Add kill() to seccomp whitelist, fix AC97 with -sandbox on (bz #1043521)
Change streaming mode default to off for spice (bz #1038336). Fix qemu-img ceph dep (bz #1024781).
parent
4b07b93c5a
commit
7a207f1857
|
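--- /dev/null
+++ b/0322-seccomp-add-kill-to-the-syscall-whitelist.patch
@@ -0,0 +1,42 @@
+From b16e5be879fd7386f0ad672ea02e3acee36d1e8e Mon Sep 17 00:00:00 2001
+From: Paul Moore <pmoore@redhat.com>
+Date: Thu, 21 Nov 2013 10:40:15 -0500
+Subject: [PATCH] seccomp: add kill() to the syscall whitelist
+
+The kill() syscall is triggered with the following command:
+
+# qemu -sandbox on -monitor stdio \
+-device intel-hda -device hda-duplex -vnc :0
+
+The resulting syslog/audit message:
+
+# ausearch -m SECCOMP
+----
+time->Wed Nov 20 09:52:08 2013
+type=SECCOMP msg=audit(1384912328.482:6656): auid=0 uid=0 gid=0 ses=854
+subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=12087
+comm="qemu-kvm" sig=31 syscall=62 compat=0 ip=0x7f7a1d2abc67 code=0x0
+# scmp_sys_resolver 62
+kill
+
+Reported-by: CongLi <coli@redhat.com>
+Tested-by: CongLi <coli@redhat.com>
+Signed-off-by: Paul Moore <pmoore@redhat.com>
+Acked-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
+(cherry picked from commit e9eecb5bf82a71564bf018fcbbfc6cda19cab6c2)
+---
+qemu-seccomp.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/qemu-seccomp.c b/qemu-seccomp.c
+index 4a57b4b..c85f608 100644
+--- a/qemu-seccomp.c
++++ b/qemu-seccomp.c
+@@ -121,6 +121,7 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
+{ SCMP_SYS(write), 244 },
+{ SCMP_SYS(fcntl), 243 },
+{ SCMP_SYS(tgkill), 242 },
++ { SCMP_SYS(kill), 242 },
+{ SCMP_SYS(rt_sigaction), 242 },
+{ SCMP_SYS(pipe2), 242 },
+{ SCMP_SYS(munmap), 242 },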
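Review bot: The new whitelist entry `{ SCMP_SYS(kill), 242 },` admits kill() with any target pid and any signal, which is a wider grant than the fix needs if the triggering call is self-directed; the audit record quoted in the patch shows the caller (comm="qemu-kvm") but not the target pid, so that cannot be confirmed from here. The QemuSeccompSyscall table carries only a syscall number and a priority, so the rule cannot be narrowed in this format; libseccomp does allow an argument filter such as `SCMP_A0(SCMP_CMP_EQ, getpid())` on the first argument, which would keep the sandbox from letting a compromised VM process signal (or probe with signal 0) other processes running under the same uid. At minimum the new line deserves a comment recording which code path issues kill() and whether a self-directed kill is all it needs, since the commit message gives only the reproduction command. The seccomp_whitelist[] array and the code that installs it begin and end outside the hunk.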
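--- /dev/null
+++ b/0323-spice-flip-streaming-video-mode-to-off-by-default.patch
@@ -0,0 +1,33 @@
+From 3bbf8ef814e238de967eb1ef90f63c23e1942ecd Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 2 Dec 2013 11:17:04 +0100
+Subject: [PATCH] spice: flip streaming video mode to off by default
+
+Video streaming detection heuristics in spice-server have problems
+keeping modern desktop animations (as done by gnome shell) and real
+video playback apart. This leads to jpeg compression artefacts on
+your desktop, due to spice using mjpeg to send what it thinks is
+a video stream.
+
+Turn off video detection by default to avoid these artifacts.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Alon Levy <alevy@redhat.com>
+(cherry picked from commit f1d3e586f069e17f83b669842bc02d60d509daca)
+---
+ui/spice-core.c | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/ui/spice-core.c b/ui/spice-core.c
+index bcc4199..76e5dcd 100644
+--- a/ui/spice-core.c
++++ b/ui/spice-core.c
+@@ -764,6 +764,8 @@ void qemu_spice_init(void)
+if (str) {
+int streaming_video = parse_stream_video(str);
+spice_server_set_streaming_video(spice_server, streaming_video);
++ } else {
++ spice_server_set_streaming_video(spice_server, SPICE_STREAM_VIDEO_OFF);
+}
+
+spice_server_set_agent_mouse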
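Review bot: The added `else` branch carries no comment, so a reader of ui/spice-core.c cannot tell why the spice-server default is being overridden; the rationale exists only in the commit message. A comment above the new lines along the lines of `/* Default to off: spice-server's stream detection mistakes desktop animations for video and mjpeg-compresses them, leaving artefacts. */` would carry it into the code. As a point of style the two branches can collapse into one call, `int streaming_video = str ? parse_stream_video(str) : SPICE_STREAM_VIDEO_OFF;` followed by `spice_server_set_streaming_video(spice_server, streaming_video);`, leaving a single place where the value is set. qemu_spice_init() begins and ends outside the hunk.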
24
qemu.spec
24
qemu.spec
|
@ -131,7 +131,7 @@
|
|||
Summary: QEMU is a FAST! processor emulator
|
||||
Name: qemu
|
||||
Version: 1.4.2
|
||||
Release: 14%{?dist}
|
||||
Release: 15%{?dist}
|
||||
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
|
||||
Epoch: 2
|
||||
License: GPLv2+ and LGPLv2+ and BSD
|
||||
|
@ -308,6 +308,11 @@ Patch0319: 0319-hw-9pfs-Be-robust-against-paths-without-FS_IOC_GETVE.patch
|
|||
Patch0320: 0320-hw-9pfs-Fix-errno-value-for-xattr-functions.patch
|
||||
# Fix process exit with -sandbox on (bz #1027421)
|
||||
Patch0321: 0321-seccomp-fine-tuning-whitelist-by-adding-times.patch
|
||||
# Add kill() to seccomp whitelist, fix AC97 with -sandbox on (bz
|
||||
# #1043521)
|
||||
Patch0322: 0322-seccomp-add-kill-to-the-syscall-whitelist.patch
|
||||
# Changing streaming mode default to off for spice (bz #1038336)
|
||||
Patch0323: 0323-spice-flip-streaming-video-mode-to-off-by-default.patch
|
||||
|
||||
BuildRequires: SDL-devel
|
||||
BuildRequires: zlib-devel
|
||||
|
@ -466,6 +471,13 @@ will install qemu-system-x86
|
|||
Summary: QEMU command line tool for manipulating disk images
|
||||
Group: Development/Tools
|
||||
|
||||
# ceph added new symbol rbd_aio_flush which qemu wants to use, but ceph
|
||||
# lacks symbol versioning so RPM doesn't pick up the dependency.
|
||||
# Need to keep this for the lifetime of f19
|
||||
%if %{with rbd}
|
||||
Requires: ceph-libs >= 0.61
|
||||
%endif
|
||||
|
||||
%description img
|
||||
This package provides a command line tool for manipulating disk images
|
||||
|
||||
|
@ -913,6 +925,11 @@ CAC emulation development files.
|
|||
%patch0320 -p1
|
||||
# Fix process exit with -sandbox on (bz #1027421)
|
||||
%patch0321 -p1
|
||||
# Add kill() to seccomp whitelist, fix AC97 with -sandbox on (bz
|
||||
# #1043521)
|
||||
%patch0322 -p1
|
||||
# Changing streaming mode default to off for spice (bz #1038336)
|
||||
%patch0323 -p1
|
||||
|
||||
%build
|
||||
%if %{with kvmonly}
|
||||
|
@ -1559,6 +1576,11 @@ getent passwd qemu >/dev/null || \
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Dec 18 2013 Cole Robinson <crobinso@redhat.com> - 2:1.4.2-15
|
||||
- Add kill() to seccomp whitelist, fix AC97 with -sandbox on (bz #1043521)
|
||||
- Changing streaming mode default to off for spice (bz #1038336)
|
||||
- Fix qemu-img ceph dep (bz #1024781)
|
||||
|
||||
* Sun Nov 17 2013 Cole Robinson <crobinso@redhat.com> - 2:1.4.2-14
|
||||
- Fix process exit with -sandbox on (bz #1027421)
|
||||
|
||||
|
|
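Review bot: The comment on the new Patch0322 line says the patch fixes AC97 with -sandbox on, but the patch file added in this same commit reproduces the failure with `-device intel-hda -device hda-duplex`, and the AC97 wording is repeated at the %patch0322 line and in the changelog; if bz #1043521 covers both audio devices the comment should say so, otherwise it names a device the patch text does not show being tested. The wrapped comment also leaves a stray line reading `# #1043521`; keeping the reference on one line, `# Add kill() to seccomp whitelist, fix audio (AC97/intel-hda) with -sandbox on (bz #1043521)`, avoids that. The manual `Requires: ceph-libs >= 0.61` in the img subpackage is, as its comment says, a stand-in for missing symbol versioning; naming there which qemu-img code needs rbd_aio_flush would let the floor be dropped once ceph-libs exports versioned symbols.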