1. 15 Sep, 2017 5 commits
  2. 21 Sep, 2016 1 commit
  3. 16 Apr, 2016 2 commits
  4. 04 Feb, 2016 1 commit
    • Peter Maydell's avatar
      all: Clean up includes · d38ea87a
      Peter Maydell authored
      Clean up includes so that osdep.h is included first and headers
      which it implies are not included manually.
      
      This commit was created with scripts/clean-includes.
      Signed-off-by: 's avatarPeter Maydell <peter.maydell@linaro.org>
      Message-id: 1454089805-5470-16-git-send-email-peter.maydell@linaro.org
      d38ea87a
  5. 16 Nov, 2015 1 commit
  6. 22 Oct, 2015 1 commit
  7. 23 Jan, 2015 1 commit
  8. 05 Jan, 2015 1 commit
  9. 11 Nov, 2014 1 commit
    • Philipp Gesang's avatar
      seccomp: whitelist syscalls fallocate(), fadvise64(), inotify_init1() and inotify_add_watch() · f73adec7
      Philipp Gesang authored
      fallocate() is needed for snapshotting. If it isn’t whitelisted
      
          $ qemu-img create -f qcow2 x.qcow 1G
          Formatting 'x.qcow', fmt=qcow2 size=1073741824 encryption=off cluster_size=65536 lazy_refcounts=off
          $ qemu-kvm -display none -monitor stdio -sandbox on x.qcow
          QEMU 2.1.50 monitor - type 'help' for more information
          (qemu) savevm foo
          (qemu) loadvm foo
      
      will fail, as will subsequent savevm commands on the same image.
      
      fadvise64(), inotify_init1(), inotify_add_watch() are needed by
      the SDL display. Without the whitelist entries,
      
          qemu-kvm -sandbox on
      
      fails immediately.
      
      In my tests fadvise64() is called 50--51 times per VM run. That
      number seems independent of the duration of the run. fallocate(),
      inotify_init1(), inotify_add_watch() are called once each.
      Accordingly, they are added to the whitelist at a very low
      priority.
      Signed-off-by: 's avatarPhilipp Gesang <philipp.gesang@intra2net.com>
      Signed-off-by: 's avatarEduardo Otubo <eduardo.otubo@profitbricks.com>
      f73adec7
  10. 21 Aug, 2014 1 commit
  11. 25 Apr, 2014 2 commits
    • Paul Moore's avatar
      seccomp: add shmctl(), mlock(), and munlock() to the syscall whitelist · e3f9bb01
      Paul Moore authored
      Additional testing reveals that PulseAudio requires shmctl() and the
      mlock()/munlock() syscalls on some systems/configurations.  As before,
      on systems that do require these syscalls, the problem can be seen with
      the following command line:
      
        # qemu -monitor stdio  -sandbox on \
               -device intel-hda -device hda-duplex
      Signed-off-by: 's avatarPaul Moore <pmoore@redhat.com>
      Signed-off-by: 's avatarEduardo Otubo <otubo@linux.vnet.ibm.com>
      e3f9bb01
    • Felix Geyer's avatar
      seccomp: add timerfd_create and timerfd_settime to the whitelist · 84397618
      Felix Geyer authored
      libusb calls timerfd_create() and timerfd_settime() when it's built with
      timerfd support.
      
      Command to reproduce:
      
             -device usb-host,hostbus=1,hostaddr=3,id=hostdev0
      
      Log messages:
      
      audit(1390730418.924:135): auid=4294967295 uid=121 gid=103 ses=4294967295
                                 pid=5232 comm="qemu-system-x86" sig=31 syscall=283
                                 compat=0 ip=0x7f2b0f4e96a7 code=0x0
      audit(1390733100.580:142): auid=4294967295 uid=121 gid=103 ses=4294967295
                                 pid=16909 comm="qemu-system-x86" sig=31 syscall=286
                                 compat=0 ip=0x7f03513a06da code=0x0
      
      Reading a few hundred MB from a USB drive on x86_64 shows this syscall distribution.
      Therefore the timerfd_settime priority is set to 242.
      
          calls  syscall
       --------- ----------------
         5303600 write
         2240554 read
         2167030 ppoll
         2134828 ioctl
          704023 timerfd_settime
          689105 poll
           83122 futex
             803 writev
             476 rt_sigprocmask
             287 recvmsg
             178 brk
      Signed-off-by: 's avatarFelix Geyer <debfx@fobos.de>
      Signed-off-by: 's avatarEduardo Otubo <otubo@linux.vnet.ibm.com>
      84397618
  12. 20 Jan, 2014 2 commits
    • Paul Moore's avatar
      seccomp: add some basic shared memory syscalls to the whitelist · 918b94e2
      Paul Moore authored
      PulseAudio requires the use of shared memory so add shmget(), shmat(),
      and shmdt() to the syscall whitelist.
      
      Reported-by: xuhan@redhat.com
      Signed-off-by: 's avatarPaul Moore <pmoore@redhat.com>
      918b94e2
    • Paul Moore's avatar
      seccomp: add mkdir() and fchmod() to the whitelist · 0c2acb16
      Paul Moore authored
      The PulseAudio library attempts to do a mkdir(2) and fchmod(2) on
      "/run/user/<UID>/pulse" which is currently blocked by the syscall
      filter; this patch adds the two missing syscalls to the whitelist.
      You can reproduce this problem with the following command:
      
       # qemu -monitor stdio -device intel-hda -device hda-duplex
      
      If watched under strace the following syscalls are shown:
      
       mkdir("/run/user/0/pulse", 0700)
       fchmod(11, 0700) [NOTE: 11 is the fd for /run/user/0/pulse]
      
      Reported-by: xuhan@redhat.com
      Signed-off-by: 's avatarPaul Moore <pmoore@redhat.com>
      0c2acb16
  13. 20 Dec, 2013 1 commit
  14. 03 Dec, 2013 1 commit
  15. 24 Sep, 2013 1 commit
  16. 30 Jul, 2013 2 commits
  17. 26 Jul, 2013 2 commits
  18. 30 May, 2013 1 commit
  19. 19 Dec, 2012 1 commit
  20. 30 Nov, 2012 1 commit
  21. 16 Aug, 2012 1 commit
    • Eduardo Otubo's avatar
      Adding qemu-seccomp.[ch] (v8) · 2f668be7
      Eduardo Otubo authored
      Signed-off-by: 's avatarEduardo Otubo <otubo@linux.vnet.ibm.com>
      Signed-off-by: 's avatarAnthony Liguori <aliguori@us.ibm.com>
      ---
      v1:
       - I added a syscall struct using priority levels as described in the
         libseccomp man page. The priority numbers are based to the frequency
         they appear in a sample strace from a regular qemu guest run under
         libvirt.
      
         Libseccomp generates linear BPF code to filter system calls, those rules
         are read one after another. The priority system places the most common
         rules first in order to reduce the overhead when processing them.
      
      v1 -> v2:
       - Fixed some style issues
       - Removed code from vl.c and created qemu-seccomp.[ch]
       - Now using ARRAY_SIZE macro
       - Added more syscalls without priority/frequency set yet
      
      v2 -> v3:
       - Adding copyright and license information
       - Replacing seccomp_whitelist_count just by ARRAY_SIZE
       - Adding header protection to qemu-seccomp.h
       - Moving QemuSeccompSyscall definition to qemu-seccomp.c
       - Negative return from seccomp_start is fatal now.
       - Adding open() and execve() to the whitelis
      
      v3 -> v4:
       - Tests revealed a bigger set of syscalls.
       - seccomp_start() now has an argument to set the mode according to the
         configure option trap or kill.
      
      v4 -> v5:
       - Tests on x86_64 required a new specific set of system calls.
       - libseccomp release 1.0.0: part of the API have changed in this last
         release, had to adapt to the new function signatures.
      2f668be7