Qemu fails silently with exit code 1 when using daemonize and the sandbox option elevateprivileges=deny. This behavior got introduced by 0546c0609cb5a8d90c1cbac8e0d64b5a048bbb19 where the sandbox option gets parsed and enforced *before* daemonizing. Since the os_daemonize libc-call uses the syscall setsid, qemu gets killed by the signal 13 (SIGSYS).
The documentation (https://qemu.readthedocs.io/en/latest/system/security.html#isolation-mechanisms) states that sandboxing "[...] disables system calls that are not needed by QEMU[...]", but setsid obviously is needed.
What I expected:
- a hint in the documentation of the flags that elevateprivileges AND daemonize contradict -or-
- working combination
Reproducer:
$ qemu-system-x86_64 -sandbox on,elevateprivileges=deny -daemonize
Package: 1:6.2+dfsg-2ubuntu5
Ubuntu Version: 22.04 (Jammy Jellyfish)
dmesg:
[ 181.064898] audit: type=1326 audit(1646924855.830:13): auid=0 uid=0 gid=0 ses=1 subj=? pid=3622 comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" sig=31 arch=c000003e syscall=112 compat=0 ip=0x7f725964f40b code=0x80000000
Coredump:
PID: 4402 (qemu-system-x86)
UID: 0 (root)
GID: 0 (root)
Signal: 31 (SYS)
Timestamp: Thu 2022-03-10 15:10:37 UTC (37s ago)
Command Line: qemu-system-x86_64 -sandbox on,elevateprivileges=deny -daemonize
Executable: /usr/bin/qemu-system-x86_64
Control Group: /user.slice/user-0.slice/session-1.scope
Unit: session-1.scope
Slice: user-0.slice
Session: 1
Owner UID: 0 (root)
Boot ID: 3cdf72ff261640e3a3f9e887d159bb2a
Machine ID: 72874f2d047d4c87887abbc727924413
Hostname: raphael-20220310-145731
Storage: /var/lib/systemd/coredump/core.qemu-system-x86.0.3cdf72ff261640e3a3f9e887d159bb2a.4402.1646925037000000.zst (present)
Disk Size: 405.6K
Message: Process 4402 (qemu-system-x86) of user 0 dumped core.
Found module linux-vdso.so.1 with build-id: aea445f382fbc134b3bc979d61dd291e78bea882
Found module libcrypto.so.3 with build-id: 16bbb788a98f53a5cd5ce19936946a279603f77a
Found module liblzma.so.5 with build-id: 3eeacec54c1e109d7486961e9b56c01023dd492e
Found module libpcre2-8.so.0 with build-id: 730c613f1746c1ddfca8a4420385ac363e86e2a2
Found module libblkid.so.1 with build-id: cdf95a964e3302bb356fefc4b801fae8c4340b31
Found module libkmod.so.2 with build-id: c8ac4bc8d0fe03ceb8cad8d24484c5cbad9daf5a
Found module libuuid.so.1 with build-id: 64c0d0cb22fa2bdeca075a0c0418ba5ff314b220
Found module libnl-route-3.so.200 with build-id: 0d1ec15c789fe7cc860df8d8d2004a6c7b03c2a3
Found module libnl-3.so.200 with build-id: 63256316bd1135d4745d740781b42ca55f77a24f
Found module libpcre.so.3 with build-id: 56ddb828685e501f1498130d1cc7f51c242554c1
Found module libffi.so.8 with build-id: 59c2a6b204f74f358ca7711d2dfd349d88711f6a
Found module libselinux.so.1 with build-id: 2195967b677f320e35e0cdafe08a4713bc2a95e8
Found module libmount.so.1 with build-id: eeb33f2b4b9c3eb0a29575eb9932ef08663bd836
Found module libdaxctl.so.1 with build-id: f7dfbca3d72bc7ba36d6b60a28119269f2504db2
Found module libndctl.so.6 with build-id: 22fb97cc03c9bc2e81c12c5e1f82973cfea86338
Found module libgmp.so.10 with build-id: f110719303ddbea25a5e89ff730fec520eed67b0
Found module libhogweed.so.6 with build-id: 01a0b20878b525a7a33197fc23b738654682f3c4
Found module libtasn1.so.6 with build-id: efacd0b1b8ccb481fcb501cf76cf07cb2c444d45
Found module libunistring.so.2 with build-id: ca5149da8d5a298b8f286ffca3d6e2402ec0fe01
Found module libidn2.so.0 with build-id: f477d28cad4d54daee0070cd4949f0487ac93afc
Found module libp11-kit.so.0 with build-id: 6e579cbca24932056e99bb54557cd5a1234811ea
Found module ld-linux-x86-64.so.2 with build-id: c83a452679d23179c2ddd07c5c25d182e54908df
Found module libc.so.6 with build-id: 094a2d85f72e893d0c15a66812d51d5493e30860
Found module libgcc_s.so.1 with build-id: 443a1e5dd16a55fd142e5e5fcdc544ba2052dda0
Found module libm.so.6 with build-id: a9832e9d3a777fc99a89d92e359eec6395deca29
Found module libaio.so.1 with build-id: a21eb19f17dd68947804f035aa6c27cd73a70439
Found module libfuse3.so.3 with build-id: d45830188e873e270f28ab91f11e6fc7d7b2159c
Found module libnettle.so.8 with build-id: 89ee6d2af3edfaf90640d96b94afcef1e43d74a2
Found module libgmodule-2.0.so.0 with build-id: d64002b7a12e58f579eecf952daeb61435f8f343
Found module liburing.so.2 with build-id: 976771a582fd2e5c62faff76c026b09eaf3335a0
Found module libudev.so.1 with build-id: ffd1278cf71c4c9c09bac7cdefac3d58b9e1d1f8
Found module libslirp.so.0 with build-id: ccb8518051352845e15c5702d534bfb703b683d3
Found module libzstd.so.1 with build-id: b5600f7bc62e7915ed7199c8c486e3ff3af0ce16
Found module libibverbs.so.1 with build-id: b562c2bac28667351afdd7bd49ac534d118c4f6e
Found module librdmacm.so.1 with build-id: 72f988fe1f74a0241f65f4cd16ed26df6279920c
Found module libglib-2.0.so.0 with build-id: fb79c175ac99bf40796a1e2c66c4e2bd24aaeeaa
Found module libgobject-2.0.so.0 with build-id: bb28703f64aac29648fdf9ee790291dc2e8f309d
Found module libgio-2.0.so.0 with build-id: 8061f2c2287fdb8e35f0dcd0d8cd37f1628478f8
Found module libnuma.so.1 with build-id: 0bc332b68b3900db9579c7e29fd534de7250b43e
Found module libfdt.so.1 with build-id: 6f636bd87d7fabc7e33e0bb5f813e9c457f65095
Found module libseccomp.so.2 with build-id: 50e714eb138a4a1a38f41f084aefb51d6a9ebf1c
Found module libpmem.so.1 with build-id: dee04fd8f01a6c80d81a2e9eec986a30c459ab32
Found module libsasl2.so.2 with build-id: 562c038e4a5a2196c9c085cd1f9276e3641399a6
Found module libgnutls.so.30 with build-id: 843b60988232157225bc1f0a293321992abd107b
Found module libjpeg.so.8 with build-id: c54abff9294357e28532a76a049a4cb2542fc15b
Found module libpng16.so.16 with build-id: 44f16132c2457c1289f64093e541ed4036be19ec
Found module libz.so.1 with build-id: ef650611451904165e9caf6080ecbaad50b84d3f
Found module libpixman-1.so.0 with build-id: da7de7a61faeedaec7d25546ac1b0a9d4f141651
Found module qemu-system-x86_64 with build-id: 5cb2521c24e8f3bd7d22a87f13fafc0ba539a8b4
Stack trace of thread 4402:
#0 0x00007faf4337d40b setsid (libc.so.6 + 0xf040b)
#1 0x000055afe3467128 os_daemonize (qemu-system-x86_64 + 0x848128)
#2 0x000055afe3314fe3 qemu_init (qemu-system-x86_64 + 0x6f5fe3)
#3 0x000055afe3008fdd main (qemu-system-x86_64 + 0x3e9fdd)
#4 0x00007faf432bad90 n/a (libc.so.6 + 0x2dd90)
#5 0x00007faf432bae40 __libc_start_main (libc.so.6 + 0x2de40)
#6 0x000055afe300b955 _start (qemu-system-x86_64 + 0x3ec955)
Stack trace of thread 4403:
#0 0x00007faf433b7b6d n/a (libc.so.6 + 0x12ab6d)
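The failure mode in this report can be reproduced outside QEMU. The following added example (not from the bug report and not QEMU's code; QEMU uses libseccomp, this uses a raw seccomp-bpf filter) installs a filter that kills the process with SIGSYS on setsid(2) only, standing in for the elevateprivileges=deny rule, and runs both orderings in a forked child: filter first, then setsid (the order from the report, matching the dmesg line above where syscall=112 is __NR_setsid on x86_64 and sig=31 is SIGSYS), and setsid first, then filter (the order a daemonize-before-sandbox fix would produce). The function names are hypothetical.

```c
// Added example: seccomp-bpf filter denying setsid(2), run in a forked child
// so the parent can observe whether the child was killed by SIGSYS.
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Install a filter that allows every syscall except setsid(2), which is
 * answered with SIGSYS (like QEMU's elevateprivileges=deny for this one
 * call). Returns 0 on success, -1 on failure. */
static int install_deny_setsid_filter(void)
{
    struct sock_filter filter[] = {
        /* Check the architecture first; kill on a foreign ABI. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load the syscall number; kill on setsid, allow everything else. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_setsid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* Needed so an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Run one ordering in a child process. filter_first=1 mirrors the order in
 * the report (sandbox enforced, then os_daemonize calls setsid).
 * Returns the signal that killed the child, 0 if it exited cleanly,
 * or -1 on any other error. */
static int run_ordering(int filter_first)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (filter_first) {
            if (install_deny_setsid_filter() != 0) _exit(2);
            if (setsid() < 0) _exit(3);   /* never returns: SIGSYS */
        } else {
            if (setsid() < 0) _exit(3);   /* daemonize-style step first */
            if (install_deny_setsid_filter() != 0) _exit(2);
        }
        _exit(0);                         /* sandboxed and still alive */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return 0;
    return -1;
}

int main(void)
{
    printf("filter, then setsid: killed by signal %d (SIGSYS is %d)\n",
           run_ordering(1), SIGSYS);
    printf("setsid, then filter: result %d (0 = exited normally)\n",
           run_ordering(0));
    return 0;
}
```

The check a practitioner wants from this is the ordering: any privilege-dropping step that still needs a denied syscall (here setsid for daemonizing) has to run before the seccomp filter is enforced, since a filter cannot be loosened afterwards. The child in the first ordering dies exactly like the coredump above, without qemu ever reporting why.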
Hi Raphael,
Thank you for your report - I can confirm your finding and agree that it would be nicer to either work or be better documented.
The change introducing it was first in v6.0.0 and thereby Impish and later are affected (I updated the bug tasks to reflect that).
This case isn't Ubuntu only and IMHO not severe enough to add patches on top of just our builds. The best path forward I'd think is to report the very same upstream [1] and report the opened issue here. We can then track an upstream fix to this and apply it to Ubuntu as well from there.
[1]: https://gitlab.com/qemu-project/qemu/-/issues?sort=created_date&state=opened