On Wed, Mar 22, 2017 at 07:28:12PM -0000, Simon Déziel wrote:
> On 2017-03-22 03:08 PM, Eduardo Otubo wrote:
> > I'm working on a complete refactoring of the seccomp feature in qemu:
> > https://github.com/otubo/qemu/commits/seccomp-refactoring
>
> Nice. Since you are moving from whitelisting to blacklisting I don't
> think that will be easy to backport/SRU but I'll leave it up to you.
>
> > These patches are intended for 2.9, but will be able to be backported.
> > What's the urgency of this issue? Do you need a hotfix for it directly
> > for 2.5 or can it wait until my refactoring hits 2.9?
>
> There is no rush since we've been waiting since Trusty/2.0 already :)
> We'll start our new Xenial/2.5 cluster without sandbox and we'll revisit
> this once a SRU lands in Xenial. Please don't hesitate to ask me to test
> something if that can help. Thanks for the prompt reply!

Sure! I'll have you on CC whenever I post my v2 patches on the mailing
list so you can also keep track of this issue there. My plan is to
release it mid next week.

> Regards,
> Simon
>
> --
> You received this bug notification because you are subscribed to qemu in
> Ubuntu.
> Matching subscriptions: otubo
> https://bugs.launchpad.net/bugs/1675114
>
> Title:
>   QEMU seccomp sandbox missing a whitelist
>
> Status in qemu package in Ubuntu:
>   New
>
> Bug description:
>   We use Ganeti to spin QEMU/KVM VMs like this:
>
>   2017-03-22 12:40:57,002: ganeti-noded pid=14770 INFO RunCmd /usr/bin/kvm
>   -name test01.inet.hre.local -m 2048 -smp 1 -pidfile
>   /var/run/ganeti/kvm-hypervisor/pid/test01.inet.hre.local -balloon
>   virtio,id=balloon,bus=pci.0,addr=0x3 -daemonize -machine pc-i440fx-xenial
>   -monitor
>   unix:/var/run/ganeti/kvm-hypervisor/ctrl/test01.inet.hre.local.monitor,server,nowait
>   -serial
>   unix:/var/run/ganeti/kvm-hypervisor/ctrl/test01.inet.hre.local.serial,server,nowait
>   -usb -display none -chroot
>   /var/run/ganeti/kvm-hypervisor/chroot/test01.inet.hre.local -cpu
>   Haswell-noTSX -uuid d3de5e5b-ac6e-49f6-93c7-f7afdafc8760 -sandbox on -netdev
>   type=tap,id=hotnic-1225493e-pci-5,fd=10 -device
>   virtio-net-pci,mac=aa:00:00:66:9c:35,id=hotnic-1225493e-pci-5,bus=pci.0,addr=0x5,netdev=hotnic-1225493e-pci-5
>   -qmp
>   unix:/var/run/ganeti/kvm-hypervisor/ctrl/test01.inet.hre.local.qmp,server,nowait
>   -qmp
>   unix:/var/run/ganeti/kvm-hypervisor/ctrl/test01.inet.hre.local.kvmd,server,nowait
>   -boot c -device
>   virtio-blk-pci,drive=hotdisk-a48d943e-pci-4,id=hotdisk-a48d943e-pci-4,bus=pci.0,addr=0x4
>   -drive
>   file=/var/run/ganeti/instance-disks/test01.inet.hre.local:0,format=raw,if=none,cache=none,id=hotdisk-a48d943e-pci-4,bus=0,unit=4
>   -S -runas kvm451
>   2017-03-22 12:43:59,391: ganeti-noded pid=5083 INFO Received signal 15
>   asking for shutdown
>
>   This fails due to the seccomp sandbox not letting this syscall through:
>
>   [Wed Mar 22 12:40:57 2017] audit: type=1326 audit(1490200857.157:19):
>   auid=4294967295 uid=0 gid=0 ses=4294967295 pid=14923 comm="qemu-system-x86"
>   exe="/usr/bin/qemu-system-x86_64" sig=31 arch=c000003e syscall=161 compat=0
>   ip=0x7fd25f068b47 code=0x0
>
>   This happens right when the VM tries to start. It looks like
>   syscall=161 is sys_chroot. I suspect that the "-runas" feature will
>   also run into similar problems.
>
>   I found [0] that adds the missing whitelist entries but was not
>   accepted upstream due to the commit messages being a bit of a mess
>   [1]. IMHO, this would be a useful addition.
>
>   0: https://lists.gnu.org/archive/html/qemu-devel/2015-10/msg03167.html
>   1: https://lists.gnu.org/archive/html/qemu-devel/2015-10/msg04060.html
>
>   # lsb_release -rd
>   Description:    Ubuntu 16.04.2 LTS
>   Release:        16.04
>
>   # apt-cache policy qemu-system-x86 linux-image-4.4.0-67-generic
>   qemu-system-x86:
>     Installed: 1:2.5+dfsg-5ubuntu10.9
>     Candidate: 1:2.5+dfsg-5ubuntu10.9
>     Version table:
>    *** 1:2.5+dfsg-5ubuntu10.9 500
>           500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
>           100 /var/lib/dpkg/status
>        1:2.5+dfsg-5ubuntu10.6 500
>           500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
>        1:2.5+dfsg-5ubuntu10 500
>           500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
>   linux-image-4.4.0-67-generic:
>     Installed: 4.4.0-67.88
>     Candidate: 4.4.0-67.88
>     Version table:
>    *** 4.4.0-67.88 500
>           500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
>           500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
>           100 /var/lib/dpkg/status
>
>   ProblemType: Bug
>   DistroRelease: Ubuntu 16.04
>   Package: qemu-system-x86 1:2.5+dfsg-5ubuntu10.9
>   ProcVersionSignature: Ubuntu 4.4.0-67.88-generic 4.4.49
>   Uname: Linux 4.4.0-67-generic x86_64
>   ApportVersion: 2.20.1-0ubuntu2.5
>   Architecture: amd64
>   Date: Wed Mar 22 12:59:14 2017
>   InstallationDate: Installed on 2017-03-09 (12 days ago)
>   InstallationMedia: Ubuntu-Server 16.04.2 LTS "Xenial Xerus" - Release amd64 (20170215.8)
>   Lsusb:
>    Bus 002 Device 002: ID 8087:8002 Intel Corp.
>    Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
>    Bus 001 Device 003: ID 413c:a001 Dell Computer Corp. Hub
>    Bus 001 Device 002: ID 8087:800a Intel Corp.
>    Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
>   MachineType: Dell Inc. PowerEdge R830
>   ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-67-generic.efi.signed root=/dev/mapper/vghost-root ro kernel.panic=300
>   SourcePackage: qemu
>   UpgradeStatus: No upgrade log present (probably fresh install)
>   dmi.bios.date: 11/09/2016
>   dmi.bios.vendor: Dell Inc.
>   dmi.bios.version: 1.3.4
>   dmi.board.name: 0VVT0H
>   dmi.board.vendor: Dell Inc.
>   dmi.board.version: A01
>   dmi.chassis.type: 23
>   dmi.chassis.vendor: Dell Inc.
>   dmi.modalias: dmi:bvnDellInc.:bvr1.3.4:bd11/09/2016:svnDellInc.:pnPowerEdgeR830:pvr:rvnDellInc.:rn0VVT0H:rvrA01:cvnDellInc.:ct23:cvr:
>   dmi.product.name: PowerEdge R830
>   dmi.sys.vendor: Dell Inc.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1675114/+subscriptions

--
Eduardo Otubo
ProfitBricks GmbH

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1675114

Title:
  QEMU seccomp sandbox missing a whitelist

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1675114/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
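The report above decodes the audit record by hand (syscall=161 on arch=c000003e is chroot). The following is an added example, not code from the bug report, from QEMU or from Ubuntu: a small Python triage script that parses audit type=1326 (AUDIT_SECCOMP) records of the form shown in the report and turns them into the list of syscall names a whitelist would have to grow by. The first sample line is the report's own record rejoined onto one line; the second is a constructed line showing what the "-runas" privilege drop the reporter expects to fail next would look like if seccomp killed setuid(). The x86_64 syscall numbers for the set*id/setgroups family are my assumption from the kernel's syscall table, not something the report states; check them against /usr/include/asm/unistd_64.h on the host.

```python
import re

# x86_64 syscall numbers from the kernel's arch/x86/entry/syscalls/syscall_64.tbl.
# 161 (chroot) is the one the report decodes; the set*id/setgroups family is what
# a later "-runas" privilege drop would hit. These numbers are an assumption of
# this example, not something the report states: verify against unistd_64.h.
X86_64_SYSCALLS = {
    105: "setuid", 106: "setgid", 113: "setreuid", 114: "setregid",
    116: "setgroups", 117: "setresuid", 119: "setresgid", 161: "chroot",
}
AUDIT_ARCH_X86_64 = 0xC000003E  # the arch= value in the report
SIGSYS = 31                     # sig= value: seccomp delivered SIGSYS
SECCOMP_RET_KILL = 0x00000000   # code= value: the filter's action was KILL
AUID_UNSET = 0xFFFFFFFF         # auid=4294967295: no login uid was ever set

# key=value pairs; quoted values (comm=, exe=) may contain spaces.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_seccomp_audit(line):
    """Decode one audit type=1326 (AUDIT_SECCOMP) record.

    Returns a dict of the interesting fields, or None when the line is not a
    type=1326 record, so a whole dmesg or audit.log stream can be fed through.
    """
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    if fields.get("type") != "1326":
        return None
    arch = int(fields["arch"], 16)
    nr = int(fields["syscall"])
    if arch == AUDIT_ARCH_X86_64:
        name = X86_64_SYSCALLS.get(nr, "nr_%d" % nr)
    else:
        name = "arch_%x_nr_%d" % (arch, nr)  # no table for other arches here
    return {
        "pid": int(fields["pid"]),
        "comm": fields["comm"],
        "exe": fields["exe"],
        "arch": "x86_64" if arch == AUDIT_ARCH_X86_64 else hex(arch),
        "syscall_nr": nr,
        "syscall": name,
        "compat": fields.get("compat") == "1",
        # sig=31 together with code=0x0 is the KILL action: the process is gone,
        # which is why the VM never comes up rather than logging an errno.
        "killed": int(fields["sig"]) == SIGSYS
                  and int(fields["code"], 16) == SECCOMP_RET_KILL,
        "auid_unset": int(fields["auid"]) == AUID_UNSET,
    }


def killed_syscalls(lines):
    """Sorted set of syscall names that seccomp killed somewhere in `lines`.

    This is the set of entries the whitelist is missing for the workload that
    produced the log.
    """
    names = set()
    for line in lines:
        rec = parse_seccomp_audit(line)
        if rec and rec["killed"]:
            names.add(rec["syscall"])
    return sorted(names)


# Constructed sample input. The first line is the record from the bug report,
# rejoined onto one line. The second is a made-up record (not from the report)
# showing what a "-runas" setuid() kill would look like in the same format.
# The third is a non-seccomp record to show that it is skipped.
SAMPLE_LINES = [
    '[Wed Mar 22 12:40:57 2017] audit: type=1326 audit(1490200857.157:19): '
    'auid=4294967295 uid=0 gid=0 ses=4294967295 pid=14923 comm="qemu-system-x86" '
    'exe="/usr/bin/qemu-system-x86_64" sig=31 arch=c000003e syscall=161 compat=0 '
    'ip=0x7fd25f068b47 code=0x0',
    '[Wed Mar 22 12:41:03 2017] audit: type=1326 audit(1490200863.412:20): '
    'auid=4294967295 uid=0 gid=0 ses=4294967295 pid=14950 comm="qemu-system-x86" '
    'exe="/usr/bin/qemu-system-x86_64" sig=31 arch=c000003e syscall=105 compat=0 '
    'ip=0x7fd25f068b47 code=0x0',
    '[Wed Mar 22 12:41:03 2017] audit: type=1300 audit(1490200863.500:21): '
    'arch=c000003e syscall=59 success=yes exit=0 pid=14951',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_seccomp_audit(line)
        if rec:
            print("pid %d %s: %s (nr %d) killed=%s" % (
                rec["pid"], rec["comm"], rec["syscall"], rec["syscall_nr"],
                rec["killed"]))
    print("whitelist is missing:", killed_syscalls(SAMPLE_LINES))
```

Run it against `dmesg` or `/var/log/audit/audit.log` after a failed start with `-sandbox on`; because a KILL action ends the process at the first denied syscall, each run reveals only one missing entry, so expect to iterate (chroot first, then whatever `-runas` needs) until the VM comes up.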