Re: [Qemu-devel] [PATCH] seccomp: allow sched_setscheduler() with SCHED_IDLE policy

Wed, 11 Jul 2018 07:49:51 -0700 

On 10/07/2018 - 16:55:57, Marc-André Lureau wrote:
> Current and upcoming mesa releases rely on a shader disk cash. It uses
> a thread job queue with low priority, set with
> sched_setscheduler(SCHED_IDLE). However, that syscall is rejected by
> the "resourcecontrol" seccomp qemu filter.
> 
> Since it should be safe to allow lowering thread priority, let's allow
> scheduling thread to idle policy.
> 
> Related to:
> https://bugzilla.redhat.com/show_bug.cgi?id=1594456
> 
> Signed-off-by: Marc-André Lureau <[email protected]>
> ---
>  qemu-seccomp.c | 12 ++++++++++--
>  1 file changed, 10 insertions(+), 2 deletions(-)
> 
> diff --git a/qemu-seccomp.c b/qemu-seccomp.c
> index 148e4c6f24..9cd8eb9499 100644
> --- a/qemu-seccomp.c
> +++ b/qemu-seccomp.c
> @@ -34,6 +34,12 @@
>  struct QemuSeccompSyscall {
>      int32_t num;
>      uint8_t set;
> +    uint8_t narg;
> +    const struct scmp_arg_cmp *arg_cmp;
> +};
> +
> +const struct scmp_arg_cmp sched_setscheduler_arg[] = {
> +    SCMP_A1(SCMP_CMP_NE, SCHED_IDLE)
>  };
>  
>  static const struct QemuSeccompSyscall blacklist[] = {
> @@ -92,7 +98,8 @@ static const struct QemuSeccompSyscall blacklist[] = {
>      { SCMP_SYS(setpriority),            QEMU_SECCOMP_SET_RESOURCECTL },
>      { SCMP_SYS(sched_setparam),         QEMU_SECCOMP_SET_RESOURCECTL },
>      { SCMP_SYS(sched_getparam),         QEMU_SECCOMP_SET_RESOURCECTL },
> -    { SCMP_SYS(sched_setscheduler),     QEMU_SECCOMP_SET_RESOURCECTL },
> +    { SCMP_SYS(sched_setscheduler),     QEMU_SECCOMP_SET_RESOURCECTL,
> +      ARRAY_SIZE(sched_setscheduler_arg), sched_setscheduler_arg },
>      { SCMP_SYS(sched_getscheduler),     QEMU_SECCOMP_SET_RESOURCECTL },
>      { SCMP_SYS(sched_setaffinity),      QEMU_SECCOMP_SET_RESOURCECTL },
>      { SCMP_SYS(sched_getaffinity),      QEMU_SECCOMP_SET_RESOURCECTL },
> @@ -118,7 +125,8 @@ static int seccomp_start(uint32_t seccomp_opts)
>              continue;
>          }
>  
> -        rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, blacklist[i].num, 0);
> +        rc = seccomp_rule_add_array(ctx, SCMP_ACT_KILL, blacklist[i].num,
> +                                    blacklist[i].narg, blacklist[i].arg_cmp);
>          if (rc < 0) {
>              goto seccomp_return;
>          }
> -- 
> 2.18.0.129.ge3331758f1
> 

Acked-by: Eduardo Otubo <[email protected]>

Patch looks safe enough for me. If everyone else is OK with this I'll send a
pull-request tomorrow morning.

Attachment: signature.asc
Description: PGP signature

Reply via email to