[pve-qemu.git] / debian / patches / extra / 0001-seccomp-use-SIGSYS-signal-instead-of-killing-the-thr.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Wed, 22 Aug 2018 19:02:47 +0200
Subject: [PATCH] seccomp: use SIGSYS signal instead of killing the thread
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The seccomp action SCMP_ACT_KILL results in immediate termination of
the thread that made the bad system call. However, qemu being
multi-threaded, it keeps running. There is no easy way for parent
process / management layer (libvirt) to know about that situation.

Instead, the default SIGSYS handler when invoked with SCMP_ACT_TRAP
will terminate the program and core dump.

This may not be the most secure solution, but probably better than
just killing the offending thread. SCMP_ACT_KILL_PROCESS has been
added in Linux 4.14 to improve the situation, which I propose to use
by default if available in the next patch.

Related to:
https://bugzilla.redhat.com/show_bug.cgi?id=1594456

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Acked-by: Eduardo Otubo <otubo@redhat.com>
---
 qemu-seccomp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 9cd8eb9499..b117a92559 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -125,7 +125,7 @@ static int seccomp_start(uint32_t seccomp_opts)
             continue;
         }
 
-        rc = seccomp_rule_add_array(ctx, SCMP_ACT_KILL, blacklist[i].num,
+        rc = seccomp_rule_add_array(ctx, SCMP_ACT_TRAP, blacklist[i].num,
                                     blacklist[i].narg, blacklist[i].arg_cmp);
         if (rc < 0) {
             goto seccomp_return;
-- 
2.11.0
Commit	Line	Data
53e83913 WB	1	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
	2	From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
	3	Date: Wed, 22 Aug 2018 19:02:47 +0200
	4	Subject: [PATCH] seccomp: use SIGSYS signal instead of killing the thread
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	The seccomp action SCMP_ACT_KILL results in immediate termination of
	10	the thread that made the bad system call. However, qemu being
	11	multi-threaded, it keeps running. There is no easy way for parent
	12	process / management layer (libvirt) to know about that situation.
	13
	14	Instead, the default SIGSYS handler when invoked with SCMP_ACT_TRAP
	15	will terminate the program and core dump.
	16
	17	This may not be the most secure solution, but probably better than
	18	just killing the offending thread. SCMP_ACT_KILL_PROCESS has been
	19	added in Linux 4.14 to improve the situation, which I propose to use
	20	by default if available in the next patch.
	21
	22	Related to:
	23	https://bugzilla.redhat.com/show_bug.cgi?id=1594456
	24
	25	Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
	26	Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
	27	Acked-by: Eduardo Otubo <otubo@redhat.com>
	28	---
	29	qemu-seccomp.c \| 2 +-
	30	1 file changed, 1 insertion(+), 1 deletion(-)
	31
	32	diff --git a/qemu-seccomp.c b/qemu-seccomp.c
	33	index 9cd8eb9499..b117a92559 100644
	34	--- a/qemu-seccomp.c
	35	+++ b/qemu-seccomp.c
	36	@@ -125,7 +125,7 @@ static int seccomp_start(uint32_t seccomp_opts)
	37	continue;
	38	}
	39
	40	- rc = seccomp_rule_add_array(ctx, SCMP_ACT_KILL, blacklist[i].num,
	41	+ rc = seccomp_rule_add_array(ctx, SCMP_ACT_TRAP, blacklist[i].num,
	42	blacklist[i].narg, blacklist[i].arg_cmp);
	43	if (rc < 0) {
	44	goto seccomp_return;
	45	--
	46	2.11.0
	47