Accepting request 640126 from home:ldewey:branches:Virtualization

- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.0
* Patches added:
  0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
  0043-configure-require-libseccomp-2.2.0.patch
  0044-seccomp-set-the-seccomp-filter-to-a.patch
  0045-sandbox-disable-sandbox-if-CONFIG_S.patch
  0046-seccomp-check-TSYNC-host-capability.patch
* Adding changes to mitigate seccomp vulnerability
  (CVE-2018-15746 bsc#1106222)
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.0
* Patches added:
  0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
  0043-configure-require-libseccomp-2.2.0.patch
  0044-seccomp-set-the-seccomp-filter-to-a.patch
  0045-sandbox-disable-sandbox-if-CONFIG_S.patch
  0046-seccomp-check-TSYNC-host-capability.patch
* Adding changes to mitigate seccomp vulnerability
  (CVE-2018-15746 bsc#1106222)
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.0
* Patches added:
  0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
  0043-configure-require-libseccomp-2.2.0.patch
  0044-seccomp-set-the-seccomp-filter-to-a.patch
  0045-sandbox-disable-sandbox-if-CONFIG_S.patch
  0046-seccomp-check-TSYNC-host-capability.patch

OBS-URL: https://build.opensuse.org/request/show/640126
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=431

0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch

@@ -0,0 +1,90 @@
+From 6edbf80f95ecc20ced40004ce0e882e1cf756b98 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Wed, 22 Aug 2018 19:02:48 +0200
+Subject: [PATCH] seccomp: prefer SCMP_ACT_KILL_PROCESS if available
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The upcoming libseccomp release should have SCMP_ACT_KILL_PROCESS
+action (https://github.com/seccomp/libseccomp/issues/96).
+
+SCMP_ACT_KILL_PROCESS is preferable to immediately terminate the
+offending process, rather than having the SIGSYS handler running.
+
+Use SECCOMP_GET_ACTION_AVAIL to check availability of kernel support,
+as libseccomp will fallback on SCMP_ACT_KILL otherwise, and we still
+prefer SCMP_ACT_TRAP.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+Acked-by: Eduardo Otubo <otubo@redhat.com>
+(cherry picked from commit bda08a5764d470f101fa38635d30b41179a313e1)
+[LD: BSC#1106222 CVE-2018-15746]
+Signed-off-by: Larry Dewey <ldewey@suse.com>
+---
+ qemu-seccomp.c | 31 ++++++++++++++++++++++++++++++-
+ 1 file changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/qemu-seccomp.c b/qemu-seccomp.c
+index 9cd8eb9499..f0c833f3ca 100644
+--- a/qemu-seccomp.c
++++ b/qemu-seccomp.c
+@@ -20,6 +20,7 @@
+ #include <sys/prctl.h>
+ #include <seccomp.h>
+ #include "sysemu/seccomp.h"
++#include <linux/seccomp.h>
+ 
+ /* For some architectures (notably ARM) cacheflush is not supported until
+  * libseccomp 2.2.3, but configure enforces that we are using a more recent
+@@ -107,12 +108,40 @@ static const struct QemuSeccompSyscall blacklist[] = {
+     { SCMP_SYS(sched_get_priority_min), QEMU_SECCOMP_SET_RESOURCECTL },
+ };
+ 
++static inline __attribute__((unused)) int
++qemu_seccomp(unsigned int operation, unsigned int flags, void *args)
++{
++#ifdef __NR_seccomp
++    return syscall(__NR_seccomp, operation, flags, args);
++#else
++    errno = ENOSYS;
++    return -1;
++#endif
++}
++
++static uint32_t qemu_seccomp_get_kill_action(void)
++{
++#if defined(SECCOMP_GET_ACTION_AVAIL) && defined(SCMP_ACT_KILL_PROCESS) && \
++    defined(SECCOMP_RET_KILL_PROCESS)
++    {
++        uint32_t action = SECCOMP_RET_KILL_PROCESS;
++
++        if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) {
++            return SCMP_ACT_KILL_PROCESS;
++        }
++    }
++#endif
++
++    return SCMP_ACT_TRAP;
++}
++
+ 
+ static int seccomp_start(uint32_t seccomp_opts)
+ {
+     int rc = 0;
+     unsigned int i = 0;
+     scmp_filter_ctx ctx;
++    uint32_t action = qemu_seccomp_get_kill_action();
+ 
+     ctx = seccomp_init(SCMP_ACT_ALLOW);
+     if (ctx == NULL) {
+@@ -125,7 +154,7 @@ static int seccomp_start(uint32_t seccomp_opts)
+             continue;
+         }
+ 
+-        rc = seccomp_rule_add_array(ctx, SCMP_ACT_KILL, blacklist[i].num,
++        rc = seccomp_rule_add_array(ctx, action, blacklist[i].num,
+                                     blacklist[i].narg, blacklist[i].arg_cmp);
+         if (rc < 0) {
+             goto seccomp_return;

0043-configure-require-libseccomp-2.2.0.patch

@@ -0,0 +1,53 @@
+From a9794287e84a87f4372a4aed027319491ec5eb68 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Wed, 22 Aug 2018 19:02:49 +0200
+Subject: [PATCH] configure: require libseccomp 2.2.0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The following patch is going to require TSYNC, which is only available
+since libseccomp 2.2.0.
+
+libseccomp 2.2.0 was released February 12, 2015.
+
+According to repology, libseccomp version in different distros:
+
+  RHEL-7: 2.3.1
+  Debian (Stretch): 2.3.1
+  OpenSUSE Leap 15: 2.3.2
+  Ubuntu (Xenial):  2.3.1
+
+This will drop support for -sandbox on:
+
+  Debian (Jessie): 2.1.1 (but 2.2.3 in backports)
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Acked-by: Eduardo Otubo <otubo@redhat.com>
+(cherry picked from commit d0699bd37c48067cffbd80383172efc29da6d2f9)
+[LD: BSC#1106222 CVE-2018-15746]
+Signed-off-by: Larry Dewey <ldewey@suse.com>
+---
+ configure | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/configure b/configure
+index f08f2812e4..bceba37e90 100755
+--- a/configure
++++ b/configure
+@@ -2216,13 +2216,10 @@ fi
+ ##########################################
+ # libseccomp check
+ 
++libseccomp_minver="2.2.0"
+ if test "$seccomp" != "no" ; then
+     case "$cpu" in
+-    i386|x86_64)
+-        libseccomp_minver="2.1.0"
+-        ;;
+-    mips)
+-        libseccomp_minver="2.2.0"
++    i386|x86_64|mips)
+         ;;
+     arm|aarch64)
+         libseccomp_minver="2.2.3"

0044-seccomp-set-the-seccomp-filter-to-a.patch

@@ -0,0 +1,57 @@
+From e31313eacacefad16dc536b883e139a041fd2c28 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Wed, 22 Aug 2018 19:02:50 +0200
+Subject: [PATCH] seccomp: set the seccomp filter to all threads
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When using "-seccomp on", the seccomp policy is only applied to the
+main thread, the vcpu worker thread and other worker threads created
+after seccomp policy is applied; the seccomp policy is not applied to
+e.g. the RCU thread because it is created before the seccomp policy is
+applied and SECCOMP_FILTER_FLAG_TSYNC isn't used.
+
+This can be verified with
+for task in /proc/`pidof qemu`/task/*; do cat $task/status | grep Secc ; done
+Seccomp:	2
+Seccomp:	0
+Seccomp:	0
+Seccomp:	2
+Seccomp:	2
+Seccomp:	2
+
+Starting with libseccomp 2.2.0 and kernel >= 3.17, we can use
+seccomp_attr_set(ctx, > SCMP_FLTATR_CTL_TSYNC, 1) to update the policy
+on all threads.
+
+libseccomp requirement was bumped to 2.2.0 in previous patch.
+libseccomp should fail to set the filter if it can't honour
+SCMP_FLTATR_CTL_TSYNC (untested), and thus -sandbox will now fail on
+kernel < 3.17.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Acked-by: Eduardo Otubo <otubo@redhat.com>
+(cherry picked from commit 70dfabeaa79ba4d7a3b699abe1a047c8012db114)
+[LD: BSC#1106222 CVE-2018-15746]
+Signed-off-by: Larry Dewey <ldewey@suse.com>
+---
+ qemu-seccomp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/qemu-seccomp.c b/qemu-seccomp.c
+index f0c833f3ca..4729eb107f 100644
+--- a/qemu-seccomp.c
++++ b/qemu-seccomp.c
+@@ -149,6 +149,11 @@ static int seccomp_start(uint32_t seccomp_opts)
+         goto seccomp_return;
+     }
+ 
++    rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
++    if (rc != 0) {
++        goto seccomp_return;
++    }
++
+     for (i = 0; i < ARRAY_SIZE(blacklist); i++) {
+         if (!(seccomp_opts & blacklist[i].set)) {
+             continue;

0045-sandbox-disable-sandbox-if-CONFIG_S.patch

@@ -0,0 +1,39 @@
+From b481a5487b92fa40b74d8bf8c786a35d09eb97cd Mon Sep 17 00:00:00 2001
+From: Yi Min Zhao <zyimin@linux.ibm.com>
+Date: Thu, 31 May 2018 11:29:37 +0800
+Subject: [PATCH] sandbox: disable -sandbox if CONFIG_SECCOMP undefined
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If CONFIG_SECCOMP is undefined, the option 'elevatedprivileges' remains
+compiled. This would make libvirt set the corresponding capability and
+then trigger failure during guest startup. This patch moves the code
+regarding seccomp command line options to qemu-seccomp.c file and
+wraps qemu_opts_foreach finding sandbox option with CONFIG_SECCOMP.
+Because parse_sandbox() is moved into qemu-seccomp.c file, change
+seccomp_start() to static function.
+
+Signed-off-by: Yi Min Zhao <zyimin@linux.ibm.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Tested-by: Ján Tomko <jtomko@redhat.com>
+Acked-by: Eduardo Otubo <otubo@redhat.com>
+(cherry picked from commit 9d0fdecbad130f01b602e35e87c6d3fad5821d6e)
+[LD: BSC#1106222 CVE-2018-15746]
+Signed-off-by: Larry Dewey <ldewey@suse.com>
+---
+ qemu-seccomp.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/qemu-seccomp.c b/qemu-seccomp.c
+index 4729eb107f..5507d9c4ef 100644
+--- a/qemu-seccomp.c
++++ b/qemu-seccomp.c
+@@ -135,7 +135,6 @@ static uint32_t qemu_seccomp_get_kill_action(void)
+     return SCMP_ACT_TRAP;
+ }
+ 
+-
+ static int seccomp_start(uint32_t seccomp_opts)
+ {
+     int rc = 0;

0046-seccomp-check-TSYNC-host-capability.patch

@@ -0,0 +1,68 @@
+From 79883c93023ec6d7b55cf2a3e91afcfda44e3a61 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Thu, 30 Aug 2018 16:33:48 +0200
+Subject: [PATCH] seccomp: check TSYNC host capability
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Remove -sandbox option if the host is not capable of TSYNC, since the
+sandbox will fail at setup time otherwise. This will help libvirt, for
+ex, to figure out if -sandbox will work.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Eduardo Otubo <otubo@redhat.com>
+Acked-by: Eduardo Otubo <otubo@redhat.com>
+(cherry picked from commit 5780760f5ea6163939a5dabe7427318b4f07d1a2)
+[LD: BSC#1106222 CVE-2018-15746]
+Signed-off-by: Larry Dewey <ldewey@suse.com>
+---
+ qemu-seccomp.c | 19 ++++++++++++++++++-
+ vl.c           |  4 ++--
+ 2 files changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/qemu-seccomp.c b/qemu-seccomp.c
+index 5507d9c4ef..1d94bdaf55 100644
+--- a/qemu-seccomp.c
++++ b/qemu-seccomp.c
+@@ -281,7 +281,24 @@ static QemuOptsList qemu_sandbox_opts = {
+ 
+ static void seccomp_register(void)
+ {
+-    qemu_add_opts(&qemu_sandbox_opts);
++    bool add = false;
++
++    /* FIXME: use seccomp_api_get() >= 2 check when released */
++
++#if defined(SECCOMP_FILTER_FLAG_TSYNC)
++    int check;
++
++    /* check host TSYNC capability, it returns errno == ENOSYS if unavailable */
++    check = qemu_seccomp(SECCOMP_SET_MODE_FILTER,
++                         SECCOMP_FILTER_FLAG_TSYNC, NULL);
++    if (check < 0 && errno == EFAULT) {
++        add = true;
++    }
++#endif
++
++    if (add) {
++        qemu_add_opts(&qemu_sandbox_opts);
++    }
+ }
+ opts_init(seccomp_register);
+ #endif
+diff --git a/vl.c b/vl.c
+index 3af5bcdc9e..a0295abb3e 100644
+--- a/vl.c
++++ b/vl.c
+@@ -4015,8 +4015,8 @@ int main(int argc, char **argv, char **envp)
+     }
+ 
+ #ifdef CONFIG_SECCOMP
+-    if (qemu_opts_foreach(qemu_find_opts("sandbox"),
+-                          parse_sandbox, NULL, NULL)) {
++    olist = qemu_find_opts_err("sandbox", NULL);
++    if (olist && qemu_opts_foreach(olist, parse_sandbox, NULL, NULL)) {
+         exit(1);
+     }
+ #endif

qemu-linux-user.changes

@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Fri Oct  5 16:52:18 UTC 2018 - Larry Dewey <ldewey@suse.com>
+
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.0
+* Patches added:
+  0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
+  0043-configure-require-libseccomp-2.2.0.patch
+  0044-seccomp-set-the-seccomp-filter-to-a.patch
+  0045-sandbox-disable-sandbox-if-CONFIG_S.patch
+  0046-seccomp-check-TSYNC-host-capability.patch
+
 -------------------------------------------------------------------
 Fri Sep 21 19:35:23 UTC 2018 - Bruce Rogers <brogers@suse.com>
 

qemu-linux-user.spec

@@ -72,6 +72,11 @@ Patch0038:      0038-xen-add-block-resize-support-for-xe.patch
 Patch0039:      0039-tests-boot-serial-test-Bump-timeout.patch
 Patch0040:      0040-linux-headers-update.patch
 Patch0041:      0041-s390x-kvm-add-etoken-facility.patch
+Patch0042:      0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
+Patch0043:      0043-configure-require-libseccomp-2.2.0.patch
+Patch0044:      0044-seccomp-set-the-seccomp-filter-to-a.patch
+Patch0045:      0045-sandbox-disable-sandbox-if-CONFIG_S.patch
+Patch0046:      0046-seccomp-check-TSYNC-host-capability.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 ExcludeArch:    s390
@@ -144,6 +149,11 @@ syscall layer occurs on the native hardware and operating system.
 %patch0039 -p1
 %patch0040 -p1
 %patch0041 -p1
+%patch0042 -p1
+%patch0043 -p1
+%patch0044 -p1
+%patch0045 -p1
+%patch0046 -p1
 
 %build
 ./configure \

qemu-testsuite.changes

@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Fri Oct  5 16:52:15 UTC 2018 - Larry Dewey <ldewey@suse.com>
+* Adding changes to mitigate seccomp vulnerability
+  (CVE-2018-15746 bsc#1106222)
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.0
+* Patches added:
+  0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
+  0043-configure-require-libseccomp-2.2.0.patch
+  0044-seccomp-set-the-seccomp-filter-to-a.patch
+  0045-sandbox-disable-sandbox-if-CONFIG_S.patch
+  0046-seccomp-check-TSYNC-host-capability.patch
+
 -------------------------------------------------------------------
 Mon Sep 24 21:25:37 UTC 2018 - Bruce Rogers <brogers@suse.com>
 

qemu-testsuite.spec

@@ -177,6 +177,11 @@ Patch0038:      0038-xen-add-block-resize-support-for-xe.patch
 Patch0039:      0039-tests-boot-serial-test-Bump-timeout.patch
 Patch0040:      0040-linux-headers-update.patch
 Patch0041:      0041-s390x-kvm-add-etoken-facility.patch
+Patch0042:      0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
+Patch0043:      0043-configure-require-libseccomp-2.2.0.patch
+Patch0044:      0044-seccomp-set-the-seccomp-filter-to-a.patch
+Patch0045:      0045-sandbox-disable-sandbox-if-CONFIG_S.patch
+Patch0046:      0046-seccomp-check-TSYNC-host-capability.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 
@@ -924,6 +929,11 @@ This package provides a service file for starting and stopping KSM.
 %patch0039 -p1
 %patch0040 -p1
 %patch0041 -p1
+%patch0042 -p1
+%patch0043 -p1
+%patch0044 -p1
+%patch0045 -p1
+%patch0046 -p1
 
 pushd roms/seabios
 %patch1100 -p1

qemu.changes

@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Fri Oct  5 16:52:15 UTC 2018 - Larry Dewey <ldewey@suse.com>
+* Adding changes to mitigate seccomp vulnerability
+  (CVE-2018-15746 bsc#1106222)
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.0
+* Patches added:
+  0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
+  0043-configure-require-libseccomp-2.2.0.patch
+  0044-seccomp-set-the-seccomp-filter-to-a.patch
+  0045-sandbox-disable-sandbox-if-CONFIG_S.patch
+  0046-seccomp-check-TSYNC-host-capability.patch
+
 -------------------------------------------------------------------
 Mon Sep 24 21:25:37 UTC 2018 - Bruce Rogers <brogers@suse.com>
 

qemu.spec

@@ -177,6 +177,11 @@ Patch0038:      0038-xen-add-block-resize-support-for-xe.patch
 Patch0039:      0039-tests-boot-serial-test-Bump-timeout.patch
 Patch0040:      0040-linux-headers-update.patch
 Patch0041:      0041-s390x-kvm-add-etoken-facility.patch
+Patch0042:      0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
+Patch0043:      0043-configure-require-libseccomp-2.2.0.patch
+Patch0044:      0044-seccomp-set-the-seccomp-filter-to-a.patch
+Patch0045:      0045-sandbox-disable-sandbox-if-CONFIG_S.patch
+Patch0046:      0046-seccomp-check-TSYNC-host-capability.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 
@@ -924,6 +929,11 @@ This package provides a service file for starting and stopping KSM.
 %patch0039 -p1
 %patch0040 -p1
 %patch0041 -p1
+%patch0042 -p1
+%patch0043 -p1
+%patch0044 -p1
+%patch0045 -p1
+%patch0046 -p1
 
 pushd roms/seabios
 %patch1100 -p1