On 11/01/2012 05:43 PM, Paul Moore wrote:
On Tuesday, October 23, 2012 03:55:29 AM Eduardo Otubo wrote:
According to bug 855162[0], new syscalls need to be added to the whitelist
when using Qemu with Libvirt.

[0] - https://bugzilla.redhat.com/show_bug.cgi?id=855162

v2: Adding new syscalls to the list: readlink, rt_sigpending, and
     rt_sigtimedwait

Reported-by: Paul Moore <pmo...@redhat.com>
Signed-off-by: Eduardo Otubo <ot...@linux.vnet.ibm.com>
---
  qemu-seccomp.c | 13 ++++++++++++-
  1 file changed, 12 insertions(+), 1 deletion(-)

I had an opportunity to test this patchset on an F17 machine using QEMU 1.2 and
unfortunately it still fails.  I'm using a relatively basic guest
configuration running F16, the details are documented in the RH BZ that
Eduardo mentioned in the patch description.

Paul, here's the latest diff for the whitelist. We're looking to get the patches out in the next few days after a bit more testing.

diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 64329a3..81aaf74 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -45,6 +45,12 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(access), 245 },
     { SCMP_SYS(prctl), 245 },
     { SCMP_SYS(signalfd), 245 },
+    { SCMP_SYS(getrlimit), 245 },
+    { SCMP_SYS(set_tid_address), 245 },
+    { SCMP_SYS(socketpair), 245 },
+    { SCMP_SYS(statfs), 245 },
+    { SCMP_SYS(unlink), 245 },
+    { SCMP_SYS(wait4), 245 },
 #if defined(__i386__)
     { SCMP_SYS(fcntl64), 245 },
     { SCMP_SYS(fstat64), 245 },
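Review bot: The six entries added above the `#if defined(__i386__)` block (`getrlimit` through `wait4`) carry no indication of which QEMU or libvirt code path needs them, and this table admits a syscall for any arguments, so each new name widens what the sandbox permits without a recorded reason. The patch description cites the bug, but that link does not survive in the source. A short comment above the group, such as `/* required when QEMU is launched under libvirt; see RH bug 855162 */`, would let a later maintainer decide whether an entry can be dropped again. The same applies to the additions in the later hunks of this file.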
@@ -59,6 +65,8 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(mmap2), 245},
     { SCMP_SYS(sigprocmask), 245 },
 #elif defined(__x86_64__)
+    { SCMP_SYS(semget), 245},
+#endif
     { SCMP_SYS(sched_getparam), 245},
     { SCMP_SYS(sched_getscheduler), 245},
     { SCMP_SYS(fstat), 245},
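Review bot: Moving `#endif` to directly after `{ SCMP_SYS(semget), 245},` changes the scope of every entry that follows it: `sched_getparam`, `sched_getscheduler`, `fstat`, `socket`, `setsockopt`, `uname` and the rest of the former x86_64-only group (whose old `-#endif` is removed in the next hunk) are now compiled unconditionally, including on i386. Neither the patch description nor the v2 note mentions this, so it reads as a side effect of relocating `semget` rather than a decision. If it is intended, the description should say so; if only `semget` was meant to move, the `#endif` belongs where it was. Whether each entry in that group resolves to a native syscall on i386 is not visible from this hunk and should be confirmed before the change lands.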
@@ -69,11 +77,15 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(socket), 245},
     { SCMP_SYS(setsockopt), 245},
     { SCMP_SYS(uname), 245},
-    { SCMP_SYS(semget), 245},
-#endif
     { SCMP_SYS(eventfd2), 245 },
     { SCMP_SYS(dup), 245 },
+    { SCMP_SYS(dup2), 245 },
+    { SCMP_SYS(dup3), 245 },
     { SCMP_SYS(gettid), 245 },
+    { SCMP_SYS(getgid), 245 },
+    { SCMP_SYS(getegid), 245 },
+    { SCMP_SYS(getuid), 245 },
+    { SCMP_SYS(geteuid), 245 },
     { SCMP_SYS(timer_create), 245 },
     { SCMP_SYS(exit), 245 },
     { SCMP_SYS(clock_gettime), 245 },
@@ -107,7 +119,22 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(getsockname), 242 },
     { SCMP_SYS(getpeername), 242 },
     { SCMP_SYS(fdatasync), 242 },
-    { SCMP_SYS(close), 242 }
+    { SCMP_SYS(close), 242 },
+    { SCMP_SYS(accept4), 242 },
+    { SCMP_SYS(rt_sigpending), 242 },
+    { SCMP_SYS(rt_sigtimedwait), 242 },
+    { SCMP_SYS(readv), 242 },
+    { SCMP_SYS(writev), 242 },
+    { SCMP_SYS(preadv), 242 },
+    { SCMP_SYS(pwritev), 242 },
+    { SCMP_SYS(setrlimit), 242 },
+    { SCMP_SYS(ftruncate), 242 },
+    { SCMP_SYS(lstat), 242 },
+    { SCMP_SYS(pipe), 242 },
+    { SCMP_SYS(umask), 242 },
+    { SCMP_SYS(chdir), 242 },
+    { SCMP_SYS(setitimer), 242 },
+    { SCMP_SYS(setsid), 242 }
 };
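Review bot: The v2 note at the top of the mail lists `readlink` among the syscalls being added, but no hunk in this diff adds it; either the note is stale relative to this revision or the entry was lost, and the two should agree before the patch is posted. Separately, the new last entry `{ SCMP_SYS(setsid), 242 }` repeats the pattern that forced this hunk to rewrite the `close` line: end it with a comma, `{ SCMP_SYS(setsid), 242 },`, so the next addition to the table is a pure insertion and the diff stays reviewable.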

Regards,
Corey Bryant

