Re: [Qemu-devel] seccomp missing calls in 2.7.0?

2016-09-19 Thread Eduardo Otubo
On Mon, Sep 19, 2016 at 11:45:47AM +0200, Markus Armbruster wrote:
> Brian Rak writes:
> 
> > getrusage is used in a number of places throughout the qemu codebase
> > (notably, in crypto/pbkdf.c).
> > Without this syscall being whitelisted, qemu ends up getting killed by
> > the kernel whenever you
> > try to connect to a VNC console.
> 
> The body of the commit message now looks good to me, but the headline is
> still off.  It should be something like "seccomp: Add getrusage() to
> whitelist".
> 
> Perhaps Eduardo is willing to touch it up on commit.  If not, you need
> to resend your patch as a top-level message (not in reply to anything)
> with the subject fixed.  Please consider using git-send-email.  Thanks!
> 
> http://wiki.qemu.org/Contribute/SubmitAPatch#Submitting_your_Patches

Yep, that's not a problem now. I'll fix that. But yeah, please stick to
the guidelines next time :)

Regards,

-- 
Eduardo Otubo
ProfitBricks GmbH




Re: [Qemu-devel] seccomp missing calls in 2.7.0?

2016-09-19 Thread Markus Armbruster
Brian Rak writes:

> getrusage is used in a number of places throughout the qemu codebase
> (notably, in crypto/pbkdf.c).
> Without this syscall being whitelisted, qemu ends up getting killed by
> the kernel whenever you
> try to connect to a VNC console.

The body of the commit message now looks good to me, but the headline is
still off.  It should be something like "seccomp: Add getrusage() to
whitelist".

Perhaps Eduardo is willing to touch it up on commit.  If not, you need
to resend your patch as a top-level message (not in reply to anything)
with the subject fixed.  Please consider using git-send-email.  Thanks!

http://wiki.qemu.org/Contribute/SubmitAPatch#Submitting_your_Patches



Re: [Qemu-devel] seccomp missing calls in 2.7.0?

2016-09-13 Thread Brian Rak
getrusage is used in a number of places throughout the qemu codebase
(notably, in crypto/pbkdf.c).
Without this syscall being whitelisted, qemu ends up getting killed by
the kernel whenever you try to connect to a VNC console.
---
 qemu-seccomp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index cb569dc..df75d9c 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -65,6 +65,7 @@ static const struct QemuSeccompSyscall 
seccomp_whitelist[] = {

 { SCMP_SYS(prctl), 245 },
 { SCMP_SYS(signalfd), 245 },
 { SCMP_SYS(getrlimit), 245 },
+{ SCMP_SYS(getrusage), 245 },
 { SCMP_SYS(set_tid_address), 245 },
 { SCMP_SYS(statfs), 245 },
 { SCMP_SYS(unlink), 245 },
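
Review bot: The `@@ -65,6 +65,7 @@` header of this hunk is wrapped onto a second line (`seccomp_whitelist[] = {` sits on its own line, followed by an empty line), which points to the mail client reflowing the patch. As shown here it is unlikely to apply with git am, so resend it with git send-email or as an unmodified attachment. The message above the `---` separator also has no Signed-off-by line.
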
--
2.8.2


On 9/13/2016 4:12 AM, Eduardo Otubo wrote:

On Wed, Sep 7, 2016 at 9:55 PM, Brian Rak wrote:

--- src_clean/qemu-seccomp.c2016-09-02 11:34:22.0 -0400
+++ src/qemu-seccomp.c2016-09-06 11:28:23.189162653 -0400
@@ -65,6 +65,7 @@
  { SCMP_SYS(prctl), 245 },
  { SCMP_SYS(signalfd), 245 },
  { SCMP_SYS(getrlimit), 245 },
+{ SCMP_SYS(getrusage), 245 },
  { SCMP_SYS(set_tid_address), 245 },
  { SCMP_SYS(statfs), 245 },
  { SCMP_SYS(unlink), 245 },

Hi,

Care to send a proper commit message, stating the use case, issues, etc?

Thanks,



On 9/6/2016 12:43 PM, Eduardo Otubo wrote:

This feature is enabled by default in virt-test/avocado and yes lots of
people use it.

Please send a patch and I'll merge it.


On Tue, Sep 6, 2016, 18:41 Brian Rak wrote:

I've been testing out 2.7.0 with seccomp support.  Whenever I connect to
the VNC console, the process gets killed by the kernel.  dmesg shows:

audit: type=1326 audit(1473175350.674:2): auid=0 uid=107 gid=107
ses=423110 pid=32202 comm="qemu-kvm" exe="/bin/qemu-system-x86_64"
sig=31 arch=c03e syscall=98 compat=0 ip=0x7f2beba83477 code=0x0

syscall 98 appears to be getrusage, which does not appear in
qemu-seccomp.c.

Is seccomp a supported feature these days?  I'm guessing it does not get
a whole lot of use.










Re: [Qemu-devel] seccomp missing calls in 2.7.0?

2016-09-13 Thread Eduardo Otubo
On Wed, Sep 7, 2016 at 9:55 PM, Brian Rak wrote:
> --- src_clean/qemu-seccomp.c2016-09-02 11:34:22.0 -0400
> +++ src/qemu-seccomp.c2016-09-06 11:28:23.189162653 -0400
> @@ -65,6 +65,7 @@
>  { SCMP_SYS(prctl), 245 },
>  { SCMP_SYS(signalfd), 245 },
>  { SCMP_SYS(getrlimit), 245 },
> +{ SCMP_SYS(getrusage), 245 },
>  { SCMP_SYS(set_tid_address), 245 },
>  { SCMP_SYS(statfs), 245 },
>  { SCMP_SYS(unlink), 245 },
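
Review bot: The added `{ SCMP_SYS(getrusage), 245 }` line reuses the literal 245 carried by every surrounding entry, and nothing in the hunk says what the second field controls or why the new syscall should share that value. A named constant, or a one-line comment above the table, would let a reviewer check the value instead of trusting a copy of the `getrlimit` line.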

Hi,

Care to send a proper commit message, stating the use case, issues, etc?

Thanks,

>
>
> On 9/6/2016 12:43 PM, Eduardo Otubo wrote:
>
> This feature is enabled by default in virt-test/avocado and yes lots of
> people use it.
>
> Please send a patch and I'll merge it.
>
>
> On Tue, Sep 6, 2016, 18:41 Brian Rak wrote:
>>
>> I've been testing out 2.7.0 with seccomp support.  Whenever I connect to
>> the VNC console, the process gets killed by the kernel.  dmesg shows:
>>
>> audit: type=1326 audit(1473175350.674:2): auid=0 uid=107 gid=107
>> ses=423110 pid=32202 comm="qemu-kvm" exe="/bin/qemu-system-x86_64"
>> sig=31 arch=c03e syscall=98 compat=0 ip=0x7f2beba83477 code=0x0
>>
>> syscall 98 appears to be getrusage, which does not appear in
>> qemu-seccomp.c.
>>
>> Is seccomp a supported feature these days?  I'm guessing it does not get
>> a whole lot of use.
>>
>>
>



-- 
Eduardo Otubo
ProfitBricks



Re: [Qemu-devel] seccomp missing calls in 2.7.0?

2016-09-07 Thread Brian Rak

--- src_clean/qemu-seccomp.c2016-09-02 11:34:22.0 -0400
+++ src/qemu-seccomp.c2016-09-06 11:28:23.189162653 -0400
@@ -65,6 +65,7 @@
 { SCMP_SYS(prctl), 245 },
 { SCMP_SYS(signalfd), 245 },
 { SCMP_SYS(getrlimit), 245 },
+{ SCMP_SYS(getrusage), 245 },
 { SCMP_SYS(set_tid_address), 245 },
 { SCMP_SYS(statfs), 245 },
 { SCMP_SYS(unlink), 245 },
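
Review bot: The file header lines (`--- src_clean/qemu-seccomp.c`, `+++ src/qemu-seccomp.c`, each with a timestamp) show a diff taken between two directory copies, so the one-line addition arrives with no commit message, author or Signed-off-by. Generate it from a git commit with git format-patch and state in the message which caller needs getrusage, so the reason for widening the whitelist can be reviewed alongside the change.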


On 9/6/2016 12:43 PM, Eduardo Otubo wrote:


This feature is enabled by default in virt-test/avocado and yes lots 
of people use it.


Please send a patch and I'll merge it.


On Tue, Sep 6, 2016, 18:41 Brian Rak wrote:


I've been testing out 2.7.0 with seccomp support.  Whenever I connect to
the VNC console, the process gets killed by the kernel.  dmesg shows:

audit: type=1326 audit(1473175350.674:2): auid=0 uid=107 gid=107
ses=423110 pid=32202 comm="qemu-kvm" exe="/bin/qemu-system-x86_64"
sig=31 arch=c03e syscall=98 compat=0 ip=0x7f2beba83477 code=0x0

syscall 98 appears to be getrusage, which does not appear in
qemu-seccomp.c.

Is seccomp a supported feature these days?  I'm guessing it does not get
a whole lot of use.






Re: [Qemu-devel] seccomp missing calls in 2.7.0?

2016-09-06 Thread Eduardo Otubo
This feature is enabled by default in virt-test/avocado and yes lots of
people use it.

Please send a patch and I'll merge it.

On Tue, Sep 6, 2016, 18:41 Brian Rak wrote:

> I've been testing out 2.7.0 with seccomp support.  Whenever I connect to
> the VNC console, the process gets killed by the kernel.  dmesg shows:
>
> audit: type=1326 audit(1473175350.674:2): auid=0 uid=107 gid=107
> ses=423110 pid=32202 comm="qemu-kvm" exe="/bin/qemu-system-x86_64"
> sig=31 arch=c03e syscall=98 compat=0 ip=0x7f2beba83477 code=0x0
>
> syscall 98 appears to be getrusage, which does not appear in
> qemu-seccomp.c.
>
> Is seccomp a supported feature these days?  I'm guessing it does not get
> a whole lot of use.
>
>
>
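
Added example (not part of the thread and not QEMU code): the triage described in the report above, turning a type=1326 seccomp audit record into a syscall name and checking it against a whitelist. Assumptions: the syscall table is a small constructed x86_64 subset, the whitelist holds only the entries visible in the patch context, and the sample records are constructed, with the arch field written in full as c000003e.

```python
import re

# Constructed subset of the x86_64 syscall table (number -> name).
X86_64_SYSCALLS = {87: "unlink", 97: "getrlimit", 98: "getrusage", 137: "statfs",
                   157: "prctl", 218: "set_tid_address", 282: "signalfd"}
AUDIT_ARCH = {0xC000003E: "x86_64"}   # AUDIT_ARCH_X86_64
SIGSYS = 31                           # signal delivered on a seccomp kill
SECCOMP_RET_KILL = 0x0                # filter action reported in code=

# Only the entries visible around the patched line, not QEMU's full list.
WHITELIST_BEFORE = {"prctl", "signalfd", "getrlimit",
                    "set_tid_address", "statfs", "unlink"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records modelled on the one quoted in the thread.
SAMPLE_KILL = ('audit: type=1326 audit(1473175350.674:2): auid=0 uid=107 gid=107 '
               'ses=423110 pid=32202 comm="qemu-kvm" exe="/bin/qemu-system-x86_64" '
               'sig=31 arch=c000003e syscall=98 compat=0 ip=0x7f2beba83477 code=0x0')
SAMPLE_OTHER = 'audit: type=1400 audit(1473175351.000:3): apparmor="DENIED" pid=1'

def parse_seccomp_record(line):
    """Return the key=value fields of a type=1326 (seccomp) record, else None."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return fields if fields.get("type") == "1326" else None

def triage(line, whitelist):
    """Decode one audit line and say whether the syscall is missing from whitelist."""
    rec = parse_seccomp_record(line)
    if rec is None:
        return None
    arch = AUDIT_ARCH.get(int(rec["arch"], 16))
    nr = int(rec["syscall"])
    # Syscall numbers are per-architecture; only resolve names for a known arch.
    name = X86_64_SYSCALLS.get(nr) if arch == "x86_64" else None
    return {
        "exe": rec.get("exe"),
        "pid": int(rec["pid"]),
        "arch": arch or rec["arch"],
        "syscall_nr": nr,
        "syscall": name,   # None means: not in the constructed table
        "killed_by_sigsys": int(rec["sig"]) == SIGSYS,
        "action_kill": int(rec["code"], 16) == SECCOMP_RET_KILL,
        "missing_from_whitelist": name is not None and name not in whitelist,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_KILL, WHITELIST_BEFORE))
```

Running the same record against `WHITELIST_BEFORE | {"getrusage"}` models the table after the patch and clears the `missing_from_whitelist` flag.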