Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800

From 9acf4c64dd4560bd268006d7356c7455fab7e5b1 Mon Sep 17 00:00:00 2001
From: Changqing Li <changqing.li@windriver.com>
Date: Thu, 6 Sep 2018 14:52:12 +0800
Subject: [PATCH] seccomp: set the seccomp filter to all threads
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When using "-seccomp on", the seccomp policy is only applied to the
main thread, the vcpu worker thread and other worker threads created
after seccomp policy is applied; the seccomp policy is not applied to
e.g. the RCU thread because it is created before the seccomp policy is
applied and SECCOMP_FILTER_FLAG_TSYNC isn't used.

This can be verified with
for task in /proc/`pidof qemu`/task/*; do cat $task/status | grep Secc ; done
Seccomp: 2
Seccomp: 0
Seccomp: 0
Seccomp: 2
Seccomp: 2
Seccomp: 2

Starting with libseccomp 2.2.0 and kernel >= 3.17, we can use
seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1) to update the policy
on all threads.

The libseccomp requirement was bumped to 2.2.0 in the previous patch.
libseccomp should fail to set the filter if it can't honour
SCMP_FLTATR_CTL_TSYNC (untested), and thus -sandbox will now fail on
kernel < 3.17.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Acked-by: Eduardo Otubo <otubo@redhat.com>

Upstream-Status: Backport [https://github.com/qemu/qemu/commit/70dfabeaa79ba4d7a3b699abe1a047c8012db114#diff-18106d3b47a2d249f9d41e772b7db22d]

CVE: CVE-2018-15746

Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
 qemu-seccomp.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 9cd8eb9..ba5500a 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -120,6 +120,11 @@ static int seccomp_start(uint32_t seccomp_opts)
goto seccomp_return;
}

+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
+ if (rc != 0) {
+ goto seccomp_return;
+ }
+
for (i = 0; i < ARRAY_SIZE(blacklist); i++) {
if (!(seccomp_opts & blacklist[i].set)) {
continue;
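Review bot: the failure path added at the top of the hunk (`if (rc != 0) { goto seccomp_return; }`) propagates libseccomp's negative errno but emits no diagnostic, so an operator whose `-sandbox` start now fails on an older kernel, as the commit message says it will, cannot tell a rejected SCMP_FLTATR_CTL_TSYNC attribute apart from a malformed rule added in the loop below; consider reporting the attribute name and rc on this path (QEMU's error_report() fits), and replace the message's "(untested)" with an actual result on a kernel < 3.17 before merging, since this patch changes the sandbox from silently partial to hard-failing there.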
--
2.7.4

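The commit message's one-liner written out as a defender-side check, added here and not part of the patch or of QEMU: it walks a /proc/<pid>/task directory, reads the `Seccomp:` field from each thread's status file and lists every thread whose mode differs from the expected one (2 is SECCOMP_MODE_FILTER), returning the count as its exit status. Unlike `grep Secc`, it anchors on the exact `Seccomp:` key, so the separate `Seccomp_filters:` line that newer kernels also emit is not mistaken for a mode. The function names and the constructed sample tree (which reproduces the 2/0/0/2/2/2 output quoted in the commit message) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not QEMU code: verify that every thread of a process runs
# under the same seccomp mode, i.e. that the filter was applied with TSYNC.
#
# Usage: check_seccomp_threads /proc/$(pidof qemu-system-x86_64)/task [expected_mode]
# Exit status: number of threads whose mode differs (0 means all threads agree).
check_seccomp_threads() {
    taskdir=$1
    expected=${2:-2}          # 2 = SECCOMP_MODE_FILTER, 0 = no seccomp
    bad=0
    for task in "$taskdir"/*; do
        [ -f "$task/status" ] || continue
        # Match only the "Seccomp:" key; "Seccomp_filters:" on newer kernels
        # must not be picked up, which is why a bare 'grep Secc' is too loose.
        mode=$(awk '/^Seccomp:/ { print $2 }' "$task/status")
        if [ "$mode" != "$expected" ]; then
            echo "thread $(basename "$task"): Seccomp=${mode:-missing} (expected $expected)"
            bad=$((bad + 1))
        fi
    done
    return $bad               # shell truncates at 255; fine for thread counts
}

# Constructed sample task tree (not a real process) reproducing the commit
# message's observation: threads 2 and 3, created before the filter was
# loaded without TSYNC, still report Seccomp: 0.
make_sample_tree() {
    dir=$(mktemp -d)
    i=0
    for mode in 2 0 0 2 2 2; do
        i=$((i + 1))
        mkdir -p "$dir/$i"
        printf 'Name:\tqemu-system\nSeccomp:\t%s\n' "$mode" > "$dir/$i/status"
    done
    echo "$dir"
}

# Stand-alone use: pass a real task directory, e.g.
#   sh check_seccomp.sh /proc/$(pidof qemu-system-x86_64)/task 2
if [ $# -gt 0 ]; then
    check_seccomp_threads "$1" "${2:-2}"
fi
```

Run against a QEMU started with the patched binary, the function should print nothing and exit 0; against the pre-patch behaviour it names exactly the threads (RCU thread and any other pre-sandbox thread) that escaped the filter.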