| From 9acf4c64dd4560bd268006d7356c7455fab7e5b1 Mon Sep 17 00:00:00 2001 |
| From: Changqing Li <changqing.li@windriver.com> |
| Date: Thu, 6 Sep 2018 14:52:12 +0800 |
| Subject: [PATCH] seccomp: set the seccomp filter to all threads |
| MIME-Version: 1.0 |
| Content-Type: text/plain; charset=UTF-8 |
| Content-Transfer-Encoding: 8bit |
| |
| When using "-seccomp on", the seccomp policy is only applied to the |
| main thread, the vcpu worker thread and other worker threads created |
| after seccomp policy is applied; the seccomp policy is not applied to |
| e.g. the RCU thread because it is created before the seccomp policy is |
| applied and SECCOMP_FILTER_FLAG_TSYNC isn't used. |
| |
| This can be verified with |
| for task in /proc/`pidof qemu`/task/*; do cat $task/status | grep Secc ; done |
| Seccomp: 2 |
| Seccomp: 0 |
| Seccomp: 0 |
| Seccomp: 2 |
| Seccomp: 2 |
| Seccomp: 2 |
| |
| Starting with libseccomp 2.2.0 and kernel >= 3.17, we can use |
| seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1) to update the policy |
| on all threads. |
| |
| The libseccomp requirement was bumped to 2.2.0 in the previous patch. |
| libseccomp should fail to set the filter if it can't honour |
| SCMP_FLTATR_CTL_TSYNC (untested), and thus -sandbox will now fail on |
| kernel < 3.17. |
| |
| Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> |
| Acked-by: Eduardo Otubo <otubo@redhat.com> |
| |
| Upstream-Status: Backport[https://github.com/qemu/qemu/commit/70dfabeaa79ba4d7a3b699abe1a047c8012db114#diff-18106d3b47a2d249f9d41e772b7db22d] |
| |
| CVE: CVE-2018-15746 |
| |
| Signed-off-by: Changqing Li <changqing.li@windriver.com> |
| --- |
| qemu-seccomp.c | 5 +++++ |
| 1 file changed, 5 insertions(+) |
| |
| diff --git a/qemu-seccomp.c b/qemu-seccomp.c |
| index 9cd8eb9..ba5500a 100644 |
| --- a/qemu-seccomp.c |
| +++ b/qemu-seccomp.c |
| @@ -120,6 +120,11 @@ static int seccomp_start(uint32_t seccomp_opts) |
| goto seccomp_return; |
| } |
| |
| + rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1); |
| + if (rc != 0) { |
| + goto seccomp_return; |
| + } |
| + |
| for (i = 0; i < ARRAY_SIZE(blacklist); i++) { |
| if (!(seccomp_opts & blacklist[i].set)) { |
| continue; |
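Review bot: the `if (rc != 0) goto seccomp_return;` after the new seccomp_attr_set() call drops the reason for the failure; since SCMP_FLTATR_CTL_TSYNC is the one attribute that can be unknown to an older libseccomp, a diagnostic at this point (for example "failed to enable seccomp thread sync") would let a user tell that case apart from the other ways seccomp_start() can fail. Note also that setting the attribute only records the flag in the libseccomp context: the kernel's support for SECCOMP_FILTER_FLAG_TSYNC (3.17+) is exercised when seccomp_load() later issues the seccomp(2) call with that flag, so the "-sandbox will now fail on kernel < 3.17" behaviour described in the commit message materialises at load time, not at this check. Placing the call before the blacklist loop is otherwise fine, as the attribute is independent of the rules added afterwards.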
| -- |
| 2.7.4 |
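The following program is an added example, not QEMU or libseccomp code, that reproduces the behaviour the commit message describes with raw seccomp(2): a thread created before the filter is installed stays unfiltered unless SECCOMP_FILTER_FLAG_TSYNC is passed. Instead of reading the `Seccomp:` lines from /proc (which cannot distinguish a new filter from one a container runtime already installed), the constructed filter makes getppid() fail with EPERM, and each thread probes that call. The experiment runs in a forked child because a filter cannot be removed again; the function names, the use of getppid() as the probe and the exit-code encoding are this example's own choices.

```c
/* Added example (not QEMU code): does a seccomp filter reach a thread that
 * already existed when the filter was installed? Linux only, unprivileged. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define DEMO_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Constructed filter: deny getppid() with EPERM, allow everything else.
 * The arch check stops the syscall number being read under a foreign ABI. */
static struct sock_filter demo_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Load the filter for the calling thread, with or without TSYNC. With TSYNC a
 * failure returns the tid of the thread that could not be synced, so compare
 * against 0 rather than -1. Returns 0 on success, -1 otherwise. */
static int install_filter(int tsync)
{
    struct sock_fprog prog = {
        .len = sizeof(demo_filter) / sizeof(demo_filter[0]),
        .filter = demo_filter,
    };
    unsigned int flags = tsync ? SECCOMP_FILTER_FLAG_TSYNC : 0;
    return syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, flags, &prog) == 0 ? 0 : -1;
}

/* 1 if the filter blocks getppid() on the calling thread, 0 if it runs. */
static int getppid_blocked(void)
{
    errno = 0;
    return (getppid() == (pid_t)-1 && errno == EPERM) ? 1 : 0;
}

static pthread_barrier_t demo_barrier;

static void *worker_main(void *arg)
{
    (void)arg;
    pthread_barrier_wait(&demo_barrier); /* wait until main has installed the filter */
    return (void *)(intptr_t)getppid_blocked();
}

/* Returns 1 if a thread created BEFORE the filter ends up filtered, 0 if it
 * does not, -1 if the experiment cannot run here (seccomp(2) denied or
 * unavailable). Runs in a forked child so the caller's process is untouched. */
static int filter_reaches_existing_thread(int tsync)
{
    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        pthread_t worker;
        void *worker_result;
        /* no_new_privs is per thread: set it before cloning so the worker inherits it */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
            _exit(100);
        pthread_barrier_init(&demo_barrier, NULL, 2);
        if (pthread_create(&worker, NULL, worker_main, NULL) != 0)
            _exit(100);
        if (install_filter(tsync) != 0)
            _exit(101);
        int main_blocked = getppid_blocked();
        pthread_barrier_wait(&demo_barrier);
        pthread_join(worker, &worker_result);
        _exit((main_blocked << 1) | (int)(intptr_t)worker_result); /* encode both probes */
    }
    int status;
    if (waitpid(child, &status, 0) != child || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    if (code >= 100 || !((code >> 1) & 1)) /* setup failed, or installer itself unfiltered */
        return -1;
    return code & 1;
}

int main(void)
{
    for (int tsync = 0; tsync <= 1; tsync++) {
        int r = filter_reaches_existing_thread(tsync);
        printf("%s: pre-existing worker thread is %s\n",
               tsync ? "with TSYNC" : "without TSYNC",
               r < 0 ? "(could not test here)" : r ? "filtered" : "NOT filtered");
    }
    return 0;
}
```

Run it on a normal Linux host and the first line reports the worker as NOT filtered, the second as filtered; that difference is exactly what `for task in /proc/$(pidof qemu)/task/*` shows as a mix of `Seccomp: 0` and `Seccomp: 2` before this patch. If the host or container already denies seccomp(2), the function returns -1 rather than guessing.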
| |