Add kill() to seccomp whitelist, fix AC97 with -sandbox on (bz #1043521)

Changing streaming mode default to off for spice (bz #1038336) Fix qemu-img ceph dep (bz #1024781)
2013-12-18 12:13:47 -05:00 · 2013-12-18 12:13:47 -05:00 · 7a207f1857
parent 4b07b93c5a
commit 7a207f1857
3 changed files with 98 additions and 1 deletions
--- a/0322-seccomp-add-kill-to-the-syscall-whitelist.patch
+++ b/0322-seccomp-add-kill-to-the-syscall-whitelist.patch
@ -0,0 +1,42 @@
+From b16e5be879fd7386f0ad672ea02e3acee36d1e8e Mon Sep 17 00:00:00 2001
+From: Paul Moore <pmoore@redhat.com>
+Date: Thu, 21 Nov 2013 10:40:15 -0500
+Subject: [PATCH] seccomp: add kill() to the syscall whitelist
+
+The kill() syscall is triggered with the following command:
+
+ # qemu -sandbox on -monitor stdio \
+        -device intel-hda -device hda-duplex -vnc :0
+
+The resulting syslog/audit message:
+
+ # ausearch -m SECCOMP
+ ----
+ time->Wed Nov 20 09:52:08 2013
+ type=SECCOMP msg=audit(1384912328.482:6656): auid=0 uid=0 gid=0 ses=854
+  subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=12087
+  comm="qemu-kvm" sig=31 syscall=62 compat=0 ip=0x7f7a1d2abc67 code=0x0
+ # scmp_sys_resolver 62
+ kill
+
+Reported-by: CongLi <coli@redhat.com>
+Tested-by: CongLi <coli@redhat.com>
+Signed-off-by: Paul Moore <pmoore@redhat.com>
+Acked-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
+(cherry picked from commit e9eecb5bf82a71564bf018fcbbfc6cda19cab6c2)
+---
+ qemu-seccomp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/qemu-seccomp.c b/qemu-seccomp.c
+index 4a57b4b..c85f608 100644
+--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
+@@ -121,6 +121,7 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
+     { SCMP_SYS(write), 244 },
+     { SCMP_SYS(fcntl), 243 },
+     { SCMP_SYS(tgkill), 242 },
+    { SCMP_SYS(kill), 242 },
+     { SCMP_SYS(rt_sigaction), 242 },
+     { SCMP_SYS(pipe2), 242 },
+     { SCMP_SYS(munmap), 242 },
--- a/0323-spice-flip-streaming-video-mode-to-off-by-default.patch
+++ b/0323-spice-flip-streaming-video-mode-to-off-by-default.patch
@ -0,0 +1,33 @@
+From 3bbf8ef814e238de967eb1ef90f63c23e1942ecd Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 2 Dec 2013 11:17:04 +0100
+Subject: [PATCH] spice: flip streaming video mode to off by default
+
+Video streaming detection heuristics in spice-server have problems
+keeping modern desktop animations (as done by gnome shell) and real
+video playback apart.  This leads to jpeg compression artefacts on
+your desktop, due to spice using mjpeg to send what it thinks is
+a video stream.
+
+Turn off video detection by default to avoid these artifacts.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Alon Levy <alevy@redhat.com>
+(cherry picked from commit f1d3e586f069e17f83b669842bc02d60d509daca)
+---
+ ui/spice-core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ui/spice-core.c b/ui/spice-core.c
+index bcc4199..76e5dcd 100644
+--- a/ui/spice-core.c
+++ b/ui/spice-core.c
+@@ -764,6 +764,8 @@ void qemu_spice_init(void)
+     if (str) {
+         int streaming_video = parse_stream_video(str);
+         spice_server_set_streaming_video(spice_server, streaming_video);
+    } else {
+        spice_server_set_streaming_video(spice_server, SPICE_STREAM_VIDEO_OFF);
+     }
+ 
+     spice_server_set_agent_mouse
--- a/qemu.spec
+++ b/qemu.spec
@ -131,7 +131,7 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 1.4.2
-Release: 14%{?dist}
+Release: 15%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
@ -308,6 +308,11 @@ Patch0319: 0319-hw-9pfs-Be-robust-against-paths-without-FS_IOC_GETVE.patch
 Patch0320: 0320-hw-9pfs-Fix-errno-value-for-xattr-functions.patch
 # Fix process exit with -sandbox on (bz #1027421)
 Patch0321: 0321-seccomp-fine-tuning-whitelist-by-adding-times.patch
+# Add kill() to seccomp whitelist, fix AC97 with -sandbox on (bz
+# #1043521)
+Patch0322: 0322-seccomp-add-kill-to-the-syscall-whitelist.patch
+# Changing streaming mode default to off for spice (bz #1038336)
+Patch0323: 0323-spice-flip-streaming-video-mode-to-off-by-default.patch

 BuildRequires: SDL-devel
 BuildRequires: zlib-devel
@ -466,6 +471,13 @@ will install qemu-system-x86
 Summary: QEMU command line tool for manipulating disk images
 Group: Development/Tools

+# ceph added new symbol rbd_aio_flush which qemu wants to use, but ceph
+# lacks symbol versioning so RPM doesn't pick up the dependency.
+# Need to keep this for the lifetime of f19
+%if %{with rbd}
+Requires: ceph-libs >= 0.61
+%endif
+
 %description img
 This package provides a command line tool for manipulating disk images

@ -913,6 +925,11 @@ CAC emulation development files.
 %patch0320 -p1
 # Fix process exit with -sandbox on (bz #1027421)
 %patch0321 -p1
+# Add kill() to seccomp whitelist, fix AC97 with -sandbox on (bz
+# #1043521)
+%patch0322 -p1
+# Changing streaming mode default to off for spice (bz #1038336)
+%patch0323 -p1

 %build
 %if %{with kvmonly}
@ -1559,6 +1576,11 @@ getent passwd qemu >/dev/null || \
 %endif

 %changelog
+* Wed Dec 18 2013 Cole Robinson <crobinso@redhat.com> - 2:1.4.2-15
+- Add kill() to seccomp whitelist, fix AC97 with -sandbox on (bz #1043521)
+- Changing streaming mode default to off for spice (bz #1038336)
+- Fix qemu-img ceph dep (bz #1024781)
+
 * Sun Nov 17 2013 Cole Robinson <crobinso@redhat.com> - 2:1.4.2-14
 - Fix process exit with -sandbox on (bz #1027421)