seccomp: check TSYNC host capability

Remove -sandbox option if the host is not capable of TSYNC, since the
sandbox will fail at setup time otherwise. This will help libvirt, for
ex, to figure out if -sandbox will work.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
---
 qemu-seccomp.c | 19 ++++++++++++++++++-
 vl.c           |  4 ++--
 2 files changed, 20 insertions(+), 3 deletions(-)

On 30/08/2018 - 16:33:48, Marc-André Lureau wrote:
> Remove -sandbox option if the host is not capable of TSYNC, since the
> sandbox will fail at setup time otherwise. This will help libvirt, for
> ex, to figure out if -sandbox will work.
> 
> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> ---
>  qemu-seccomp.c | 19 ++++++++++++++++++-
>  vl.c           |  4 ++--
>  2 files changed, 20 insertions(+), 3 deletions(-)
> 
> diff --git a/qemu-seccomp.c b/qemu-seccomp.c
> index 4729eb107f..1baa5c69ed 100644
> --- a/qemu-seccomp.c
> +++ b/qemu-seccomp.c
> @@ -282,7 +282,24 @@ static QemuOptsList qemu_sandbox_opts = {
>  
>  static void seccomp_register(void)
>  {
> -    qemu_add_opts(&qemu_sandbox_opts);
> +    bool add = false;
> +
> +    /* FIXME: use seccomp_api_get() >= 2 check when released */
> +
> +#if defined(SECCOMP_FILTER_FLAG_TSYNC)
> +    int check;
> +
> +    /* check host TSYNC capability, it returns errno == ENOSYS if unavailable */
> +    check = qemu_seccomp(SECCOMP_SET_MODE_FILTER,
> +                         SECCOMP_FILTER_FLAG_TSYNC, NULL);
> +    if (check < 0 && errno == EFAULT) {
> +        add = true;
> +    }
> +#endif
> +
> +    if (add) {
> +        qemu_add_opts(&qemu_sandbox_opts);
> +    }
>  }
>  opts_init(seccomp_register);
>  #endif
> diff --git a/vl.c b/vl.c
> index 408bff9c1e..70c2449b86 100644
> --- a/vl.c
> +++ b/vl.c
> @@ -4007,8 +4007,8 @@ int main(int argc, char **argv, char **envp)
>      }
>  
>  #ifdef CONFIG_SECCOMP
> -    if (qemu_opts_foreach(qemu_find_opts("sandbox"),
> -                          parse_sandbox, NULL, NULL)) {
> +    olist = qemu_find_opts_err("sandbox", NULL);
> +    if (olist && qemu_opts_foreach(olist, parse_sandbox, NULL, NULL)) {
>          exit(1);
>      }
>  #endif
> -- 
> 2.19.0.rc0.48.gb9dfa238d5
> 
Acked-by: Eduardo Otubo <otubo@redhat.com>

On Thu, Aug 30, 2018 at 04:33:48PM +0200, Marc-André Lureau wrote:
> Remove -sandbox option if the host is not capable of TSYNC, since the
> sandbox will fail at setup time otherwise. This will help libvirt, for
> ex, to figure out if -sandbox will work.
> 
> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

This seems to have introduced a regression, which I found when
preparing a ppc pull request.  Specifically when running with RHEL7 on
a POWER host, using "-sandbox off" which one of my tests did, causes a
cryptic error followed by a SEGV:

$ ./ppc64-softmmu/qemu-system-ppc64 -sandbox off
qemu-system-ppc64: -sandbox off: There is no option group 'sandbox'
Segmentation fault
$ ./x86_64-softmmu/qemu-system-x86_64 -sandbox off
qemu-system-x86_64: -sandbox off: There is no option group 'sandbox'
Segmentation fault

I think the problem is that while this wrapped one use of the sandbox
option group to produce a sensible error, it didn't do the same for
another call to qemu_opts_parse_noisily():

(gdb) bt
#0  0x00000000105b36d8 in opts_parse (list=0x0, params=0x3ffffffffab5 "off", permit_abbrev=true, defaults=false, errp=0x3ffffffff080)
    at util/qemu-option.c:829
#1  0x00000000105b3b74 in qemu_opts_parse_noisily (list=<optimized out>, params=<optimized out>, permit_abbrev=<optimized out>) at util/qemu-option.c:890
#2  0x0000000010024964 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:3589

I'm guessing RHEL7 triggers it because that has a version of
libseccomp that doesn't support the feature needed to complete
registration (maybe on ppc host only; I haven't had a chance to try on
an x86 RHEL7 host).

On 13/12/2018 04.24, David Gibson wrote:
> On Thu, Aug 30, 2018 at 04:33:48PM +0200, Marc-André Lureau wrote:
>> Remove -sandbox option if the host is not capable of TSYNC, since the
>> sandbox will fail at setup time otherwise. This will help libvirt, for
>> ex, to figure out if -sandbox will work.
>>
>> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> 
> This seems to have introduced a regression, which I found when
> preparing a ppc pull request.  Specifically when running with RHEL7 on
> a POWER host, using "-sandbox off" which one of my tests did, causes a
> cryptic error followed by a SEGV:
> 
> $ ./ppc64-softmmu/qemu-system-ppc64 -sandbox off
> qemu-system-ppc64: -sandbox off: There is no option group 'sandbox'
> Segmentation fault
> $ ./x86_64-softmmu/qemu-system-x86_64 -sandbox off
> qemu-system-x86_64: -sandbox off: There is no option group 'sandbox'
> Segmentation fault
> 
> I think the problem is that while this wrapped one use of the sandbox
> option group to produce a sensible error, it didn't do the same for
> another call to qemu_opts_parse_noisily():
> 
> (gdb) bt
> #0  0x00000000105b36d8 in opts_parse (list=0x0, params=0x3ffffffffab5 "off", permit_abbrev=true, defaults=false, errp=0x3ffffffff080)
>     at util/qemu-option.c:829
> #1  0x00000000105b3b74 in qemu_opts_parse_noisily (list=<optimized out>, params=<optimized out>, permit_abbrev=<optimized out>) at util/qemu-option.c:890
> #2  0x0000000010024964 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:3589
> 
> I'm guessing RHEL7 triggers it because that has a version of
> libseccomp that doesn't support the feature needed to complete
> registration (maybe on ppc host only; I haven't had a chance to try on
> an x86 RHEL7 host).

Andrea reported the same issue again today with QEMU v4.0 ...
Marc-André, have you ever had another look into this issue?

 Thomas

Hi

On Mon, Apr 29, 2019 at 3:22 PM Thomas Huth <thuth@redhat.com> wrote:
>
> On 13/12/2018 04.24, David Gibson wrote:
> > On Thu, Aug 30, 2018 at 04:33:48PM +0200, Marc-André Lureau wrote:
> >> Remove -sandbox option if the host is not capable of TSYNC, since the
> >> sandbox will fail at setup time otherwise. This will help libvirt, for
> >> ex, to figure out if -sandbox will work.
> >>
> >> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> >
> > This seems to have introduced a regression, which I found when
> > preparing a ppc pull request.  Specifically when running with RHEL7 on
> > a POWER host, using "-sandbox off" which one of my tests did, causes a
> > cryptic error followed by a SEGV:
> >
> > $ ./ppc64-softmmu/qemu-system-ppc64 -sandbox off
> > qemu-system-ppc64: -sandbox off: There is no option group 'sandbox'
> > Segmentation fault
> > $ ./x86_64-softmmu/qemu-system-x86_64 -sandbox off
> > qemu-system-x86_64: -sandbox off: There is no option group 'sandbox'
> > Segmentation fault
> >
> > I think the problem is that while this wrapped one use of the sandbox
> > option group to produce a sensible error, it didn't do the same for
> > another call to qemu_opts_parse_noisily():
> >
> > (gdb) bt
> > #0  0x00000000105b36d8 in opts_parse (list=0x0, params=0x3ffffffffab5 "off", permit_abbrev=true, defaults=false, errp=0x3ffffffff080)
> >     at util/qemu-option.c:829
> > #1  0x00000000105b3b74 in qemu_opts_parse_noisily (list=<optimized out>, params=<optimized out>, permit_abbrev=<optimized out>) at util/qemu-option.c:890
> > #2  0x0000000010024964 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:3589
> >
> > I'm guessing RHEL7 triggers it because that has a version of
> > libseccomp that doesn't support the feature needed to complete
> > registration (maybe on ppc host only; I haven't had a chance to try on
> > an x86 RHEL7 host).
>
> Andrea reported the same issue again today with QEMU v4.0 ...
> Marc-André, have you ever had another look into this issue?

Sorry, I thought this was already fixed and I forgot about it.

I just sent "[PATCH] vl: fix -sandbox parsing crash when seccomp
support is disabled".

thanks