diff options
| author | Marc-André Lureau <marcandre.lureau@redhat.com> | 2018-08-22 19:02:47 +0200 |
|---|---|---|
| committer | Eduardo Otubo <otubo@redhat.com> | 2018-08-23 16:45:20 +0200 |
| commit | 6f2231e9b0931e1998d9ed0c509adf7aedc02db2 (patch) | |
| tree | 62e40bd7df6af9eae13d636c65b111ae72621022 /qemu-seccomp.c | |
| parent | 3392fbee4e435658733bbe9aab23392660558b59 (diff) | |
| download | focaccia-qemu-6f2231e9b0931e1998d9ed0c509adf7aedc02db2.tar.gz focaccia-qemu-6f2231e9b0931e1998d9ed0c509adf7aedc02db2.zip | |
seccomp: use SIGSYS signal instead of killing the thread
The seccomp action SCMP_ACT_KILL results in immediate termination of the thread that made the bad system call. However, qemu being multi-threaded, it keeps running. There is no easy way for parent process / management layer (libvirt) to know about that situation. Instead, the default SIGSYS handler when invoked with SCMP_ACT_TRAP will terminate the program and core dump. This may not be the most secure solution, but probably better than just killing the offending thread. SCMP_ACT_KILL_PROCESS has been added in Linux 4.14 to improve the situation, which I propose to use by default if available in the next patch. Related to: https://bugzilla.redhat.com/show_bug.cgi?id=1594456 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Acked-by: Eduardo Otubo <otubo@redhat.com>
Diffstat (limited to 'qemu-seccomp.c')
| -rw-r--r-- | qemu-seccomp.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/qemu-seccomp.c b/qemu-seccomp.c index 9cd8eb9499..b117a92559 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -125,7 +125,7 @@ static int seccomp_start(uint32_t seccomp_opts) continue; } - rc = seccomp_rule_add_array(ctx, SCMP_ACT_KILL, blacklist[i].num, + rc = seccomp_rule_add_array(ctx, SCMP_ACT_TRAP, blacklist[i].num, blacklist[i].narg, blacklist[i].arg_cmp); if (rc < 0) { goto seccomp_return; |