missing seccomp whitelist for qemu-kvm

Bug #1560149 reported by Simon Déziel on 2016-03-21
Affects: qemu (Ubuntu)

Bug Description

Steps to reproduce:

1) set "seccomp_sandbox = 1" in /etc/libvirt/qemu.conf
2) restart libvirt-bin
3) create a guest using the attached .xml file
4) start the guest

Current behavior: the guest will remain in the "paused" state and fail to start because of this:

audit: type=1326 audit(1458582324.294:87): auid=4294967295 uid=114 gid=123 ses=4294967295 pid=17695 comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" sig=31 arch=c000003e syscall=99 compat=0 ip=0x7fc47c3557d7 code=0x0

Expected behavior: the guest would start normally

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: libvirt-bin 1.3.1-1ubuntu6
ProcVersionSignature: Ubuntu 4.4.0-15.31-generic 4.4.6
Uname: Linux 4.4.0-15-generic x86_64
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
ApportVersion: 2.20-0ubuntu3
Architecture: amd64
CurrentDesktop: Unity
Date: Mon Mar 21 13:40:41 2016

SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu.conf']
modified.conffile..etc.libvirt.qemu.networks.default.xml: [deleted]
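The audit record above is the only evidence the report gives of why the guest stays paused, and reading it by hand means looking up the arch code, the syscall number and the signal. The following Python is an added example (not code from the bug report, qemu or libvirt) that decodes a type=1326 (AUDIT_SECCOMP) record and, separately, reads the Seccomp mode out of a /proc/PID/status dump so an operator can confirm the sandbox is actually in filter mode. The syscall table is a deliberately partial x86_64 subset and the arch/action/signal tables only cover the values needed here; both are assumptions of the example, and the sample audit line and status text are constructed from the values in the report.

```python
import re

# Constructed sample: the audit record from the bug report, as dmesg/auditd prints it.
SAMPLE_AUDIT_LINE = (
    'audit: type=1326 audit(1458582324.294:87): auid=4294967295 uid=114 gid=123 '
    'ses=4294967295 pid=17695 comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" '
    'sig=31 arch=c000003e syscall=99 compat=0 ip=0x7fc47c3557d7 code=0x0'
)

# Constructed sample of the relevant lines of /proc/<pid>/status for the sandboxed qemu.
SAMPLE_PROC_STATUS = "Name:\tqemu-system-x86\nPid:\t17695\nSeccomp:\t2\n"

# AUDIT_ARCH_* values from <linux/audit.h>; only the two this example needs (assumption).
AUDIT_ARCH = {0xC000003E: "x86_64", 0x40000003: "i386"}

# Partial x86_64 syscall table (arch/x86/entry/syscalls/syscall_64.tbl). The real table
# is far longer; this subset is an assumption of the example, sufficient for syscall=99.
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 3: "close", 59: "execve",
                   60: "exit", 99: "sysinfo", 231: "exit_group", 257: "openat"}

SIGNALS = {9: "SIGKILL", 31: "SIGSYS"}

# SECCOMP_RET_* actions live in the upper 16 bits of 'code' (<linux/seccomp.h>).
SECCOMP_ACTIONS = {0x00000000: "KILL", 0x00030000: "TRAP", 0x00050000: "ERRNO",
                   0x7FF00000: "TRACE", 0x7FFF0000: "ALLOW"}

SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}

# key=value pairs; quoted values (comm, exe) may contain spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_seccomp_audit(line):
    """Decode one AUDIT_SECCOMP (type=1326) record into a dict.

    Returns None for any other record type so the function can be run over a
    whole log and only the seccomp kills come back.
    """
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    if fields.get("type") != "1326":
        return None
    arch = int(fields["arch"], 16)
    nr = int(fields["syscall"])
    code = int(fields["code"], 16)
    arch_name = AUDIT_ARCH.get(arch, hex(arch))
    if arch_name == "x86_64":
        name = X86_64_SYSCALLS.get(nr, f"syscall_{nr}")
    else:
        name = f"syscall_{nr}"  # no table embedded for other architectures
    return {
        "pid": int(fields["pid"]),
        "comm": fields["comm"],
        "exe": fields["exe"],
        "arch": arch_name,
        "syscall_nr": nr,
        "syscall": name,
        "signal": SIGNALS.get(int(fields["sig"]), fields["sig"]),
        "action": SECCOMP_ACTIONS.get(code & 0xFFFF0000, hex(code)),
    }


def seccomp_mode(status_text):
    """Return the seccomp mode name from the 'Seccomp:' field of /proc/<pid>/status.

    A qemu started with seccomp_sandbox=1 should report mode 2 ("filter");
    "disabled" means the sandbox never engaged at all.
    """
    for line in status_text.splitlines():
        if line.startswith("Seccomp:"):
            return SECCOMP_MODES.get(int(line.split(":", 1)[1]))
    return None  # kernel built without CONFIG_SECCOMP exposes no such field


def describe(line):
    """One-line human summary of a seccomp kill, or None if the line is not one."""
    rec = parse_seccomp_audit(line)
    if rec is None:
        return None
    return (f"pid {rec['pid']} ({rec['comm']}) got {rec['signal']}: seccomp {rec['action']} "
            f"on {rec['arch']} syscall {rec['syscall_nr']} ({rec['syscall']})")


if __name__ == "__main__":
    print(describe(SAMPLE_AUDIT_LINE))
    print("sandbox mode of sample process:", seccomp_mode(SAMPLE_PROC_STATUS))
```

Run against the record from the report, `describe` shows the kill was for syscall 99 (sysinfo) on x86_64 with action KILL, which is what makes the guest appear "paused" rather than fail loudly: the qemu process is killed by SIGSYS before it can report anything back to libvirt. To use it on a live system, feed it lines from `dmesg` or `/var/log/audit/audit.log` and the text of `/proc/<qemu pid>/status`.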

Simon Déziel (sdeziel) wrote :
description: updated
Simon Déziel (sdeziel) wrote :

I'm attaching an even simpler guest definition that also fails to boot.

Simon Déziel (sdeziel) wrote :

I believe the seccomp whitelist is provided by qemu itself, not libvirt.

Changed in libvirt (Ubuntu):
status: New → Invalid
Eduardo Otubo (otubo) wrote :

Yes, that's correct. This syscall list is controlled and hard-coded inside Qemu. I'll send a patch in order to fix this issue.
Thanks for reporting.

Serge Hallyn (serge-hallyn) wrote :

Sounds like you need the sysinfo system call added. It's not there upstream, so I wonder whether that indicates there's a bug causing that to be needed, or that no one upstream is using seccomp.

Simon Déziel (sdeziel) wrote :

The sysinfo syscall was discussed in https://lists.nongnu.org/archive/html/qemu-devel/2016-03/msg01365.html so upstream is aware of this at least and Eduardo being the qemu-seccomp maintainer is good.

@otubo, if you have a patch that needs testing please don't hesitate.

Simon Déziel (sdeziel) wrote :

The attached debdiff fixes the problem and built successfully in PPA.

Simon Déziel (sdeziel) wrote :

Seems I was too slow, thanks Serge!

Serge Hallyn (serge-hallyn) wrote :

Oops. Thanks, and thanks for the m-l link.

The attachment "lp1560149.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Simon Déziel (sdeziel) on 2016-04-12
Changed in qemu (Ubuntu):
status: New → Fix Committed
Mathew Hodson (mhodson) on 2016-04-12
no longer affects: libvirt (Ubuntu)
Changed in qemu (Ubuntu):
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu - 1:2.5+dfsg-5ubuntu7

qemu (1:2.5+dfsg-5ubuntu7) xenial; urgency=medium

  * Cherrypick patch from mailing list to fix qemu in sandbox. (LP: #1560149)

 -- Serge Hallyn <email address hidden> Mon, 11 Apr 2016 15:13:06 -0500

Changed in qemu (Ubuntu):
status: Fix Committed → Fix Released