Hi, On 03/11/17 14:29, Laurent Vivier wrote: > Le 03/11/2017 à 13:07, James Cowgill a écrit : >> If an application tries to install a seccomp filter using >> prctl(PR_SET_SECCOMP), the filter is likely for the target instead of the >> host >> architecture. This will probably cause qemu to be immediately killed when it >> executes another syscall. >> >> Prevent this from happening by returning EINVAL from both seccomp prctl >> calls. This is the error returned by the kernel when seccomp support is >> disabled. >> >> Fixes: https://bugs.launchpad.net/qemu/+bug/1726394 >> Signed-off-by: James Cowgill <james.cowg...@mips.com> >> --- >> linux-user/syscall.c | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/linux-user/syscall.c b/linux-user/syscall.c >> index d4497dec5d..43cd5fb2bb 100644 >> --- a/linux-user/syscall.c >> +++ b/linux-user/syscall.c >> @@ -10482,6 +10482,10 @@ abi_long do_syscall(void *cpu_env, int num, >> abi_long arg1, >> break; >> } >> #endif >> + case PR_GET_SECCOMP: >> + case PR_SET_SECCOMP: >> + ret = -TARGET_EINVAL; >> + break; >> default: >> /* Most prctl options have no pointer arguments */ >> ret = get_errno(prctl(arg1, arg2, arg3, arg4, arg5)); >> > > I think we should allow PR_GET_SECCOMP, and at least all the modes > except SECCOMP_MODE_FILTER for PR_SET_SECCOMP.
I tried allowing SECCOMP_MODE_STRICT and made a small test program. It seems that qemu is SIGKILLed when _exit is used because qemu itself tries to call rt_sigprocmask which is not an allowed syscall.

PR_GET_SECCOMP can probably be allowed. My reasoning for disabling it was to match the kernel behavior for when seccomp is disabled by the Kconfig option.

Thanks,
James
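
Review bot: the new `case PR_GET_SECCOMP:` / `case PR_SET_SECCOMP:` labels added just before `default:` carry no comment, so a reader of do_syscall() cannot tell why these two options return -TARGET_EINVAL while every other option falls through to the host prctl(). Suggest a short comment above them stating that a guest filter is built for the target architecture and would be applied to qemu's own host syscalls, and that EINVAL is what the kernel returns when seccomp support is disabled. Since PR_GET_SECCOMP only queries state, consider giving it its own case rather than sharing the error path with PR_SET_SECCOMP.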
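
The strict-mode behaviour discussed in the reply above can be checked with a probe like the following. This is an added example, not James's test program and not QEMU code, and the enum and function names are hypothetical. It forks a child that requests SECCOMP_MODE_STRICT and reports whether the child exited cleanly, had the prctl() refused (the patched behaviour), or was killed by a signal (the outcome the reply reports under qemu).

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SECCOMP_MODE_STRICT
#define SECCOMP_MODE_STRICT 1   /* value from <linux/seccomp.h> */
#endif

/* Result names are hypothetical, chosen for this example. */
enum probe_result { PROBE_ERROR = -1, STRICT_OK, STRICT_REFUSED, STRICT_KILLED };

/* Map a waitpid() status from the probe child onto a result. */
static enum probe_result classify_status(int status)
{
    /* Killed by a signal, e.g. SIGKILL after a disallowed syscall. */
    if (WIFSIGNALED(status)) return STRICT_KILLED;
    /* Strict mode was entered and the exit syscall was permitted. */
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return STRICT_OK;
    /* prctl() failed (for example with EINVAL) and the child exited 2. */
    if (WIFEXITED(status) && WEXITSTATUS(status) == 2) return STRICT_REFUSED;
    return PROBE_ERROR;
}

/* Fork a child that enters strict mode and leaves via the raw exit syscall. */
static enum probe_result probe_strict_mode(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_ERROR;
    if (pid == 0) {
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0) != 0)
            syscall(SYS_exit, 2);
        /* Strict mode permits only read, write, _exit and sigreturn, so call
         * SYS_exit directly: glibc's _exit() issues exit_group instead. */
        syscall(SYS_exit, 0);
    }
    if (waitpid(pid, &status, 0) != pid)
        return PROBE_ERROR;
    return classify_status(status);
}

int main(void)
{
    static const char *names[] = { "strict mode works", "prctl refused", "child killed" };
    enum probe_result r = probe_strict_mode();
    puts(r == PROBE_ERROR ? "probe error" : names[r]);
    return r == PROBE_ERROR;
}
```

Running the same binary natively and under a qemu-user build shows which of the three outcomes each environment produces.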