Accepting request 640126 from home:ldewey:branches:Virtualization

- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.0
* Patches added:
  0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
  0043-configure-require-libseccomp-2.2.0.patch
  0044-seccomp-set-the-seccomp-filter-to-a.patch
  0045-sandbox-disable-sandbox-if-CONFIG_S.patch
  0046-seccomp-check-TSYNC-host-capability.patch
* Adding changes to mitigate seccomp vulnerability
  (CVE-2018-15746 bsc#1106222)
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.0
* Patches added:
  0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
  0043-configure-require-libseccomp-2.2.0.patch
  0044-seccomp-set-the-seccomp-filter-to-a.patch
  0045-sandbox-disable-sandbox-if-CONFIG_S.patch
  0046-seccomp-check-TSYNC-host-capability.patch
* Adding changes to mitigate seccomp vulnerability
  (CVE-2018-15746 bsc#1106222)
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.0
* Patches added:
  0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
  0043-configure-require-libseccomp-2.2.0.patch
  0044-seccomp-set-the-seccomp-filter-to-a.patch
  0045-sandbox-disable-sandbox-if-CONFIG_S.patch
  0046-seccomp-check-TSYNC-host-capability.patch

OBS-URL: https://build.opensuse.org/request/show/640126
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=431
Bruce Rogers 2018-10-05 19:07:45 +00:00 committed by Git OBS Bridge
parent c5a48fe0b5
commit 72f4642d7c
11 changed files with 372 additions and 0 deletions


@ -0,0 +1,90 @@
From 6edbf80f95ecc20ced40004ce0e882e1cf756b98 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Wed, 22 Aug 2018 19:02:48 +0200
Subject: [PATCH] seccomp: prefer SCMP_ACT_KILL_PROCESS if available
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The upcoming libseccomp release should have SCMP_ACT_KILL_PROCESS
action (https://github.com/seccomp/libseccomp/issues/96).
SCMP_ACT_KILL_PROCESS is preferable to immediately terminate the
offending process, rather than having the SIGSYS handler running.
Use SECCOMP_GET_ACTION_AVAIL to check availability of kernel support,
as libseccomp will fallback on SCMP_ACT_KILL otherwise, and we still
prefer SCMP_ACT_TRAP.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Acked-by: Eduardo Otubo <otubo@redhat.com>
(cherry picked from commit bda08a5764d470f101fa38635d30b41179a313e1)
[LD: BSC#1106222 CVE-2018-15746]
Signed-off-by: Larry Dewey <ldewey@suse.com>
---
qemu-seccomp.c | 31 ++++++++++++++++++++++++++++++-
1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 9cd8eb9499..f0c833f3ca 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -20,6 +20,7 @@
#include <sys/prctl.h>
#include <seccomp.h>
#include "sysemu/seccomp.h"
+#include <linux/seccomp.h>
/* For some architectures (notably ARM) cacheflush is not supported until
* libseccomp 2.2.3, but configure enforces that we are using a more recent
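Review bot: the new `#include <linux/seccomp.h>` lands after the project header `"sysemu/seccomp.h"`, breaking the system-headers-first grouping used just above it (`<sys/prctl.h>`, `<seccomp.h>`); move it up next to `<seccomp.h>`. A one-line comment at the include would also help, since the code that needs it only uses `SECCOMP_GET_ACTION_AVAIL` and `SECCOMP_RET_KILL_PROCESS` behind `#if defined(...)` guards, so older kernel headers without those macros still build and that is deliberate.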
@@ -107,12 +108,40 @@ static const struct QemuSeccompSyscall blacklist[] = {
{ SCMP_SYS(sched_get_priority_min), QEMU_SECCOMP_SET_RESOURCECTL },
};
+static inline __attribute__((unused)) int
+qemu_seccomp(unsigned int operation, unsigned int flags, void *args)
+{
+#ifdef __NR_seccomp
+ return syscall(__NR_seccomp, operation, flags, args);
+#else
+ errno = ENOSYS;
+ return -1;
+#endif
+}
+
+static uint32_t qemu_seccomp_get_kill_action(void)
+{
+#if defined(SECCOMP_GET_ACTION_AVAIL) && defined(SCMP_ACT_KILL_PROCESS) && \
+ defined(SECCOMP_RET_KILL_PROCESS)
+ {
+ uint32_t action = SECCOMP_RET_KILL_PROCESS;
+
+ if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) {
+ return SCMP_ACT_KILL_PROCESS;
+ }
+ }
+#endif
+
+ return SCMP_ACT_TRAP;
+}
+
static int seccomp_start(uint32_t seccomp_opts)
{
int rc = 0;
unsigned int i = 0;
scmp_filter_ctx ctx;
+ uint32_t action = qemu_seccomp_get_kill_action();
ctx = seccomp_init(SCMP_ACT_ALLOW);
if (ctx == NULL) {
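Review bot: the mix of constants in `qemu_seccomp_get_kill_action()` needs a comment: the probe passes the kernel UAPI value `SECCOMP_RET_KILL_PROCESS` (what `SECCOMP_GET_ACTION_AVAIL` expects), while the function returns the libseccomp value `SCMP_ACT_KILL_PROCESS` (what `seccomp_rule_add_array()` takes); without that note a later cleanup is likely to "fix" one side to match the other. Two smaller points: `qemu_seccomp()` relies on `syscall()` and `errno`, but this patch adds neither `<unistd.h>`/`<sys/syscall.h>` nor `<errno.h>`, so confirm the existing includes already pull them in; and every probe failure, including `ENOSYS` on a kernel without the seccomp(2) syscall, silently falls back to `SCMP_ACT_TRAP`, which matches the commit message but deserves a comment at `return SCMP_ACT_TRAP;`.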
@@ -125,7 +154,7 @@ static int seccomp_start(uint32_t seccomp_opts)
continue;
}
- rc = seccomp_rule_add_array(ctx, SCMP_ACT_KILL, blacklist[i].num,
+ rc = seccomp_rule_add_array(ctx, action, blacklist[i].num,
blacklist[i].narg, blacklist[i].arg_cmp);
if (rc < 0) {
goto seccomp_return;
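Review bot: this one-line swap also changes the fallback, not just the preferred action: the rules used to carry `SCMP_ACT_KILL`, and on a host where `SCMP_ACT_KILL_PROCESS` is unavailable they now carry `SCMP_ACT_TRAP`, which only ends the process if nothing has installed a SIGSYS handler. The commit message says TRAP is preferred over KILL but not why; put the reasoning in a comment next to `action` and state in the message that -sandbox then depends on QEMU never registering a SIGSYS handler.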


@ -0,0 +1,53 @@
From a9794287e84a87f4372a4aed027319491ec5eb68 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Wed, 22 Aug 2018 19:02:49 +0200
Subject: [PATCH] configure: require libseccomp 2.2.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The following patch is going to require TSYNC, which is only available
since libseccomp 2.2.0.
libseccomp 2.2.0 was released February 12, 2015.
According to repology, libseccomp version in different distros:
RHEL-7: 2.3.1
Debian (Stretch): 2.3.1
OpenSUSE Leap 15: 2.3.2
Ubuntu (Xenial): 2.3.1
This will drop support for -sandbox on:
Debian (Jessie): 2.1.1 (but 2.2.3 in backports)
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Acked-by: Eduardo Otubo <otubo@redhat.com>
(cherry picked from commit d0699bd37c48067cffbd80383172efc29da6d2f9)
[LD: BSC#1106222 CVE-2018-15746]
Signed-off-by: Larry Dewey <ldewey@suse.com>
---
configure | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/configure b/configure
index f08f2812e4..bceba37e90 100755
--- a/configure
+++ b/configure
@@ -2216,13 +2216,10 @@ fi
##########################################
# libseccomp check
+libseccomp_minver="2.2.0"
if test "$seccomp" != "no" ; then
case "$cpu" in
- i386|x86_64)
- libseccomp_minver="2.1.0"
- ;;
- mips)
- libseccomp_minver="2.2.0"
+ i386|x86_64|mips)
;;
arm|aarch64)
libseccomp_minver="2.2.3"
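Review bot: with `libseccomp_minver="2.2.0"` hoisted above the `case`, the `i386|x86_64|mips) ;;` arm is now empty and exists only to keep those CPUs out of whatever arm follows. If the case ends in a catch-all that disables seccomp for unlisted CPUs (not visible in this hunk) the empty arm is required and should say so in a comment; otherwise drop it. The `arm|aarch64)` override to 2.2.3 still stands and is consistent with the cacheflush note in qemu-seccomp.c.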


@ -0,0 +1,57 @@
From e31313eacacefad16dc536b883e139a041fd2c28 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Wed, 22 Aug 2018 19:02:50 +0200
Subject: [PATCH] seccomp: set the seccomp filter to all threads
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When using "-seccomp on", the seccomp policy is only applied to the
main thread, the vcpu worker thread and other worker threads created
after seccomp policy is applied; the seccomp policy is not applied to
e.g. the RCU thread because it is created before the seccomp policy is
applied and SECCOMP_FILTER_FLAG_TSYNC isn't used.
This can be verified with
for task in /proc/`pidof qemu`/task/*; do cat $task/status | grep Secc ; done
Seccomp: 2
Seccomp: 0
Seccomp: 0
Seccomp: 2
Seccomp: 2
Seccomp: 2
Starting with libseccomp 2.2.0 and kernel >= 3.17, we can use
seccomp_attr_set(ctx, > SCMP_FLTATR_CTL_TSYNC, 1) to update the policy
on all threads.
libseccomp requirement was bumped to 2.2.0 in previous patch.
libseccomp should fail to set the filter if it can't honour
SCMP_FLTATR_CTL_TSYNC (untested), and thus -sandbox will now fail on
kernel < 3.17.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Acked-by: Eduardo Otubo <otubo@redhat.com>
(cherry picked from commit 70dfabeaa79ba4d7a3b699abe1a047c8012db114)
[LD: BSC#1106222 CVE-2018-15746]
Signed-off-by: Larry Dewey <ldewey@suse.com>
---
qemu-seccomp.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index f0c833f3ca..4729eb107f 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -149,6 +149,11 @@ static int seccomp_start(uint32_t seccomp_opts)
goto seccomp_return;
}
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
+ if (rc != 0) {
+ goto seccomp_return;
+ }
+
for (i = 0; i < ARRAY_SIZE(blacklist); i++) {
if (!(seccomp_opts & blacklist[i].set)) {
continue;
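Review bot: the fix only holds if `seccomp_load()` fails when `SCMP_FLTATR_CTL_TSYNC` cannot be honoured, and the commit message itself marks that "(untested)". If libseccomp instead silently ignores the attribute on a kernel older than 3.17, the filter loads without TSYNC, the pre-existing threads (the RCU thread in the message's example) stay at `Seccomp: 0`, and nothing reports it. Please verify on such a kernel before merge, using the `/proc/<pid>/task/*/status` loop from the commit message, and record the result in the message.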


@ -0,0 +1,39 @@
From b481a5487b92fa40b74d8bf8c786a35d09eb97cd Mon Sep 17 00:00:00 2001
From: Yi Min Zhao <zyimin@linux.ibm.com>
Date: Thu, 31 May 2018 11:29:37 +0800
Subject: [PATCH] sandbox: disable -sandbox if CONFIG_SECCOMP undefined
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If CONFIG_SECCOMP is undefined, the option 'elevatedprivileges' remains
compiled. This would make libvirt set the corresponding capability and
then trigger failure during guest startup. This patch moves the code
regarding seccomp command line options to qemu-seccomp.c file and
wraps qemu_opts_foreach finding sandbox option with CONFIG_SECCOMP.
Because parse_sandbox() is moved into qemu-seccomp.c file, change
seccomp_start() to static function.
Signed-off-by: Yi Min Zhao <zyimin@linux.ibm.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Tested-by: Ján Tomko <jtomko@redhat.com>
Acked-by: Eduardo Otubo <otubo@redhat.com>
(cherry picked from commit 9d0fdecbad130f01b602e35e87c6d3fad5821d6e)
[LD: BSC#1106222 CVE-2018-15746]
Signed-off-by: Larry Dewey <ldewey@suse.com>
---
qemu-seccomp.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 4729eb107f..5507d9c4ef 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -135,7 +135,6 @@ static uint32_t qemu_seccomp_get_kill_action(void)
return SCMP_ACT_TRAP;
}
-
static int seccomp_start(uint32_t seccomp_opts)
{
int rc = 0;
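Review bot: the diff does not match the commit message. The message describes moving the sandbox option handling into qemu-seccomp.c and wrapping `qemu_opts_foreach` in `CONFIG_SECCOMP`, but the backport is a single blank-line deletion (`1 file changed, 1 deletion(-)`). Either the functional part of upstream 9d0fdecbad is already present in the opensuse-3.0 tree, in which case this is a whitespace-only patch that could be dropped from the queue or have its message trimmed to say so, or the backport lost its body; please confirm which before it goes in under a CVE reference.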


@ -0,0 +1,68 @@
From 79883c93023ec6d7b55cf2a3e91afcfda44e3a61 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Thu, 30 Aug 2018 16:33:48 +0200
Subject: [PATCH] seccomp: check TSYNC host capability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Remove -sandbox option if the host is not capable of TSYNC, since the
sandbox will fail at setup time otherwise. This will help libvirt, for
ex, to figure out if -sandbox will work.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Eduardo Otubo <otubo@redhat.com>
Acked-by: Eduardo Otubo <otubo@redhat.com>
(cherry picked from commit 5780760f5ea6163939a5dabe7427318b4f07d1a2)
[LD: BSC#1106222 CVE-2018-15746]
Signed-off-by: Larry Dewey <ldewey@suse.com>
---
qemu-seccomp.c | 19 ++++++++++++++++++-
vl.c | 4 ++--
2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 5507d9c4ef..1d94bdaf55 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -281,7 +281,24 @@ static QemuOptsList qemu_sandbox_opts = {
static void seccomp_register(void)
{
- qemu_add_opts(&qemu_sandbox_opts);
+ bool add = false;
+
+ /* FIXME: use seccomp_api_get() >= 2 check when released */
+
+#if defined(SECCOMP_FILTER_FLAG_TSYNC)
+ int check;
+
+ /* check host TSYNC capability, it returns errno == ENOSYS if unavailable */
+ check = qemu_seccomp(SECCOMP_SET_MODE_FILTER,
+ SECCOMP_FILTER_FLAG_TSYNC, NULL);
+ if (check < 0 && errno == EFAULT) {
+ add = true;
+ }
+#endif
+
+ if (add) {
+ qemu_add_opts(&qemu_sandbox_opts);
+ }
}
opts_init(seccomp_register);
#endif
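Review bot: the comment at the probe says the call "returns errno == ENOSYS if unavailable" but the condition tests `errno == EFAULT`; rewrite the comment to explain the actual logic: with a NULL filter argument the kernel validates `SECCOMP_FILTER_FLAG_TSYNC` before touching the pointer, so EFAULT means the flag is understood and only the NULL argument was rejected, while EINVAL (flag unknown) or ENOSYS (no seccomp(2) syscall) both leave `add` false. Two follow-ups: `qemu_seccomp()` is now called from here, so the `__attribute__((unused))` added in the earlier patch can go; and when `add` stays false a user passing `-sandbox on` presumably gets a generic unknown-option error with no hint that TSYNC is the reason, so consider a short diagnostic.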
diff --git a/vl.c b/vl.c
index 3af5bcdc9e..a0295abb3e 100644
--- a/vl.c
+++ b/vl.c
@@ -4015,8 +4015,8 @@ int main(int argc, char **argv, char **envp)
}
#ifdef CONFIG_SECCOMP
- if (qemu_opts_foreach(qemu_find_opts("sandbox"),
- parse_sandbox, NULL, NULL)) {
+ olist = qemu_find_opts_err("sandbox", NULL);
+ if (olist && qemu_opts_foreach(olist, parse_sandbox, NULL, NULL)) {
exit(1);
}
#endif
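Review bot: `qemu_find_opts_err("sandbox", NULL)` passes a NULL errp, so an unregistered list is silently treated as "no sandbox requested"; that is the intent when `seccomp_register()` skipped registration, but the same silence would hide any other lookup failure, so a comment tying this to the TSYNC check in qemu-seccomp.c is warranted. `olist` is not declared in this hunk; confirm it is the existing `QemuOptsList *` in `main()` and not a variable still needed by a later lookup.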


@ -1,3 +1,14 @@
-------------------------------------------------------------------
Fri Oct 5 16:52:18 UTC 2018 - Larry Dewey <ldewey@suse.com>
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.0
* Patches added:
0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
0043-configure-require-libseccomp-2.2.0.patch
0044-seccomp-set-the-seccomp-filter-to-a.patch
0045-sandbox-disable-sandbox-if-CONFIG_S.patch
0046-seccomp-check-TSYNC-host-capability.patch
-------------------------------------------------------------------
Fri Sep 21 19:35:23 UTC 2018 - Bruce Rogers <brogers@suse.com>
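Review bot: this entry omits the "* Adding changes to mitigate seccomp vulnerability (CVE-2018-15746 bsc#1106222)" line that the other two .changes files in this commit carry; the CVE and bsc references are what the security tracker keys on, so add it here as well.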


@ -72,6 +72,11 @@ Patch0038: 0038-xen-add-block-resize-support-for-xe.patch
Patch0039: 0039-tests-boot-serial-test-Bump-timeout.patch
Patch0040: 0040-linux-headers-update.patch
Patch0041: 0041-s390x-kvm-add-etoken-facility.patch
Patch0042: 0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
Patch0043: 0043-configure-require-libseccomp-2.2.0.patch
Patch0044: 0044-seccomp-set-the-seccomp-filter-to-a.patch
Patch0045: 0045-sandbox-disable-sandbox-if-CONFIG_S.patch
Patch0046: 0046-seccomp-check-TSYNC-host-capability.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
ExcludeArch: s390
@ -144,6 +149,11 @@ syscall layer occurs on the native hardware and operating system.
%patch0039 -p1
%patch0040 -p1
%patch0041 -p1
%patch0042 -p1
%patch0043 -p1
%patch0044 -p1
%patch0045 -p1
%patch0046 -p1
%build
./configure \


@ -1,3 +1,15 @@
-------------------------------------------------------------------
Fri Oct 5 16:52:15 UTC 2018 - Larry Dewey <ldewey@suse.com>
* Adding changes to mitigate seccomp vulnerability
(CVE-2018-15746 bsc#1106222)
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.0
* Patches added:
0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
0043-configure-require-libseccomp-2.2.0.patch
0044-seccomp-set-the-seccomp-filter-to-a.patch
0045-sandbox-disable-sandbox-if-CONFIG_S.patch
0046-seccomp-check-TSYNC-host-capability.patch
-------------------------------------------------------------------
Mon Sep 24 21:25:37 UTC 2018 - Bruce Rogers <brogers@suse.com>
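Review bot: the "* Adding changes to mitigate seccomp vulnerability" bullet sits above the "- Patch queue updated ..." line instead of indented under it, so it reads as a sub-item with no parent entry; move it under the dash line or make it its own "- " entry, matching the format of the older entries in this file.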


@ -177,6 +177,11 @@ Patch0038: 0038-xen-add-block-resize-support-for-xe.patch
Patch0039: 0039-tests-boot-serial-test-Bump-timeout.patch
Patch0040: 0040-linux-headers-update.patch
Patch0041: 0041-s390x-kvm-add-etoken-facility.patch
Patch0042: 0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
Patch0043: 0043-configure-require-libseccomp-2.2.0.patch
Patch0044: 0044-seccomp-set-the-seccomp-filter-to-a.patch
Patch0045: 0045-sandbox-disable-sandbox-if-CONFIG_S.patch
Patch0046: 0046-seccomp-check-TSYNC-host-capability.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@ -924,6 +929,11 @@ This package provides a service file for starting and stopping KSM.
%patch0039 -p1
%patch0040 -p1
%patch0041 -p1
%patch0042 -p1
%patch0043 -p1
%patch0044 -p1
%patch0045 -p1
%patch0046 -p1
pushd roms/seabios
%patch1100 -p1


@ -1,3 +1,15 @@
-------------------------------------------------------------------
Fri Oct 5 16:52:15 UTC 2018 - Larry Dewey <ldewey@suse.com>
* Adding changes to mitigate seccomp vulnerability
(CVE-2018-15746 bsc#1106222)
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.0
* Patches added:
0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
0043-configure-require-libseccomp-2.2.0.patch
0044-seccomp-set-the-seccomp-filter-to-a.patch
0045-sandbox-disable-sandbox-if-CONFIG_S.patch
0046-seccomp-check-TSYNC-host-capability.patch
-------------------------------------------------------------------
Mon Sep 24 21:25:37 UTC 2018 - Bruce Rogers <brogers@suse.com>
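Review bot: same layout issue as the other .changes entry in this commit: the "* Adding changes to mitigate seccomp vulnerability" bullet precedes the "- Patch queue updated ..." line it belongs to; indent it under that line or give it its own "- " entry.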


@ -177,6 +177,11 @@ Patch0038: 0038-xen-add-block-resize-support-for-xe.patch
Patch0039: 0039-tests-boot-serial-test-Bump-timeout.patch
Patch0040: 0040-linux-headers-update.patch
Patch0041: 0041-s390x-kvm-add-etoken-facility.patch
Patch0042: 0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
Patch0043: 0043-configure-require-libseccomp-2.2.0.patch
Patch0044: 0044-seccomp-set-the-seccomp-filter-to-a.patch
Patch0045: 0045-sandbox-disable-sandbox-if-CONFIG_S.patch
Patch0046: 0046-seccomp-check-TSYNC-host-capability.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@ -924,6 +929,11 @@ This package provides a service file for starting and stopping KSM.
%patch0039 -p1
%patch0040 -p1
%patch0041 -p1
%patch0042 -p1
%patch0043 -p1
%patch0044 -p1
%patch0045 -p1
%patch0046 -p1
pushd roms/seabios
%patch1100 -p1