qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH for-2.3] Revert seccomp tests that allow it to b


From: Andrew Jones
Subject: Re: [Qemu-devel] [PATCH for-2.3] Revert seccomp tests that allow it to be used on non-x86 architectures
Date: Fri, 26 Jun 2015 18:03:18 +0200
User-agent: Mutt/1.5.23.1 (2014-03-12)

On Tue, Jun 16, 2015 at 02:16:03PM +0100, Peter Maydell wrote:
> On 16 June 2015 at 14:12, Andrew Jones <address@hidden> wrote:
> > Can we now revert this revert, along with bumping the non-x86 arch
> > atleast-version to v2.2.1
> 
> Probably. I suggest you submit a patch and test it on the
> relevant architectures and seccomp versions.
>

I don't see any problems with the light testing (booting a guest)
I've done on my mustang, but AArch64 worked with libseccomp 2.2.0
too. So I dusted off my Midway (updated to Fedora 21 that has
libseccomp 2.2.1 packaged), and gave it a try, but unfortunately
it still doesn't work...

I found that we needed to add another syscall to the whitelist;
the arm-private 'cacheflush', as it's used by __builtin___clear_cache.
And, from libseccomp's git history it appears that syscall is known

commit a710a2d246bdc73ba77e3ff5624e790688cc51fd
Author: Paul Moore <address@hidden>
Date:   Wed May 6 12:05:45 2015 -0400

    arm: add some missing syscalls
    
    Add the following syscalls to the ARM arch/ABI and update the syscall
    validation script.
    
     * breakpoint()
     * cacheflush()
     * usr26()
     * usr32()
     * set_tls()
    
    Reported-by: Purcareata Bogdan <address@hidden>
    Signed-off-by: Paul Moore <address@hidden>


And also appears to be in 2.2.1
$ git describe a710a2d246bdc73ba77e3ff5624e790688cc51fd
v2.2.0-10-ga710a2d246bdc

However the qemu thread that makes that syscall still dies, even
with this patch

diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index f9de0d3390feb..33644a4e3c3d3 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -237,7 +237,8 @@ static const struct QemuSeccompSyscall
seccomp_whitelist[] = {
     { SCMP_SYS(fadvise64), 240 },
     { SCMP_SYS(inotify_init1), 240 },
     { SCMP_SYS(inotify_add_watch), 240 },
-    { SCMP_SYS(mbind), 240 }
+    { SCMP_SYS(mbind), 240 },
+    { SCMP_SYS(cacheflush), 240 },
 };
 
 int seccomp_start(void)


Paul, can you help me figure out what I'm missing?

Thanks,
drew



reply via email to

[Prev in Thread] Current Thread [Next in Thread]