diff --git a/0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch b/0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
new file mode 100644
index 00000000..c3f4f1d3
--- /dev/null
+++ b/0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
@@ -0,0 +1,90 @@
+From 6edbf80f95ecc20ced40004ce0e882e1cf756b98 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
+Date: Wed, 22 Aug 2018 19:02:48 +0200
+Subject: [PATCH] seccomp: prefer SCMP_ACT_KILL_PROCESS if available
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The upcoming libseccomp release should have SCMP_ACT_KILL_PROCESS
+action (https://github.com/seccomp/libseccomp/issues/96).
+
+SCMP_ACT_KILL_PROCESS is preferable to immediately terminate the
+offending process, rather than having the SIGSYS handler running.
+
+Use SECCOMP_GET_ACTION_AVAIL to check availability of kernel support,
+as libseccomp will fallback on SCMP_ACT_KILL otherwise, and we still
+prefer SCMP_ACT_TRAP.
+
+Signed-off-by: Marc-André Lureau
+Reviewed-by: Daniel P. Berrangé
+Acked-by: Eduardo Otubo
+(cherry picked from commit bda08a5764d470f101fa38635d30b41179a313e1)
+[LD: BSC#1106222 CVE-2018-15746]
+Signed-off-by: Larry Dewey
+---
+ qemu-seccomp.c | 31 ++++++++++++++++++++++++++++++-
+ 1 file changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/qemu-seccomp.c b/qemu-seccomp.c
+index 9cd8eb9499..f0c833f3ca 100644
+--- a/qemu-seccomp.c
++++ b/qemu-seccomp.c
+@@ -20,6 +20,7 @@
+ #include
+ #include
+ #include "sysemu/seccomp.h"
++#include
+
+ /* For some architectures (notably ARM) cacheflush is not supported until
+ * libseccomp 2.2.3, but configure enforces that we are using a more recent
+@@ -107,12 +108,40 @@ static const struct QemuSeccompSyscall blacklist[] = {
+ { SCMP_SYS(sched_get_priority_min), QEMU_SECCOMP_SET_RESOURCECTL },
+ };
+
++static inline __attribute__((unused)) int
++qemu_seccomp(unsigned int operation, unsigned int flags, void *args)
++{
++#ifdef __NR_seccomp
++ return syscall(__NR_seccomp, operation, flags, args);
++#else
++ errno = ENOSYS;
++ return -1;
++#endif
++}
++
++static uint32_t qemu_seccomp_get_kill_action(void)
++{
++#if defined(SECCOMP_GET_ACTION_AVAIL) && defined(SCMP_ACT_KILL_PROCESS) && \
++ defined(SECCOMP_RET_KILL_PROCESS)
++ {
++ uint32_t action = SECCOMP_RET_KILL_PROCESS;
++
++ if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) {
++ return SCMP_ACT_KILL_PROCESS;
++ }
++ }
++#endif
++
++ return SCMP_ACT_TRAP;
++}
++
+
+ static int seccomp_start(uint32_t seccomp_opts)
+ {
+ int rc = 0;
+ unsigned int i = 0;
+ scmp_filter_ctx ctx;
++ uint32_t action = qemu_seccomp_get_kill_action();
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL) {
+@@ -125,7 +154,7 @@ static int seccomp_start(uint32_t seccomp_opts)
+ continue;
+ }
+
+- rc = seccomp_rule_add_array(ctx, SCMP_ACT_KILL, blacklist[i].num,
++ rc = seccomp_rule_add_array(ctx, action, blacklist[i].num,
+ blacklist[i].narg, blacklist[i].arg_cmp);
+ if (rc < 0) {
+ goto seccomp_return;
diff --git a/0043-configure-require-libseccomp-2.2.0.patch b/0043-configure-require-libseccomp-2.2.0.patch
new file mode 100644
index 00000000..5c70fa09
--- /dev/null
+++ b/0043-configure-require-libseccomp-2.2.0.patch
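Review bot: The two helpers added in the second qemu-seccomp.c hunk, `qemu_seccomp()` and `qemu_seccomp_get_kill_action()`, carry no header comment, so the reason the fallback is SCMP_ACT_TRAP rather than SCMP_ACT_KILL lives only in the commit message. A comment above `qemu_seccomp_get_kill_action` such as `/* Ask the kernel (SECCOMP_GET_ACTION_AVAIL) whether SECCOMP_RET_KILL_PROCESS is supported; otherwise keep SCMP_ACT_TRAP, since libseccomp would silently degrade KILL_PROCESS to KILL on older kernels. */` would keep that rationale with the code. `qemu_seccomp` likewise deserves a line noting that it wraps the raw seccomp(2) syscall and reports ENOSYS through errno when `__NR_seccomp` is not defined at build time, which is why callers compare against errno rather than the return value alone. The `#include` directives in the first hunk have lost their header names in this rendering, so the added include cannot be checked from here.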
@@ -0,0 +1,53 @@
+From a9794287e84a87f4372a4aed027319491ec5eb68 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
+Date: Wed, 22 Aug 2018 19:02:49 +0200
+Subject: [PATCH] configure: require libseccomp 2.2.0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The following patch is going to require TSYNC, which is only available
+since libseccomp 2.2.0.
+
+libseccomp 2.2.0 was released February 12, 2015.
+
+According to repology, libseccomp version in different distros:
+
+ RHEL-7: 2.3.1
+ Debian (Stretch): 2.3.1
+ OpenSUSE Leap 15: 2.3.2
+ Ubuntu (Xenial): 2.3.1
+
+This will drop support for -sandbox on:
+
+ Debian (Jessie): 2.1.1 (but 2.2.3 in backports)
+
+Signed-off-by: Marc-André Lureau
+Acked-by: Eduardo Otubo
+(cherry picked from commit d0699bd37c48067cffbd80383172efc29da6d2f9)
+[LD: BSC#1106222 CVE-2018-15746]
+Signed-off-by: Larry Dewey
+---
+ configure | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/configure b/configure
+index f08f2812e4..bceba37e90 100755
+--- a/configure
++++ b/configure
+@@ -2216,13 +2216,10 @@ fi
+ ##########################################
+ # libseccomp check
+
++libseccomp_minver="2.2.0"
+ if test "$seccomp" != "no" ; then
+ case "$cpu" in
+- i386|x86_64)
+- libseccomp_minver="2.1.0"
+- ;;
+- mips)
+- libseccomp_minver="2.2.0"
++ i386|x86_64|mips)
+ ;;
+ arm|aarch64)
+ libseccomp_minver="2.2.3"
diff --git a/0044-seccomp-set-the-seccomp-filter-to-a.patch b/0044-seccomp-set-the-seccomp-filter-to-a.patch
new file mode 100644
index 00000000..9bc2951c
--- /dev/null
+++ b/0044-seccomp-set-the-seccomp-filter-to-a.patch
@@ -0,0 +1,57 @@
+From e31313eacacefad16dc536b883e139a041fd2c28 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
+Date: Wed, 22 Aug 2018 19:02:50 +0200
+Subject: [PATCH] seccomp: set the seccomp filter to all threads
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When using "-seccomp on", the seccomp policy is only applied to the
+main thread, the vcpu worker thread and other worker threads created
+after seccomp policy is applied; the seccomp policy is not applied to
+e.g. the RCU thread because it is created before the seccomp policy is
+applied and SECCOMP_FILTER_FLAG_TSYNC isn't used.
+
+This can be verified with
+for task in /proc/`pidof qemu`/task/*; do cat $task/status | grep Secc ; done
+Seccomp: 2
+Seccomp: 0
+Seccomp: 0
+Seccomp: 2
+Seccomp: 2
+Seccomp: 2
+
+Starting with libseccomp 2.2.0 and kernel >= 3.17, we can use
+seccomp_attr_set(ctx, > SCMP_FLTATR_CTL_TSYNC, 1) to update the policy
+on all threads.
+
+libseccomp requirement was bumped to 2.2.0 in previous patch.
+libseccomp should fail to set the filter if it can't honour
+SCMP_FLTATR_CTL_TSYNC (untested), and thus -sandbox will now fail on
+kernel < 3.17.
+
+Signed-off-by: Marc-André Lureau
+Acked-by: Eduardo Otubo
+(cherry picked from commit 70dfabeaa79ba4d7a3b699abe1a047c8012db114)
+[LD: BSC#1106222 CVE-2018-15746]
+Signed-off-by: Larry Dewey
+---
+ qemu-seccomp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/qemu-seccomp.c b/qemu-seccomp.c
+index f0c833f3ca..4729eb107f 100644
+--- a/qemu-seccomp.c
++++ b/qemu-seccomp.c
+@@ -149,6 +149,11 @@ static int seccomp_start(uint32_t seccomp_opts)
+ goto seccomp_return;
+ }
+
++ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
++ if (rc != 0) {
++ goto seccomp_return;
++ }
++
+ for (i = 0; i < ARRAY_SIZE(blacklist); i++) {
+ if (!(seccomp_opts & blacklist[i].set)) {
+ continue;
diff --git a/0045-sandbox-disable-sandbox-if-CONFIG_S.patch b/0045-sandbox-disable-sandbox-if-CONFIG_S.patch
new file mode 100644
index 00000000..0cca845c
--- /dev/null
+++ b/0045-sandbox-disable-sandbox-if-CONFIG_S.patch
@@ -0,0 +1,39 @@
+From b481a5487b92fa40b74d8bf8c786a35d09eb97cd Mon Sep 17 00:00:00 2001
+From: Yi Min Zhao
+Date: Thu, 31 May 2018 11:29:37 +0800
+Subject: [PATCH] sandbox: disable -sandbox if CONFIG_SECCOMP undefined
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If CONFIG_SECCOMP is undefined, the option 'elevatedprivileges' remains
+compiled. This would make libvirt set the corresponding capability and
+then trigger failure during guest startup. This patch moves the code
+regarding seccomp command line options to qemu-seccomp.c file and
+wraps qemu_opts_foreach finding sandbox option with CONFIG_SECCOMP.
+Because parse_sandbox() is moved into qemu-seccomp.c file, change
+seccomp_start() to static function.
+
+Signed-off-by: Yi Min Zhao
+Reviewed-by: Ján Tomko
+Tested-by: Ján Tomko
+Acked-by: Eduardo Otubo
+(cherry picked from commit 9d0fdecbad130f01b602e35e87c6d3fad5821d6e)
+[LD: BSC#1106222 CVE-2018-15746]
+Signed-off-by: Larry Dewey
+---
+ qemu-seccomp.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/qemu-seccomp.c b/qemu-seccomp.c
+index 4729eb107f..5507d9c4ef 100644
+--- a/qemu-seccomp.c
++++ b/qemu-seccomp.c
+@@ -135,7 +135,6 @@ static uint32_t qemu_seccomp_get_kill_action(void)
+ return SCMP_ACT_TRAP;
+ }
+
+-
+ static int seccomp_start(uint32_t seccomp_opts)
+ {
+ int rc = 0;
diff --git a/0046-seccomp-check-TSYNC-host-capability.patch b/0046-seccomp-check-TSYNC-host-capability.patch
new file mode 100644
index 00000000..097eb18e
--- /dev/null
+++ b/0046-seccomp-check-TSYNC-host-capability.patch
@@ -0,0 +1,68 @@
+From 79883c93023ec6d7b55cf2a3e91afcfda44e3a61 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
+Date: Thu, 30 Aug 2018 16:33:48 +0200
+Subject: [PATCH] seccomp: check TSYNC host capability
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Remove -sandbox option if the host is not capable of TSYNC, since the
+sandbox will fail at setup time otherwise. This will help libvirt, for
+ex, to figure out if -sandbox will work.
+
+Signed-off-by: Marc-André Lureau
+Signed-off-by: Eduardo Otubo
+Acked-by: Eduardo Otubo
+(cherry picked from commit 5780760f5ea6163939a5dabe7427318b4f07d1a2)
+[LD: BSC#1106222 CVE-2018-15746]
+Signed-off-by: Larry Dewey
+---
+ qemu-seccomp.c | 19 ++++++++++++++++++-
+ vl.c | 4 ++--
+ 2 files changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/qemu-seccomp.c b/qemu-seccomp.c
+index 5507d9c4ef..1d94bdaf55 100644
+--- a/qemu-seccomp.c
++++ b/qemu-seccomp.c
+@@ -281,7 +281,24 @@ static QemuOptsList qemu_sandbox_opts = {
+
+ static void seccomp_register(void)
+ {
+- qemu_add_opts(&qemu_sandbox_opts);
++ bool add = false;
++
++ /* FIXME: use seccomp_api_get() >= 2 check when released */
++
++#if defined(SECCOMP_FILTER_FLAG_TSYNC)
++ int check;
++
++ /* check host TSYNC capability, it returns errno == ENOSYS if unavailable */
++ check = qemu_seccomp(SECCOMP_SET_MODE_FILTER,
++ SECCOMP_FILTER_FLAG_TSYNC, NULL);
++ if (check < 0 && errno == EFAULT) {
++ add = true;
++ }
++#endif
++
++ if (add) {
++ qemu_add_opts(&qemu_sandbox_opts);
++ }
+ }
+ opts_init(seccomp_register);
+ #endif
+diff --git a/vl.c b/vl.c
+index 3af5bcdc9e..a0295abb3e 100644
+--- a/vl.c
++++ b/vl.c
+@@ -4015,8 +4015,8 @@ int main(int argc, char **argv, char **envp)
+ }
+
+ #ifdef CONFIG_SECCOMP
+- if (qemu_opts_foreach(qemu_find_opts("sandbox"),
+- parse_sandbox, NULL, NULL)) {
++ olist = qemu_find_opts_err("sandbox", NULL);
++ if (olist && qemu_opts_foreach(olist, parse_sandbox, NULL, NULL)) {
exit(1);
+ }
+ #endif
diff --git a/qemu-linux-user.changes b/qemu-linux-user.changes
index ae2f9935..856ffd44 100644
--- a/qemu-linux-user.changes
+++ b/qemu-linux-user.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Fri Oct 5 16:52:18 UTC 2018 - Larry Dewey
+
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.0
+* Patches added:
+ 0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
+ 0043-configure-require-libseccomp-2.2.0.patch
+ 0044-seccomp-set-the-seccomp-filter-to-a.patch
+ 0045-sandbox-disable-sandbox-if-CONFIG_S.patch
+ 0046-seccomp-check-TSYNC-host-capability.patch
+
-------------------------------------------------------------------
Fri Sep 21 19:35:23 UTC 2018 - Bruce Rogers
diff --git a/qemu-linux-user.spec b/qemu-linux-user.spec
index 3427554f..882d5835 100644
--- a/qemu-linux-user.spec
+++ b/qemu-linux-user.spec
@@ -72,6 +72,11 @@ Patch0038: 0038-xen-add-block-resize-support-for-xe.patch
Patch0039: 0039-tests-boot-serial-test-Bump-timeout.patch
Patch0040: 0040-linux-headers-update.patch
Patch0041: 0041-s390x-kvm-add-etoken-facility.patch
+Patch0042: 0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
+Patch0043: 0043-configure-require-libseccomp-2.2.0.patch
+Patch0044: 0044-seccomp-set-the-seccomp-filter-to-a.patch
+Patch0045: 0045-sandbox-disable-sandbox-if-CONFIG_S.patch
+Patch0046: 0046-seccomp-check-TSYNC-host-capability.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
ExcludeArch: s390
@@ -144,6 +149,11 @@ syscall layer occurs on the native hardware and operating system.
%patch0039 -p1
%patch0040 -p1
%patch0041 -p1
+%patch0042 -p1
+%patch0043 -p1
+%patch0044 -p1
+%patch0045 -p1
+%patch0046 -p1
%build
./configure \
diff --git a/qemu-testsuite.changes b/qemu-testsuite.changes
index cfb2f818..addc2629 100644
--- a/qemu-testsuite.changes
+++ b/qemu-testsuite.changes
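Review bot: The comment above the probe in `seccomp_register()` does not match the condition under it: it says the call "returns errno == ENOSYS if unavailable", but the code only treats `errno == EFAULT` as success, and ENOSYS is never examined. The probe passes a NULL filter on purpose, so a kernel that accepts SECCOMP_FILTER_FLAG_TSYNC fails on the args pointer with EFAULT, while a kernel that does not know the flag rejects it earlier (and a build without `__NR_seccomp` gets ENOSYS from the wrapper); the comment should state that, e.g. `/* Probe with a NULL filter: EFAULT means the kernel accepted SECCOMP_FILTER_FLAG_TSYNC and only faulted on the args pointer; any other failure means TSYNC (or seccomp(2) itself) is unavailable, so -sandbox is not registered. */`. It is also worth a one-line note that when SECCOMP_FILTER_FLAG_TSYNC is not defined at build time `add` stays false and the option is silently never registered, since that is easy to misread as a bug. In the vl.c hunk, `olist` is presumably declared earlier in `main()`, whose body starts and ends outside the hunk.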
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Fri Oct 5 16:52:15 UTC 2018 - Larry Dewey
+* Adding changes to mitigate seccomp vulnerability
+ (CVE-2018-15746 bsc#1106222)
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.0
+* Patches added:
+ 0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
+ 0043-configure-require-libseccomp-2.2.0.patch
+ 0044-seccomp-set-the-seccomp-filter-to-a.patch
+ 0045-sandbox-disable-sandbox-if-CONFIG_S.patch
+ 0046-seccomp-check-TSYNC-host-capability.patch
+
-------------------------------------------------------------------
Mon Sep 24 21:25:37 UTC 2018 - Bruce Rogers
diff --git a/qemu-testsuite.spec b/qemu-testsuite.spec
index 9f7338ac..eafba99c 100644
--- a/qemu-testsuite.spec
+++ b/qemu-testsuite.spec
@@ -177,6 +177,11 @@ Patch0038: 0038-xen-add-block-resize-support-for-xe.patch
Patch0039: 0039-tests-boot-serial-test-Bump-timeout.patch
Patch0040: 0040-linux-headers-update.patch
Patch0041: 0041-s390x-kvm-add-etoken-facility.patch
+Patch0042: 0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
+Patch0043: 0043-configure-require-libseccomp-2.2.0.patch
+Patch0044: 0044-seccomp-set-the-seccomp-filter-to-a.patch
+Patch0045: 0045-sandbox-disable-sandbox-if-CONFIG_S.patch
+Patch0046: 0046-seccomp-check-TSYNC-host-capability.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@@ -924,6 +929,11 @@ This package provides a service file for starting and stopping KSM.
%patch0039 -p1
%patch0040 -p1
%patch0041 -p1
+%patch0042 -p1
+%patch0043 -p1
+%patch0044 -p1
+%patch0045 -p1
+%patch0046 -p1
pushd roms/seabios
%patch1100 -p1
diff --git a/qemu.changes b/qemu.changes
index cfb2f818..addc2629 100644
--- a/qemu.changes
+++ b/qemu.changes
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Fri Oct 5 16:52:15 UTC 2018 - Larry Dewey
+* Adding changes to mitigate seccomp vulnerability
+ (CVE-2018-15746 bsc#1106222)
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.0
+* Patches added:
+ 0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
+ 0043-configure-require-libseccomp-2.2.0.patch
+ 0044-seccomp-set-the-seccomp-filter-to-a.patch
+ 0045-sandbox-disable-sandbox-if-CONFIG_S.patch
+ 0046-seccomp-check-TSYNC-host-capability.patch
+
-------------------------------------------------------------------
Mon Sep 24 21:25:37 UTC 2018 - Bruce Rogers
diff --git a/qemu.spec b/qemu.spec
index 399e73c2..817138da 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -177,6 +177,11 @@ Patch0038: 0038-xen-add-block-resize-support-for-xe.patch
Patch0039: 0039-tests-boot-serial-test-Bump-timeout.patch
Patch0040: 0040-linux-headers-update.patch
Patch0041: 0041-s390x-kvm-add-etoken-facility.patch
+Patch0042: 0042-seccomp-prefer-SCMP_ACT_KILL_PROCES.patch
+Patch0043: 0043-configure-require-libseccomp-2.2.0.patch
+Patch0044: 0044-seccomp-set-the-seccomp-filter-to-a.patch
+Patch0045: 0045-sandbox-disable-sandbox-if-CONFIG_S.patch
+Patch0046: 0046-seccomp-check-TSYNC-host-capability.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@@ -924,6 +929,11 @@ This package provides a service file for starting and stopping KSM.
%patch0039 -p1
%patch0040 -p1
%patch0041 -p1
+%patch0042 -p1
+%patch0043 -p1
+%patch0044 -p1
+%patch0045 -p1
+%patch0046 -p1
pushd roms/seabios
%patch1100 -p1