From patchwork Wed Oct 24 15:39:02 2012
X-Patchwork-Submitter: Corey Bryant
X-Patchwork-Id: 193838
Message-ID: <50880B96.20802@linux.vnet.ibm.com>
Date: Wed, 24 Oct 2012 11:39:02 -0400
From: Corey Bryant
To: Paolo Bonzini
Cc: pmoore@redhat.com, aliguori@us.ibm.com, qemu-devel@nongnu.org, Eduardo Otubo
Subject: Re: [Qemu-devel] [PATCH 4/4] Warning messages on net devices hotplug
In-Reply-To: <5088078B.3070002@redhat.com>
References: <1350479712-15082-1-git-send-email-otubo@linux.vnet.ibm.com> <1350479712-15082-4-git-send-email-otubo@linux.vnet.ibm.com> <50801D29.2080305@redhat.com> <5087F899.2030604@linux.vnet.ibm.com> <5088078B.3070002@redhat.com>

On 10/24/2012 11:21 AM, Paolo Bonzini wrote:
> On 24/10/2012 16:18, Corey Bryant wrote:
>>
>>
>> On 10/18/2012 11:15 AM, Paolo Bonzini wrote:
>>> On 17/10/2012 15:15, Eduardo Otubo wrote:
>>>> With the inclusion of the new "double whitelist" seccomp filter, Qemu
>>>> won't be able to execve() in runtime, thus, no hotplug net devices
>>>> allowed.
>>>>
>>>> Signed-off-by: Eduardo Otubo
>>>
>>> Please check this in net_init_tap instead. When using libvirt, hotplug
>>> is done with a completely different mechanism that involves
>>> file-descriptor passing and does not require executing a helper.
>>>
>>> Paolo
>>>
>>
>> Are you sure net_init_tap() is the right place for this check?
>
> Yes, assuming there is a global that says whether the seccomp sandbox is
> in effect. Even something like "if (sandbox_active && !tap->has_fd)
> error(...)" can be enough.
>
> Paolo
>

What do you think about this? It moves the checks into the functions that actually cause execve() to be called, and it only prevents the commands after QEMU is done with initialization in main().

diff --git a/net/tap.c b/net/tap.c index df89caa..7a8a234 100644 --- a/net/tap.c +++ b/net/tap.c @@ -352,6 +352,14 @@ static int launch_script(const char *setup_script, const char *ifname, int fd) char *args[3]; char **parg; +#ifdef CONFIG_SECCOMP + if (!runstate_is_prelaunch()) { + error_report("Cannot execute network script from QEMU monitor " + "when -sandbox is in effect"); + return -1; + } +#endif + /* try to launch network script */ pid = fork(); if (pid == 0) { @@ -426,6 +434,14 @@ static int net_bridge_run_helper(const char *helper, const char *bridge) char **parg; int sv[2]; +#ifdef CONFIG_SECCOMP + if (!runstate_is_prelaunch()) { + error_report("Cannot execute network helper from QEMU monitor " + "when -sandbox is in effect"); + return -1; + } +#endif + sigemptyset(&mask); sigaddset(&mask, SIGCHLD); sigprocmask(SIG_BLOCK, &mask, &oldmask); diff --git a/sysemu.h b/sysemu.h index 0c39a3a..37d8c7d 100644 --- a/sysemu.h +++ b/sysemu.h @@ -23,6 +23,7 @@ void runstate_init(void); bool runstate_check(RunState state); void runstate_set(RunState new_state); int runstate_is_running(void); +int runstate_is_prelaunch(void); typedef struct vm_change_state_entry VMChangeStateEntry; typedef void VMChangeStateHandler(void *opaque, int running, RunState state);
diff --git a/vl.c b/vl.c index c7e88ff..b19b9fa 100644 --- a/vl.c +++ b/vl.c @@ -432,6 +432,11 @@ int runstate_is_running(void) return runstate_check(RUN_STATE_RUNNING); } +int runstate_is_prelaunch(void) +{ + return runstate_check(RUN_STATE_PRELAUNCH); +} + StatusInfo *qmp_query_status(Error **errp) { StatusInfo *info = g_malloc0(sizeof(*info));
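Review bot: the guard added to launch_script() is compiled in under #ifdef CONFIG_SECCOMP but never tests whether -sandbox was actually enabled at runtime, while the message it prints claims the refusal happens "when -sandbox is in effect"; on a CONFIG_SECCOMP build started without -sandbox, a monitor netdev_add that names a script will be refused for no reason. Paolo's suggestion upthread was a runtime global, so gate the check on that, e.g. `if (sandbox_active && !runstate_is_prelaunch())`, rather than on the build option alone. The prelaunch test is also only a proxy for "still inside main()": confirm that PRELAUNCH is the only runstate the process can be in while the command-line net clients are initialised (otherwise a startup script would be refused), and conversely that a guest held in PRELAUNCH by -S does not leave this path open from the monitor after the filter is installed.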
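Review bot: the block added to net_bridge_run_helper() is a verbatim copy of the one in launch_script(), differing only in the word "helper" in the message; factor it into one static predicate (say `sandbox_forbids_exec()`, a name suggested here, not in the patch) that both callers test, so whatever runtime condition the check settles on is maintained in a single place. Returning -1 before sigemptyset()/sigprocmask() is fine here since nothing has been set up yet.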
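Review bot: the new prototype in sysemu.h copies the int return type of runstate_is_running(), but runstate_check() two lines above already returns bool; declare runstate_is_prelaunch() as bool for consistency, and add a one-line comment stating that it only reports that the VM has not been started, not that initialisation has completed, since the net/tap.c callers rely on the latter reading.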
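Review bot: the vl.c implementation is a one-line wrapper mirroring runstate_is_running() directly above it, which is fine; if the declaration is changed to bool, change the definition here to match. Given that its only consumers use it to decide whether fork()/execve() is still permitted under the sandbox, a predicate named for that purpose and kept next to the seccomp setup would read more clearly than a generic runstate query.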