7a207f1857
Changing streaming mode default to off for spice (bz #1038336) Fix qemu-img ceph dep (bz #1024781)
43 lines
1.4 KiB
Diff
43 lines
1.4 KiB
Diff
From b16e5be879fd7386f0ad672ea02e3acee36d1e8e Mon Sep 17 00:00:00 2001
|
|
From: Paul Moore <pmoore@redhat.com>
|
|
Date: Thu, 21 Nov 2013 10:40:15 -0500
|
|
Subject: [PATCH] seccomp: add kill() to the syscall whitelist
|
|
|
|
The kill() syscall is triggered with the following command:
|
|
|
|
# qemu -sandbox on -monitor stdio \
|
|
-device intel-hda -device hda-duplex -vnc :0
|
|
|
|
The resulting syslog/audit message:
|
|
|
|
# ausearch -m SECCOMP
|
|
----
|
|
time->Wed Nov 20 09:52:08 2013
|
|
type=SECCOMP msg=audit(1384912328.482:6656): auid=0 uid=0 gid=0 ses=854
|
|
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=12087
|
|
comm="qemu-kvm" sig=31 syscall=62 compat=0 ip=0x7f7a1d2abc67 code=0x0
|
|
# scmp_sys_resolver 62
|
|
kill
|
|
|
|
Reported-by: CongLi <coli@redhat.com>
|
|
Tested-by: CongLi <coli@redhat.com>
|
|
Signed-off-by: Paul Moore <pmoore@redhat.com>
|
|
Acked-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
|
|
(cherry picked from commit e9eecb5bf82a71564bf018fcbbfc6cda19cab6c2)
|
|
---
|
|
qemu-seccomp.c | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
|
|
index 4a57b4b..c85f608 100644
|
|
--- a/qemu-seccomp.c
|
|
+++ b/qemu-seccomp.c
|
|
@@ -121,6 +121,7 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
|
|
{ SCMP_SYS(write), 244 },
|
|
{ SCMP_SYS(fcntl), 243 },
|
|
{ SCMP_SYS(tgkill), 242 },
|
|
+ { SCMP_SYS(kill), 242 },
|
|
{ SCMP_SYS(rt_sigaction), 242 },
|
|
{ SCMP_SYS(pipe2), 242 },
|
|
{ SCMP_SYS(munmap), 242 },
|