72f4642d7c
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.0 * Patches added: 0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch 0043-configure-require-libseccomp-2.2.0.patch 0044-seccomp-set-the-seccomp-filter-to-a.patch 0045-sandbox-disable-sandbox-if-CONFIG_S.patch 0046-seccomp-check-TSYNC-host-capability.patch * Adding changes to mitigate seccomp vulnerability (CVE-2018-15746 bsc#1106222) - Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.0 * Patches added: 0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch 0043-configure-require-libseccomp-2.2.0.patch 0044-seccomp-set-the-seccomp-filter-to-a.patch 0045-sandbox-disable-sandbox-if-CONFIG_S.patch 0046-seccomp-check-TSYNC-host-capability.patch * Adding changes to mitigate seccomp vulnerability (CVE-2018-15746 bsc#1106222) - Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.0 * Patches added: 0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch 0043-configure-require-libseccomp-2.2.0.patch 0044-seccomp-set-the-seccomp-filter-to-a.patch 0045-sandbox-disable-sandbox-if-CONFIG_S.patch 0046-seccomp-check-TSYNC-host-capability.patch OBS-URL: https://build.opensuse.org/request/show/640126 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=431
58 lines
1.9 KiB
Diff
58 lines
1.9 KiB
Diff
From e31313eacacefad16dc536b883e139a041fd2c28 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
|
|
Date: Wed, 22 Aug 2018 19:02:50 +0200
|
|
Subject: [PATCH] seccomp: set the seccomp filter to all threads
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
When using "-seccomp on", the seccomp policy is only applied to the
|
|
main thread, the vcpu worker thread and other worker threads created
|
|
after seccomp policy is applied; the seccomp policy is not applied to
|
|
e.g. the RCU thread because it is created before the seccomp policy is
|
|
applied and SECCOMP_FILTER_FLAG_TSYNC isn't used.
|
|
|
|
This can be verified with
|
|
for task in /proc/`pidof qemu`/task/*; do cat $task/status | grep Secc ; done
|
|
Seccomp: 2
|
|
Seccomp: 0
|
|
Seccomp: 0
|
|
Seccomp: 2
|
|
Seccomp: 2
|
|
Seccomp: 2
|
|
|
|
Starting with libseccomp 2.2.0 and kernel >= 3.17, we can use
|
|
seccomp_attr_set(ctx, > SCMP_FLTATR_CTL_TSYNC, 1) to update the policy
|
|
on all threads.
|
|
|
|
libseccomp requirement was bumped to 2.2.0 in previous patch.
|
|
libseccomp should fail to set the filter if it can't honour
|
|
SCMP_FLTATR_CTL_TSYNC (untested), and thus -sandbox will now fail on
|
|
kernel < 3.17.
|
|
|
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
Acked-by: Eduardo Otubo <otubo@redhat.com>
|
|
(cherry picked from commit 70dfabeaa79ba4d7a3b699abe1a047c8012db114)
|
|
[LD: BSC#1106222 CVE-2018-15746]
|
|
Signed-off-by: Larry Dewey <ldewey@suse.com>
|
|
---
|
|
qemu-seccomp.c | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
|
|
index f0c833f3ca..4729eb107f 100644
|
|
--- a/qemu-seccomp.c
|
|
+++ b/qemu-seccomp.c
|
|
@@ -149,6 +149,11 @@ static int seccomp_start(uint32_t seccomp_opts)
|
|
goto seccomp_return;
|
|
}
|
|
|
|
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
|
|
+ if (rc != 0) {
|
|
+ goto seccomp_return;
|
|
+ }
|
|
+
|
|
for (i = 0; i < ARRAY_SIZE(blacklist); i++) {
|
|
if (!(seccomp_opts & blacklist[i].set)) {
|
|
continue;
|