[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 4/5] seccomp: block use of clone3 syscall
From: |
Daniel P . Berrangé |
Subject: |
[PATCH 4/5] seccomp: block use of clone3 syscall |
Date: |
Mon, 2 Aug 2021 14:03:02 +0100 |
Modern glibc will use clone3 instead of clone, when it detects that it
is available. We need to compare flags in order to decide whether to
allow clone (thread create vs process fork), but in clone3 the flags
are hidden inside a struct. Seccomp can't currently match on data inside
a struct, so our only option is to block clone3 entirely. If we use
ENOSYS to block it, then glibc transparently falls back to clone.
This may need to be revisited if Linux adds a new architecture in
future and only provides clone3, without clone.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
softmmu/qemu-seccomp.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/softmmu/qemu-seccomp.c b/softmmu/qemu-seccomp.c
index 57139cc9ce..a7bb5c350f 100644
--- a/softmmu/qemu-seccomp.c
+++ b/softmmu/qemu-seccomp.c
@@ -244,6 +244,10 @@ static const struct QemuSeccompSyscall denylist[] = {
RULE_CLONE_FLAG(CLONE_NEWPID),
RULE_CLONE_FLAG(CLONE_NEWNET),
RULE_CLONE_FLAG(CLONE_IO),
+#ifdef __SNR_clone3
+ { SCMP_SYS(clone3), QEMU_SECCOMP_SET_SPAWN,
+ 0, NULL, SCMP_ACT_ERRNO(ENOSYS) },
+#endif
/* resource control */
{ SCMP_SYS(setpriority), QEMU_SECCOMP_SET_RESOURCECTL,
0, NULL, SCMP_ACT_ERRNO(EPERM) },
--
2.31.1
- [PATCH 0/5] seccomp: fix hole in blocking forks, Daniel P . Berrangé, 2021/08/02
- [PATCH 1/5] seccomp: allow action to be customized per syscall, Daniel P . Berrangé, 2021/08/02
- [PATCH 4/5] seccomp: block use of clone3 syscall,
Daniel P . Berrangé <=
- [PATCH 5/5] seccomp: block setns, unshare and execveat syscalls, Daniel P . Berrangé, 2021/08/02
- [PATCH 2/5] seccomp: add unit test for seccomp filtering, Daniel P . Berrangé, 2021/08/02
- [PATCH 3/5] seccomp: fix blocking of process spawning, Daniel P . Berrangé, 2021/08/02
- Re: [PATCH 0/5] seccomp: fix hole in blocking forks, Eduardo Terrell Ferrari Otubo, 2021/08/04