
seccomp missing calls in 2.7.0?

Message ID f526ac72-1864-3f35-666d-bce4d93d15e5@gameservers.com
State New

Commit Message

Brian Rak Sept. 13, 2016, 7:17 p.m. UTC
getrusage is used in a number of places throughout the qemu codebase
(notably, in crypto/pbkdf.c).
Without this syscall being whitelisted, qemu ends up getting killed by
the kernel whenever you try to connect to a VNC console.
---
  qemu-seccomp.c | 1 +
  1 file changed, 1 insertion(+)

      { SCMP_SYS(unlink), 245 },
--
2.8.2


On 9/13/2016 4:12 AM, Eduardo Otubo wrote:
> On Wed, Sep 7, 2016 at 9:55 PM, Brian Rak <brak@gameservers.com> wrote:
>> --- src_clean/qemu-seccomp.c    2016-09-02 11:34:22.000000000 -0400
>> +++ src/qemu-seccomp.c    2016-09-06 11:28:23.189162653 -0400
>> @@ -65,6 +65,7 @@
>>       { SCMP_SYS(prctl), 245 },
>>       { SCMP_SYS(signalfd), 245 },
>>       { SCMP_SYS(getrlimit), 245 },
>> +    { SCMP_SYS(getrusage), 245 },
>>       { SCMP_SYS(set_tid_address), 245 },
>>       { SCMP_SYS(statfs), 245 },
>>       { SCMP_SYS(unlink), 245 },
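Review bot: this is a raw `diff -u` of two local checkouts (`--- src_clean/qemu-seccomp.c` against `+++ src/qemu-seccomp.c`) with no `diff --git` header, index line or description, so it will not apply with `git am` and a maintainer has to re-create the commit by hand; regenerate it with `git format-patch` so the a/ and b/ paths, the commit message and the author metadata travel with the hunk. The one-line change itself, `+    { SCMP_SYS(getrusage), 245 },` between getrlimit and set_tid_address, is consistent with its neighbours.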
> Hi,
>
> Care to send a proper commit message, stating the use case, issues, etc?
>
> Thanks,
>
>>
>> On 9/6/2016 12:43 PM, Eduardo Otubo wrote:
>>
>> This feature is enabled by default in virt-test/avocado and yes lots of
>> people use it.
>>
>> Please send a patch and I'll merge it.
>>
>>
>> On Tue, Sep 6, 2016, 18:41 Brian Rak <brak@gameservers.com> wrote:
>>> I've been testing out 2.7.0 with seccomp support.  Whenever I connect to
>>> the VNC console, the process gets killed by the kernel.  dmesg shows:
>>>
>>> audit: type=1326 audit(1473175350.674:2): auid=0 uid=107 gid=107
>>> ses=423110 pid=32202 comm="qemu-kvm" exe="/bin/qemu-system-x86_64"
>>> sig=31 arch=c000003e syscall=98 compat=0 ip=0x7f2beba83477 code=0x0
>>>
>>> syscall 98 appears to be getrusage, which does not appear in
>>> qemu-seccomp.c.
>>>
>>> Is seccomp a supported feature these days?  I'm guessing it does not get
>>> a whole lot of use.
>>>
>>>
>
>
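
The dmesg record in the report above is the only evidence a seccomp kill leaves behind: sig=31 (SIGSYS), the audit arch, and a raw syscall number that is only meaningful for that arch (98 is getrusage on x86_64, 77 on i386). The program below is an added example for this page, not QEMU code and not from anyone in the thread. It parses such a record (the posted line, rejoined onto one line as constructed sample input), resolves the number against a small per-arch table that the example itself supplies, and prints the `qemu-seccomp.c` whitelist line that was missing. The table, struct and function names are the example's own; `AUDIT_ARCH_*` values are the kernel's.

```c
/* Triage helper for seccomp kill records (type=1326). Added example for this
 * thread, not QEMU code. The syscall table is constructed for the example and
 * covers only the calls named in the thread plus exit_group. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARCH_X86_64  0xc000003eUL /* AUDIT_ARCH_X86_64 from <linux/audit.h> */
#define ARCH_I386    0x40000003UL /* AUDIT_ARCH_I386 */
#define LINUX_SIGSYS 31           /* sig= written for a seccomp kill on x86 */

struct seccomp_event { unsigned long arch; long syscall; int sig; char comm[32]; };
struct sysname { unsigned long arch; long nr; const char *name; };

/* Same call, different number per arch: this is why qemu-seccomp.c writes
 * SCMP_SYS(name) instead of the number seen in dmesg. */
static const struct sysname table[] = {
    { ARCH_X86_64, 87, "unlink" }, { ARCH_X86_64, 97, "getrlimit" }, { ARCH_X86_64, 98, "getrusage" },
    { ARCH_X86_64, 137, "statfs" }, { ARCH_X86_64, 157, "prctl" }, { ARCH_X86_64, 218, "set_tid_address" },
    { ARCH_X86_64, 231, "exit_group" }, { ARCH_X86_64, 282, "signalfd" },
    { ARCH_I386, 10, "unlink" }, { ARCH_I386, 77, "getrusage" }, { ARCH_I386, 99, "statfs" },
    { ARCH_I386, 172, "prctl" }, { ARCH_I386, 252, "exit_group" }, { ARCH_I386, 258, "set_tid_address" },
    { ARCH_I386, 321, "signalfd" },
};

/* Copy the value of key=value from a space-separated audit record into out.
 * Whole-token matching keeps "uid=" from hitting inside "auid="; quotes around
 * a value (comm="qemu-kvm") are stripped. Returns 1 if the key was found. */
static int audit_field(const char *line, const char *key, char *out, size_t n)
{
    size_t klen = strlen(key), vlen;
    const char *p = line, *end, *v;
    for (; *p; p = end) {
        while (*p == ' ') p++;
        for (end = p; *end && *end != ' '; end++) {}
        if ((size_t)(end - p) <= klen || strncmp(p, key, klen) || p[klen] != '=')
            continue;
        v = p + klen + 1;
        vlen = (size_t)(end - v);
        if (vlen >= 2 && v[0] == '"' && v[vlen - 1] == '"') { v++; vlen -= 2; }
        if (vlen >= n) vlen = n - 1;
        memcpy(out, v, vlen);
        out[vlen] = '\0';
        return 1;
    }
    return 0;
}

/* Parse one record: 0 on success, -1 if it is not type=1326 or a field is missing. */
int parse_seccomp_event(const char *line, struct seccomp_event *ev)
{
    char buf[32];
    memset(ev, 0, sizeof *ev);
    if (!audit_field(line, "type", buf, sizeof buf) || strcmp(buf, "1326")) return -1;
    if (!audit_field(line, "arch", buf, sizeof buf)) return -1;
    ev->arch = strtoul(buf, NULL, 16);           /* the kernel prints arch in hex */
    if (!audit_field(line, "syscall", buf, sizeof buf)) return -1;
    ev->syscall = strtol(buf, NULL, 10);
    if (!audit_field(line, "sig", buf, sizeof buf)) return -1;
    ev->sig = (int)strtol(buf, NULL, 10);
    audit_field(line, "comm", ev->comm, sizeof ev->comm); /* optional, for the report */
    return 0;
}

/* Name a syscall number for the given audit arch, or NULL if not in the table. */
const char *syscall_name(unsigned long arch, long nr)
{
    size_t i;
    for (i = 0; i < sizeof table / sizeof *table; i++)
        if (table[i].arch == arch && table[i].nr == nr) return table[i].name;
    return NULL;
}

/* Render the qemu-seccomp.c line that would have allowed the call (245 is the
 * priority its neighbours in the patch use); -1 if not a SIGSYS kill or unknown. */
int suggest_whitelist_entry(const struct seccomp_event *ev, char *out, size_t n)
{
    const char *name = syscall_name(ev->arch, ev->syscall);
    if (ev->sig != LINUX_SIGSYS || !name) return -1;
    snprintf(out, n, "    { SCMP_SYS(%s), 245 },", name);
    return 0;
}

int main(void)
{
    /* Constructed sample: the record from the thread, rejoined onto one line. */
    static const char sample[] =
        "audit: type=1326 audit(1473175350.674:2): auid=0 uid=107 gid=107 "
        "ses=423110 pid=32202 comm=\"qemu-kvm\" exe=\"/bin/qemu-system-x86_64\" "
        "sig=31 arch=c000003e syscall=98 compat=0 ip=0x7f2beba83477 code=0x0";
    struct seccomp_event ev;
    char entry[64];
    if (parse_seccomp_event(sample, &ev) || suggest_whitelist_entry(&ev, entry, sizeof entry))
        return 1;
    printf("%s killed by SIGSYS on syscall %ld = %s; missing whitelist entry:\n%s\n",
           ev.comm, ev.syscall, syscall_name(ev.arch, ev.syscall), entry);
    return 0;
}
```

Run against a real box, the record comes from `dmesg` or `ausearch -m SECCOMP`; the table would be generated from the kernel's per-arch syscall headers rather than typed in, but the arch check stays, because a number taken from an i386 (`arch=40000003`) record and looked up in the x86_64 table silently names the wrong call.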

Comments

Markus Armbruster Sept. 19, 2016, 9:45 a.m. UTC | #1
Brian Rak <brak@gameservers.com> writes:

> getrusage is used in a number of places throughout the qemu codebase
> (notably, in crypto/pbkdf.c).
> Without this syscall being whitelisted, qemu ends up getting killed by
> the kernel whenever you try to connect to a VNC console.

The body of the commit message now looks good to me, but the headline is
still off.  It should be something like "seccomp: Add getrusage() to
whitelist".

Perhaps Eduardo is willing to touch it up on commit.  If not, you need
to resend your patch as a top-level message (not in reply to anything)
with the subject fixed.  Please consider using git-send-email.  Thanks!

http://wiki.qemu.org/Contribute/SubmitAPatch#Submitting_your_Patches
Eduardo Otubo Sept. 19, 2016, 9:47 a.m. UTC | #2
On Mon, Sep 19, 2016 at 11:45:47AM +0200, Markus Armbruster wrote:
> Brian Rak <brak@gameservers.com> writes:
> 
> > getrusage is used in a number of places throughout the qemu codebase
> > (notably, in crypto/pbkdf.c).
> > Without this syscall being whitelisted, qemu ends up getting killed by
> > the kernel whenever you try to connect to a VNC console.
> 
> The body of the commit message now looks good to me, but the headline is
> still off.  It should be something like "seccomp: Add getrusage() to
> whitelist".
> 
> Perhaps Eduardo is willing to touch it up on commit.  If not, you need
> to resend your patch as a top-level message (not in reply to anything)
> with the subject fixed.  Please consider using git-send-email.  Thanks!
> 
> http://wiki.qemu.org/Contribute/SubmitAPatch#Submitting_your_Patches

Yep, that's not a problem now. I'll fix that. But yeah, please stick to
the guidelines next time :)

Regards,

Patch

diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index cb569dc..df75d9c 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -65,6 +65,7 @@  static const struct QemuSeccompSyscall 
seccomp_whitelist[] = {
      { SCMP_SYS(prctl), 245 },
      { SCMP_SYS(signalfd), 245 },
      { SCMP_SYS(getrlimit), 245 },
+    { SCMP_SYS(getrusage), 245 },
      { SCMP_SYS(set_tid_address), 245 },
      { SCMP_SYS(statfs), 245 },
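Review bot: the commit message for this patch (at the top of the page) carries no Signed-off-by line, and the QEMU submission guidelines linked in the thread require one, so fixing the subject on commit is not enough; the author should resend with `git format-patch -s` so the sign-off arrives with the hunk. The hunk itself is right to use `SCMP_SYS(getrusage)` rather than the 98 from the dmesg record: 98 is getrusage only for arch=c000003e (x86_64), and libseccomp resolves the macro per architecture. Placing it next to getrlimit at priority 245 matches the neighbouring entries.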