On Wed, Aug 22, 2018 at 07:02:50PM +0200, Marc-André Lureau wrote:
> When using "-seccomp on", the seccomp policy is only applied to the
> main thread, the vcpu worker thread and other worker threads created
> after seccomp policy is applied; the seccomp policy is not applied to
> e.g. the RCU thread because it is created before the seccomp policy is
> applied and SECCOMP_FILTER_FLAG_TSYNC isn't used.
>
> This can be verified with
> for task in /proc/`pidof qemu`/task/*; do cat $task/status | grep Secc ; done
> Seccomp: 2
> Seccomp: 0
> Seccomp: 0
> Seccomp: 2
> Seccomp: 2
> Seccomp: 2
>
> Starting with libseccomp 2.2.0 and kernel >= 3.17, we can use
> seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1) to update the policy
> on all threads.
>
> libseccomp requirement was bumped to 2.2.0 in previous patch.
> libseccomp should fail to set the filter if it can't honour
> SCMP_FLTATR_CTL_TSYNC (untested), and thus -sandbox will now fail on
> kernel < 3.17.
>
> Signed-off-by: Marc-André Lureau <marcandre.lur...@redhat.com>
> ---
>  qemu-seccomp.c | 5 +++++
>  1 file changed, 5 insertions(+)
Reviewed-by: Daniel P. Berrangé <berra...@redhat.com>

Regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
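The thread-coverage gap the commit message describes, reproduced as an added example that is neither QEMU's nor libseccomp's code. It creates one thread before any filter exists (standing in for QEMU's RCU thread), installs an allow-everything filter first without and then with SECCOMP_FILTER_FLAG_TSYNC, and reads each thread's "Seccomp:" field from /proc the same way the commit message's shell loop does. It calls the raw seccomp(2) syscall rather than libseccomp so it builds with only the kernel headers; SECCOMP_FILTER_FLAG_TSYNC is the flag libseccomp passes when SCMP_FLTATR_CTL_TSYNC is set to 1. All function and variable names are this example's own, and it assumes Linux >= 3.17 with CONFIG_SECCOMP_FILTER, and a /proc mount.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Parse the "Seccomp:" field of a /proc/<pid>/task/<tid>/status buffer.
 * Returns 0 (disabled), 1 (strict), 2 (filter), or -1 if the field is absent.
 * Only a match at the start of a line counts, so the "Seccomp_filters:" field
 * that newer kernels add and other look-alikes are not mistaken for it. */
int parse_seccomp_mode(const char *status)
{
    const char *key = "Seccomp:";
    const char *p = status;
    while ((p = strstr(p, key)) != NULL) {
        if (p == status || p[-1] == '\n')
            return atoi(p + strlen(key));
        p += strlen(key);
    }
    return -1;
}

/* Seccomp mode of one thread of the calling process, read from /proc
 * (the per-thread check the commit message's shell loop performs). */
int thread_seccomp_mode(pid_t tid)
{
    char path[64], buf[4096];
    snprintf(path, sizeof path, "/proc/self/task/%d/status", (int)tid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_seccomp_mode(buf);
}

/* Install an allow-everything filter, optionally with TSYNC. Returns 0 on
 * success, -errno on an ordinary failure, or the positive TID of a thread
 * that could not be synchronised (seccomp(2)'s TSYNC failure convention).
 * An allow-all filter changes no behaviour but flips "Seccomp:" from 0 to 2,
 * which is all this demonstration needs to observe. */
long install_allow_all_filter(int tsync)
{
    struct sock_filter insns[] = { BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW) };
    struct sock_fprog prog = { .len = 1, .filter = insns };
    unsigned int flags = tsync ? SECCOMP_FILTER_FLAG_TSYNC : 0;
    long r;

    /* An unprivileged process must set no_new_privs before loading a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    r = syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, flags, &prog);
    return r == -1 ? -errno : r;
}

/* A thread that already exists when the filter is installed, the position
 * QEMU's RCU thread is in according to the commit message. */
static pid_t early_tid;
static pthread_barrier_t ready;
static int done_pipe[2];

static void *early_thread(void *arg)
{
    char c;
    (void)arg;
    early_tid = (pid_t)syscall(SYS_gettid);
    pthread_barrier_wait(&ready);
    (void)read(done_pipe[0], &c, 1);   /* park here until main() is finished */
    return NULL;
}

int main(void)
{
    pthread_t t;
    pid_t self = (pid_t)syscall(SYS_gettid);
    long r;

    if (pipe(done_pipe) != 0 || pthread_barrier_init(&ready, NULL, 2) != 0 ||
        pthread_create(&t, NULL, early_thread, NULL) != 0)
        return 1;
    pthread_barrier_wait(&ready);        /* early_tid is valid from here on */

    r = install_allow_all_filter(0);     /* no TSYNC: only this thread is covered */
    printf("no TSYNC: rc=%ld main=%d early=%d\n", r,
           thread_seccomp_mode(self), thread_seccomp_mode(early_tid));

    r = install_allow_all_filter(1);     /* TSYNC: the early thread is covered too */
    printf("TSYNC:    rc=%ld main=%d early=%d\n", r,
           thread_seccomp_mode(self), thread_seccomp_mode(early_tid));

    if (write(done_pipe[1], "x", 1) != 1)
        return 1;
    pthread_join(t, NULL);
    return 0;
}
```

Build with the C compiler's defaults (older glibc additionally needs -lpthread). On a kernel that honours TSYNC the first line reports the early thread still at mode 0 while the main thread is at 2, and the second line reports both at 2, which is exactly the discrepancy the commit message's shell loop exposes and the fix removes. In a container whose own seccomp profile refuses seccomp(2), rc is a negative errno and both modes stay unchanged; a positive rc names the thread TSYNC could not synchronise.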