Hi,

This series fixes 2 issues with -sandbox:

- The seccomp action SCMP_ACT_KILL results in immediate termination of
  the thread that made the bad system call. However, qemu being
  multi-threaded, it keeps running. There is no easy way for parent
  process / management layer (libvirt) to know about that situation.
  Instead, the default SIGSYS handler when invoked with SCMP_ACT_TRAP
  will terminate the program and core dump. This may not be the most
  secure solution, but probably better than just killing the offending
  thread. SCMP_ACT_KILL_PROCESS has been added in Linux 4.14 to improve
  the situation, which I propose to use by default if available.

  Related to:
  https://bugzilla.redhat.com/show_bug.cgi?id=1594456

- The seccomp filter isn't applied to all threads. We can solve the
  issue by using SECCOMP_FILTER_FLAG_TSYNC since libseccomp 2.2.0 and
  kernel >= 3.17.

v3:
- modify qemu_seccomp() to set errno=ENOSYS
- add patch "seccomp: set the seccomp filter to all threads"

v2:
- fix clang unused inline warning
- add acked-by/r-b tags

Marc-André Lureau (4):
  seccomp: use SIGSYS signal instead of killing the thread
  seccomp: prefer SCMP_ACT_KILL_PROCESS if available
  configure: require libseccomp 2.2.0
  seccomp: set the seccomp filter to all threads

 qemu-seccomp.c | 36 +++++++++++++++++++++++++++++++++++-
 configure      |  7 ++-----
 2 files changed, 37 insertions(+), 6 deletions(-)

-- 
2.18.0.547.g1d89318c48
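The two behaviours this cover letter describes can be observed from a parent process with the sketch below, which is an added example and not code from the QEMU series. It assumes a Linux host and uses the raw seccomp(2) syscall rather than libseccomp; the function names and the choice of getppid as the denied call are hypothetical.

```c
#define _GNU_SOURCE
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <pthread.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

static int pipefd[2];
/* Probe (Linux >= 4.14) for KILL_PROCESS; else TRAP, whose default SIGSYS disposition ends the process. */
unsigned int pick_kill_action(void) {
    unsigned int a = SECCOMP_RET_KILL_PROCESS;
    return syscall(__NR_seccomp, SECCOMP_GET_ACTION_AVAIL, 0, &a) ? SECCOMP_RET_TRAP : a;
}
/* Started before the filter exists; only TSYNC puts this thread under it. */
static void *worker(void *arg) {
    char c; (void)arg;
    if (read(pipefd[0], &c, 1) == 1)
        syscall(__NR_getppid); /* the denied call, an arbitrary demo choice */
    return NULL;
}
/* Child's terminating signal, 0 on clean exit, -1 if seccomp is unusable. Demo filter: no arch check. */
int run_sandboxed_child(void) {
    int status;
    pid_t pid = fork();
    if (pid == 0) {
        struct sock_filter insns[] = {
            BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
            BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
            BPF_STMT(BPF_RET | BPF_K, pick_kill_action()),
            BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        };
        struct sock_fprog prog = { .len = 4, .filter = insns };
        pthread_t t;
        if (pipe(pipefd) || pthread_create(&t, NULL, worker, NULL) ||
            prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, &prog) ||
            write(pipefd[1], "x", 1) != 1)
            _exit(2);
        sleep(5); /* outlived only if the worker escaped the filter */
        _exit(0);
    }
    if (pid < 0 || waitpid(pid, &status, 0) != pid) return -1;
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    return WEXITSTATUS(status) == 0 ? 0 : -1;
}

int main(void) { return run_sandboxed_child() == SIGSYS ? 0 : 1; }
```

Build with `cc -pthread`. A return value of SIGSYS means the parent saw the whole child die from a call made on a thread that existed before the filter was installed.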