* Contributions after 2012-01-13 are licensed under the terms of the
* GNU GPL, version 2 or (at your option) any later version.
*/
+
#include "qemu/osdep.h"
+#include "qapi/error.h"
#include "qemu/config-file.h"
#include "qemu/option.h"
#include "qemu/module.h"
-#include "qemu/error-report.h"
#include <sys/prctl.h>
#include <seccomp.h>
#include "sysemu/seccomp.h"
+#include <linux/seccomp.h>
/* For some architectures (notably ARM) cacheflush is not supported until
* libseccomp 2.2.3, but configure enforces that we are using a more recent
};
const struct scmp_arg_cmp sched_setscheduler_arg[] = {
- SCMP_A1(SCMP_CMP_NE, SCHED_IDLE)
+ /* was SCMP_A1(SCMP_CMP_NE, SCHED_IDLE), but expanded due to GCC 4.x bug */
+ { .arg = 1, .op = SCMP_CMP_NE, .datum_a = SCHED_IDLE }
};
static const struct QemuSeccompSyscall blacklist[] = {
{ SCMP_SYS(sched_get_priority_min), QEMU_SECCOMP_SET_RESOURCECTL },
};
+static inline __attribute__((unused)) int
+qemu_seccomp(unsigned int operation, unsigned int flags, void *args)
+{
+#ifdef __NR_seccomp
+ return syscall(__NR_seccomp, operation, flags, args);
+#else
+ errno = ENOSYS;
+ return -1;
+#endif
+}
+
+static uint32_t qemu_seccomp_get_action(int set)
+{
+ switch (set) {
+ case QEMU_SECCOMP_SET_DEFAULT:
+ case QEMU_SECCOMP_SET_OBSOLETE:
+ case QEMU_SECCOMP_SET_PRIVILEGED:
+ case QEMU_SECCOMP_SET_SPAWN: {
+#if defined(SECCOMP_GET_ACTION_AVAIL) && defined(SCMP_ACT_KILL_PROCESS) && \
+ defined(SECCOMP_RET_KILL_PROCESS)
+ static int kill_process = -1;
+ if (kill_process == -1) {
+ uint32_t action = SECCOMP_RET_KILL_PROCESS;
+
+ if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) {
+ kill_process = 1;
+ }
+ kill_process = 0;
+ }
+ if (kill_process == 1) {
+ return SCMP_ACT_KILL_PROCESS;
+ }
+#endif
+ return SCMP_ACT_TRAP;
+ }
+
+ case QEMU_SECCOMP_SET_RESOURCECTL:
+ return SCMP_ACT_ERRNO(EPERM);
+
+ default:
+ g_assert_not_reached();
+ }
+}
-static int seccomp_start(uint32_t seccomp_opts)
+
+static int seccomp_start(uint32_t seccomp_opts, Error **errp)
{
- int rc = 0;
+ int rc = -1;
unsigned int i = 0;
scmp_filter_ctx ctx;
ctx = seccomp_init(SCMP_ACT_ALLOW);
if (ctx == NULL) {
- rc = -1;
+ error_setg(errp, "failed to initialize seccomp context");
+ goto seccomp_return;
+ }
+
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
+ if (rc != 0) {
+ error_setg_errno(errp, -rc,
+ "failed to set seccomp thread synchronization");
goto seccomp_return;
}
for (i = 0; i < ARRAY_SIZE(blacklist); i++) {
+ uint32_t action;
if (!(seccomp_opts & blacklist[i].set)) {
continue;
}
- rc = seccomp_rule_add_array(ctx, SCMP_ACT_TRAP, blacklist[i].num,
+ action = qemu_seccomp_get_action(blacklist[i].set);
+ rc = seccomp_rule_add_array(ctx, action, blacklist[i].num,
blacklist[i].narg, blacklist[i].arg_cmp);
if (rc < 0) {
+ error_setg_errno(errp, -rc,
+ "failed to add seccomp blacklist rules");
goto seccomp_return;
}
}
rc = seccomp_load(ctx);
+ if (rc < 0) {
+ error_setg_errno(errp, -rc,
+ "failed to load seccomp syscall filter in kernel");
+ }
seccomp_return:
seccomp_release(ctx);
- return rc;
+ return rc < 0 ? -1 : 0;
}
#ifdef CONFIG_SECCOMP
* to provide a little bit of consistency for
* the command line */
} else {
- error_report("invalid argument for obsolete");
+ error_setg(errp, "invalid argument for obsolete");
return -1;
}
}
/* calling prctl directly because we're
* not sure if host has CAP_SYS_ADMIN set*/
if (prctl(PR_SET_NO_NEW_PRIVS, 1)) {
- error_report("failed to set no_new_privs "
- "aborting");
+ error_setg(errp, "failed to set no_new_privs aborting");
return -1;
}
} else if (g_str_equal(value, "allow")) {
/* default value */
} else {
- error_report("invalid argument for elevateprivileges");
+ error_setg(errp, "invalid argument for elevateprivileges");
return -1;
}
}
} else if (g_str_equal(value, "allow")) {
/* default value */
} else {
- error_report("invalid argument for spawn");
+ error_setg(errp, "invalid argument for spawn");
return -1;
}
}
} else if (g_str_equal(value, "allow")) {
/* default value */
} else {
- error_report("invalid argument for resourcecontrol");
+ error_setg(errp, "invalid argument for resourcecontrol");
return -1;
}
}
- if (seccomp_start(seccomp_opts) < 0) {
- error_report("failed to install seccomp syscall filter "
- "in the kernel");
+ if (seccomp_start(seccomp_opts, errp) < 0) {
return -1;
}
}
static void seccomp_register(void)
{
- qemu_add_opts(&qemu_sandbox_opts);
+ bool add = false;
+
+ /* FIXME: use seccomp_api_get() >= 2 check when released */
+
+#if defined(SECCOMP_FILTER_FLAG_TSYNC)
+ int check;
+
+ /* check host TSYNC capability, it returns errno == ENOSYS if unavailable */
+ check = qemu_seccomp(SECCOMP_SET_MODE_FILTER,
+ SECCOMP_FILTER_FLAG_TSYNC, NULL);
+ if (check < 0 && errno == EFAULT) {
+ add = true;
+ }
+#endif
+
+ if (add) {
+ qemu_add_opts(&qemu_sandbox_opts);
+ }
}
opts_init(seccomp_register);
#endif
projects / qemu.git / blobdiff