X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=qemu-seccomp.c;h=e0a1829b3ddc9732f357179b9c23ce4b48703efb;hb=79b9d4bde7db3f760851217b329c68a883184c6b;hp=4729eb107f8ff169a1011dd96264fd2d82910e46;hpb=235c82acca0491465e94be3cae2583b42d37c859;p=mirror_qemu.git diff --git a/qemu-seccomp.c b/qemu-seccomp.c index 4729eb107f..e0a1829b3d 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -12,11 +12,12 @@ * Contributions after 2012-01-13 are licensed under the terms of the * GNU GPL, version 2 or (at your option) any later version. */ + #include "qemu/osdep.h" +#include "qapi/error.h" #include "qemu/config-file.h" #include "qemu/option.h" #include "qemu/module.h" -#include "qemu/error-report.h" #include #include #include "sysemu/seccomp.h" @@ -40,7 +41,8 @@ struct QemuSeccompSyscall { }; const struct scmp_arg_cmp sched_setscheduler_arg[] = { - SCMP_A1(SCMP_CMP_NE, SCHED_IDLE) + /* was SCMP_A1(SCMP_CMP_NE, SCHED_IDLE), but expanded due to GCC 4.x bug */ + { .arg = 1, .op = SCMP_CMP_NE, .datum_a = SCHED_IDLE } }; static const struct QemuSeccompSyscall blacklist[] = { @@ -119,58 +121,84 @@ qemu_seccomp(unsigned int operation, unsigned int flags, void *args) #endif } -static uint32_t qemu_seccomp_get_kill_action(void) +static uint32_t qemu_seccomp_get_action(int set) { + switch (set) { + case QEMU_SECCOMP_SET_DEFAULT: + case QEMU_SECCOMP_SET_OBSOLETE: + case QEMU_SECCOMP_SET_PRIVILEGED: + case QEMU_SECCOMP_SET_SPAWN: { #if defined(SECCOMP_GET_ACTION_AVAIL) && defined(SCMP_ACT_KILL_PROCESS) && \ defined(SECCOMP_RET_KILL_PROCESS) - { - uint32_t action = SECCOMP_RET_KILL_PROCESS; + static int kill_process = -1; + if (kill_process == -1) { + uint32_t action = SECCOMP_RET_KILL_PROCESS; - if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) { + if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) { + kill_process = 1; + } + kill_process = 0; + } + if (kill_process == 1) { return SCMP_ACT_KILL_PROCESS; } - } #endif + return SCMP_ACT_TRAP; + } + + case QEMU_SECCOMP_SET_RESOURCECTL: + return SCMP_ACT_ERRNO(EPERM); - return SCMP_ACT_TRAP; + default: + g_assert_not_reached(); + } } -static int seccomp_start(uint32_t seccomp_opts) +static int seccomp_start(uint32_t seccomp_opts, Error **errp) { - int rc = 0; + int rc = -1; unsigned int i = 0; scmp_filter_ctx ctx; - uint32_t action = qemu_seccomp_get_kill_action(); ctx = seccomp_init(SCMP_ACT_ALLOW); if (ctx == NULL) { - rc = -1; + error_setg(errp, "failed to initialize seccomp context"); goto seccomp_return; } rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1); if (rc != 0) { + error_setg_errno(errp, -rc, + "failed to set seccomp thread synchronization"); goto seccomp_return; } for (i = 0; i < ARRAY_SIZE(blacklist); i++) { + uint32_t action; if (!(seccomp_opts & blacklist[i].set)) { continue; } + action = qemu_seccomp_get_action(blacklist[i].set); rc = seccomp_rule_add_array(ctx, action, blacklist[i].num, blacklist[i].narg, blacklist[i].arg_cmp); if (rc < 0) { + error_setg_errno(errp, -rc, + "failed to add seccomp blacklist rules"); goto seccomp_return; } } rc = seccomp_load(ctx); + if (rc < 0) { + error_setg_errno(errp, -rc, + "failed to load seccomp syscall filter in kernel"); + } seccomp_return: seccomp_release(ctx); - return rc; + return rc < 0 ? -1 : 0; } #ifdef CONFIG_SECCOMP @@ -190,7 +218,7 @@ int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp) * to provide a little bit of consistency for * the command line */ } else { - error_report("invalid argument for obsolete"); + error_setg(errp, "invalid argument for obsolete"); return -1; } } @@ -205,14 +233,13 @@ int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp) /* calling prctl directly because we're * not sure if host has CAP_SYS_ADMIN set*/ if (prctl(PR_SET_NO_NEW_PRIVS, 1)) { - error_report("failed to set no_new_privs " - "aborting"); + error_setg(errp, "failed to set no_new_privs aborting"); return -1; } } else if (g_str_equal(value, "allow")) { /* default value */ } else { - error_report("invalid argument for elevateprivileges"); + error_setg(errp, "invalid argument for elevateprivileges"); return -1; } } @@ -224,7 +251,7 @@ int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp) } else if (g_str_equal(value, "allow")) { /* default value */ } else { - error_report("invalid argument for spawn"); + error_setg(errp, "invalid argument for spawn"); return -1; } } @@ -236,14 +263,12 @@ int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp) } else if (g_str_equal(value, "allow")) { /* default value */ } else { - error_report("invalid argument for resourcecontrol"); + error_setg(errp, "invalid argument for resourcecontrol"); return -1; } } - if (seccomp_start(seccomp_opts) < 0) { - error_report("failed to install seccomp syscall filter " - "in the kernel"); + if (seccomp_start(seccomp_opts, errp) < 0) { return -1; } } @@ -282,7 +307,24 @@ static QemuOptsList qemu_sandbox_opts = { static void seccomp_register(void) { - qemu_add_opts(&qemu_sandbox_opts); + bool add = false; + + /* FIXME: use seccomp_api_get() >= 2 check when released */ + +#if defined(SECCOMP_FILTER_FLAG_TSYNC) + int check; + + /* check host TSYNC capability, it returns errno == ENOSYS if unavailable */ + check = qemu_seccomp(SECCOMP_SET_MODE_FILTER, + SECCOMP_FILTER_FLAG_TSYNC, NULL); + if (check < 0 && errno == EFAULT) { + add = true; + } +#endif + + if (add) { + qemu_add_opts(&qemu_sandbox_opts); + } } opts_init(seccomp_register); #endif