On 20/07/2018 - 17:44:25, Marc-André Lureau wrote: > The upcoming libseccomp release should have SCMP_ACT_KILL_PROCESS > action (https://github.com/seccomp/libseccomp/issues/96). > > SCMP_ACT_KILL_PROCESS is preferable to immediately terminate the > offending process, rather than having the SIGSYS handler running. > > Use SECCOMP_GET_ACTION_AVAIL to check availability of kernel support, > as libseccomp will fallback on SCMP_ACT_KILL otherwise, and we still > prefer SCMP_ACT_TRAP. > > Signed-off-by: Marc-André Lureau <marcandre.lur...@redhat.com> > --- > qemu-seccomp.c | 30 +++++++++++++++++++++++++++++- > 1 file changed, 29 insertions(+), 1 deletion(-) > > diff --git a/qemu-seccomp.c b/qemu-seccomp.c > index b117a92559..505887d5af 100644 > --- a/qemu-seccomp.c > +++ b/qemu-seccomp.c > @@ -20,6 +20,7 @@ > #include <sys/prctl.h> > #include <seccomp.h> > #include "sysemu/seccomp.h" > +#include <linux/seccomp.h> > > /* For some architectures (notably ARM) cacheflush is not supported until > * libseccomp 2.2.3, but configure enforces that we are using a more recent 
> @@ -107,12 +108,39 @@ static const struct QemuSeccompSyscall blacklist[] = { > { SCMP_SYS(sched_get_priority_min), QEMU_SECCOMP_SET_RESOURCECTL }, > }; > > +static inline int > +qemu_seccomp(unsigned int operation, unsigned int flags, void *args) > +{ > +#ifdef __NR_seccomp > + return syscall(__NR_seccomp, operation, flags, args); > +#else > + return -1; > +#endif > +} > + > +static uint32_t qemu_seccomp_get_kill_action(void) > +{ > +#if defined(SECCOMP_GET_ACTION_AVAIL) && defined(SCMP_ACT_KILL_PROCESS) && \ > + defined(SECCOMP_RET_KILL_PROCESS) > + { > + uint32_t action = SECCOMP_RET_KILL_PROCESS; > + > + if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) { > + return SCMP_ACT_KILL_PROCESS; > + } > + } > +#endif > + > + return SCMP_ACT_TRAP; > +} > + > > static int seccomp_start(uint32_t seccomp_opts) > { > int rc = 0; > unsigned int i = 0; > scmp_filter_ctx ctx; > + uint32_t action = qemu_seccomp_get_kill_action(); > > ctx = seccomp_init(SCMP_ACT_ALLOW); > if (ctx == NULL) { > @@ -125,7 +153,7 @@ static int seccomp_start(uint32_t seccomp_opts) > continue; > } > > - rc = seccomp_rule_add_array(ctx, SCMP_ACT_TRAP, blacklist[i].num, > + rc = seccomp_rule_add_array(ctx, action, blacklist[i].num, > blacklist[i].narg, blacklist[i].arg_cmp); > if (rc < 0) { > goto seccomp_return; > -- > 2.18.0.232.gb7bd9486b0 >
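Review bot: In the first hunk, `#include <linux/seccomp.h>` is added after the local `"sysemu/seccomp.h"` include rather than next to the other system headers `<sys/prctl.h>` and `<seccomp.h>`; moving it up keeps system headers grouped, and a short comment that it is only needed for the `SECCOMP_GET_ACTION_AVAIL` and `SECCOMP_RET_KILL_PROCESS` constants used further down would help later readers.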
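Review bot: In the second hunk, the `#else` branch of `qemu_seccomp()` returns -1 without setting `errno`, so a caller cannot tell a build with no `__NR_seccomp` apart from a kernel that rejected the request; `errno = ENOSYS; return -1;` would make the failure explicit. The probe itself looks right: it passes a pointer to `SECCOMP_RET_KILL_PROCESS` to `SECCOMP_GET_ACTION_AVAIL`, returns `SCMP_ACT_KILL_PROCESS` only on a 0 result, and otherwise falls back to `SCMP_ACT_TRAP`, which matches the commit message's intent of not letting libseccomp silently downgrade to `SCMP_ACT_KILL`; a one-line comment above `qemu_seccomp_get_kill_action()` stating that preference would save the next reader a trip to the commit log. Minor style point: the added `+` blank line after the new function sits directly before the existing blank line, leaving two consecutive empty lines ahead of `seccomp_start()`; drop one.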
Acked-by: Eduardo Otubo <ot...@redhat.com> -- Eduardo Otubo