { SCMP_SYS(access), 245 }, { SCMP_SYS(prctl), 245 }, { SCMP_SYS(signalfd), 245 }, + { SCMP_SYS(getrlimit), 245 }, + { SCMP_SYS(set_tid_address), 245 }, + { SCMP_SYS(socketpair), 245 }, + { SCMP_SYS(statfs), 245 }, + { SCMP_SYS(unlink), 245 }, + { SCMP_SYS(wait4), 245 }, #if defined(__i386__) { SCMP_SYS(fcntl64), 245 },
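
Review bot: the six entries added after `signalfd` (getrlimit, set_tid_address, socketpair, statfs, unlink, wait4) come with no comment or description saying which QEMU or libvirt code path needs each one, so a reader cannot tell a required call from one that was allowed only to get past a test run. unlink, socketpair and wait4 deserve individual justification, since they let the sandboxed process remove files, create socket pairs and reap children. Each new entry also reuses the value 245 from the neighbouring lines without saying whether that is intended. Paul Moore reports in this thread that the guest still fails with this list, so I would land the debug support that prints the rejected syscall first and derive the remaining entries from its output.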