Re: [Qemu-devel] [PATCH] sandbox: Report error on forbidden system call
From: Daniel P. Berrange
Subject: Re: [Qemu-devel] [PATCH] sandbox: Report error on forbidden system call
Date: Fri, 8 Feb 2013 14:51:16 +0000
User-agent: Mutt/1.5.21 (2010-09-15)
On Fri, Feb 08, 2013 at 09:44:10AM -0500, Corey Bryant wrote:
>
>
> On 02/05/2013 06:02 AM, Michal Privoznik wrote:
> >Currently, if we call a non-whitelisted system call, we get killed
> >immediately without reporting any error. It would be far more useful,
> >if we can at least shout something on stderr just before dying, so
> >users know it is because of the sandbox, not just a random quit.
> >
> >Signed-off-by: Michal Privoznik <address@hidden>
> >---
> > os-posix.c | 8 ++++++++
> > qemu-seccomp.c | 4 +++-
> > 2 files changed, 11 insertions(+), 1 deletion(-)
> >
> >diff --git a/os-posix.c b/os-posix.c
> >index 5c64518..1d52306 100644
> >--- a/os-posix.c
> >+++ b/os-posix.c
> >@@ -62,6 +62,12 @@ void os_setup_early_signal_handling(void)
> > sigaction(SIGPIPE, &act, NULL);
> > }
> >
> >+static void syssig_handler(int signal, siginfo_t *info, void *c)
> >+{
> >+ fprintf(stderr, "Bad system call\n");
> >+ exit(1);
> >+}
> >+
> > static void termsig_handler(int signal, siginfo_t *info, void *c)
> > {
> > qemu_system_killed(info->si_signo, info->si_pid);
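Review bot: syssig_handler calls fprintf(3) and exit(3), neither of which is async-signal-safe, and it runs at an arbitrary point in whichever thread issued the forbidden call, possibly while that thread holds the stderr lock or an allocator lock; exit(3) additionally runs atexit handlers and flushes stdio, any of which may issue another forbidden syscall and re-enter the handler. Prefer write(2) of a fixed string to STDERR_FILENO followed by _exit(2). The siginfo_t the kernel delivers for a seccomp-generated SIGSYS carries the attempted syscall number in info->si_syscall (check that the build's glibc exposes the field), which would make the message far more useful than a bare "Bad system call"; the unused parameters can be cast to void, and naming one of them `signal` shadows signal(2). Note also that exiting with status 1 replaces the SIGSYS termination status a supervisor would otherwise see, so it can no longer distinguish a sandbox violation from any other exit(1); writing the message, resetting SIG_DFL and re-raising the signal preserves both.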
> >@@ -77,6 +83,8 @@ void os_setup_signal_handling(void)
> > sigaction(SIGINT, &act, NULL);
> > sigaction(SIGHUP, &act, NULL);
> > sigaction(SIGTERM, &act, NULL);
> >+ act.sa_sigaction = syssig_handler;
> >+ sigaction(SIGSYS, &act, NULL);
> > }
> >
> > /* Find a likely location for support files using the location of the
> > binary.
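Review bot: `act` is reused from the SIGINT/SIGHUP/SIGTERM setup above, so the SIGSYS handler silently inherits whatever sa_flags and sa_mask were chosen for termsig_handler; syssig_handler depends on SA_SIGINFO staying set there, which deserves a comment. The handler is also installed regardless of whether seccomp_start() later installs a filter, which is harmless, but a one-line comment that SIGSYS is only expected from the seccomp SCMP_ACT_TRAP action would help the next reader, as would confirming that seccomp_start() runs after os_setup_signal_handling(), since a forbidden call in the window before the handler is installed would still die under the default disposition, only silently.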
> >diff --git a/qemu-seccomp.c b/qemu-seccomp.c
> >index 031da1d..897d9b3 100644
> >--- a/qemu-seccomp.c
> >+++ b/qemu-seccomp.c
> >@@ -2,9 +2,11 @@
> > * QEMU seccomp mode 2 support with libseccomp
> > *
> > * Copyright IBM, Corp. 2012
> >+ * Copyright (C) 2013 Red Hat, Inc.
> > *
> > * Authors:
> > * Eduardo Otubo <address@hidden>
> >+ * Michal Privoznik <address@hidden>
> > *
> > * This work is licensed under the terms of the GNU GPL, version 2. See
> > * the COPYING file in the top-level directory.
> >@@ -238,7 +240,7 @@ int seccomp_start(void)
> > unsigned int i = 0;
> > scmp_filter_ctx ctx;
> >
> >- ctx = seccomp_init(SCMP_ACT_KILL);
> >+ ctx = seccomp_init(SCMP_ACT_TRAP);
> > if (ctx == NULL) {
> > goto seccomp_return;
> > }
> >
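Review bot: changing the default action from SCMP_ACT_KILL to SCMP_ACT_TRAP changes the sandbox's failure semantics, and the commit message should say so. With KILL the kernel terminates the task without running any further user code; with TRAP the forbidden call is not executed, but the process receives a catchable SIGSYS and, if the handler returns, execution resumes after the syscall instruction with a failure return value. Any code able to call sigaction(), which the whitelist must permit for QEMU's own handlers, can therefore replace or ignore the handler and turn a fatal violation into a recoverable error, so the diagnostic is bought at the cost of KILL's tripwire property. If that trade-off is intended, state it; in any case make sure syssig_handler can never return, so no code path ever sees the error return of a blocked call.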
>
> Another thought. When seccomp kills a task the exit status of the
> task will be SIGSYS. Here's the kernel documentation:
>
> SECCOMP_RET_KILL:
> Results in the task exiting immediately without executing the
> system call. The exit status of the task (status & 0x7f) will
> be SIGSYS, not SIGKILL.
>
> Maybe the right solution is for libvirt to check qemu's exit status
> and issue a message based on it?
QEMU is daemonized, so libvirt doesn't get to see the exit status at
all.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
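Corey's point about the wait status and the patch's exit(1) in the handler interact: once the handler exits, the SIGSYS termination status quoted from the kernel documentation is gone. The following is an added example, not part of this thread or of QEMU, that forks children dying from SIGSYS three ways and decodes what the parent sees; raise(SIGSYS) stands in for a seccomp SCMP_ACT_TRAP event so it runs without libseccomp, and run_child, killing_signal, exit_code and the DIE_* modes are names assumed here.

```c
/* Added example, not QEMU code: what a supervisor observes in the wait status
 * when a child dies from SIGSYS (a) with the default disposition, (b) with a
 * handler that reports and exits like the patch, (c) with a handler that
 * reports, restores SIG_DFL and re-raises so the SIGSYS status survives. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum { DIE_DEFAULT, DIE_EXIT, DIE_RERAISE };
static volatile sig_atomic_t g_mode = DIE_DEFAULT;   /* set in the child */

/* Only async-signal-safe calls here: write(2), _exit(2), signal(2), raise(3). */
static void syssig_report(int sig, siginfo_t *info, void *ctx)
{
    static const char msg[] = "qemu: forbidden system call\n";
    (void)info; (void)ctx;
    (void)write(STDERR_FILENO, msg, sizeof msg - 1);
    if (g_mode == DIE_EXIT) {
        _exit(1);               /* patch's behaviour, minus the unsafe exit(3) */
    }
    signal(sig, SIG_DFL);       /* re-raise: delivered once the handler returns */
    raise(sig);
}

/* Fork a child that dies via SIGSYS in the given mode; returns the raw wait
 * status, or -1 if the child could not be created or waited for. */
int run_child(int mode)
{
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) {
        g_mode = mode;
        if (mode != DIE_DEFAULT) {
            struct sigaction act;
            memset(&act, 0, sizeof act);
            act.sa_sigaction = syssig_report;
            act.sa_flags = SA_SIGINFO;
            sigaction(SIGSYS, &act, NULL);
        }
        raise(SIGSYS);          /* stands in for a seccomp SCMP_ACT_TRAP event */
        _exit(99);              /* not reached */
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0) {
        return -1;
    }
    return status;
}

/* Decode as the kernel text does: (status & 0x7f) is the terminating signal. */
int killing_signal(int status) { return status >= 0 && WIFSIGNALED(status) ? WTERMSIG(status) : 0; }
int exit_code(int status) { return status >= 0 && WIFEXITED(status) ? WEXITSTATUS(status) : -1; }
```

Mode DIE_EXIT is the one a daemonized QEMU would present to nobody at all, as Daniel notes; DIE_RERAISE keeps both the stderr message and the SIGSYS status for any parent that does wait.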