From: Namsun Ch'o <namn...@safe-mail.net>
This patch introduces madvise, shmget, shmctl and its flags to the
seccomp whitelist. This prevents Qemu to break in case of using -runas
or chroot with sandbox enabled.
Signed-off-by: Namsun Ch'o <namn...@safe-mail.net>
Acked-by: Eduardo Otubo <eduardo.ot...@profitbricks.com>
---
Changelog:
v1
- Created argument filters for the madvise, shmget, and shmctl syscalls.
v1 -> v2
- Added 5 new madvise flags which were present in the source code but not in
the strace which I generated.
- Added IP_CREAT|0600 to shmget, which Daniel Berrange pointed out was
present in GTK2, which QEMU uses but does not call directly.
v2 -> v3
- Replaced include asm/mman-common.h with sys/mman.h which is more proper.
- Fixed typo where I had IP_CREAT instead of IPC_CREAT.
- Removed the comma on the last entry of the madvise_flags array.
- Removed one madvise flag (MADV_INVALID) which doesn't exist, apparently.
qemu-seccomp.c | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 55 insertions(+), 3 deletions(-)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 33644a4..e7a54e8 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -14,6 +14,8 @@
*/
#include <stdio.h>
#include <seccomp.h>
+#include <linux/ipc.h>
+#include <sys/mman.h>
#include "sysemu/seccomp.h"
struct QemuSeccompSyscall {
@@ -105,7 +107,6 @@ static const struct QemuSeccompSyscall seccomp_whitelist[]
= {
{ SCMP_SYS(rt_sigreturn), 245 },
{ SCMP_SYS(sync), 245 },
{ SCMP_SYS(pread64), 245 },
- { SCMP_SYS(madvise), 245 },
{ SCMP_SYS(set_robust_list), 245 },
{ SCMP_SYS(lseek), 245 },
{ SCMP_SYS(pselect6), 245 },
@@ -224,11 +225,9 @@ static const struct QemuSeccompSyscall seccomp_whitelist[]
= {
{ SCMP_SYS(arch_prctl), 240 },
{ SCMP_SYS(mkdir), 240 },
{ SCMP_SYS(fchmod), 240 },
- { SCMP_SYS(shmget), 240 },
{ SCMP_SYS(shmat), 240 },
{ SCMP_SYS(shmdt), 240 },
{ SCMP_SYS(timerfd_create), 240 },
- { SCMP_SYS(shmctl), 240 },
{ SCMP_SYS(mlockall), 240 },
{ SCMP_SYS(mlock), 240 },
{ SCMP_SYS(munlock), 240 },
@@ -265,6 +264,59 @@ int seccomp_start(void)
}
}
+ /* madvise */
+ static const int madvise_flags[] = {
+ MADV_DODUMP,
+ MADV_DONTDUMP,
+ MADV_UNMERGEABLE,
+ MADV_WILLNEED,
+ MADV_DONTFORK,
+ MADV_DONTNEED,
+ MADV_HUGEPAGE,
+ MADV_MERGEABLE
+ };
+ for (i = 0; i < ARRAY_SIZE(madvise_flags); i++) {
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(madvise), 1,
+ SCMP_A2(SCMP_CMP_EQ, madvise_flags[i]));
+ if (rc < 0) {
+ goto seccomp_return;
+ }
+ }
+ rc = seccomp_syscall_priority(ctx, SCMP_SYS(madvise), 245);
+ if (rc < 0) {
+ goto seccomp_return;
+ }
+
+ /* shmget */
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmget), 2,
+ SCMP_A0(SCMP_CMP_EQ, IPC_PRIVATE),
+ SCMP_A2(SCMP_CMP_EQ, IPC_CREAT|0777));
+ if (rc < 0) {
+ goto seccomp_return;
+ }
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmget), 2,
+ SCMP_A0(SCMP_CMP_EQ, IPC_PRIVATE),
+ SCMP_A2(SCMP_CMP_EQ, IPC_CREAT|0600));
+ if (rc < 0) {
+ goto seccomp_return;
+ }
+ rc = seccomp_syscall_priority(ctx, SCMP_SYS(shmget), 240);
+ if (rc < 0) {
+ goto seccomp_return;
+ }
+
+ /* shmctl */
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmctl), 2,
+ SCMP_A1(SCMP_CMP_EQ, IPC_RMID),
+ SCMP_A2(SCMP_CMP_EQ, 0));
+ if (rc < 0) {
+ goto seccomp_return;
+ }
+ rc = seccomp_syscall_priority(ctx, SCMP_SYS(shmctl), 240);
+ if (rc < 0) {
+ goto seccomp_return;
+ }
+
rc = seccomp_load(ctx);
seccomp_return:
--
2.1.4
