1. 20 Jan, 2014 2 commits
    • seccomp: add some basic shared memory syscalls to the whitelist · 918b94e2
      Paul Moore authored
      PulseAudio requires the use of shared memory so add shmget(), shmat(),
      and shmdt() to the syscall whitelist.
      Reported-by: xuhan@redhat.com
      Signed-off-by: Paul Moore <pmoore@redhat.com>
    • seccomp: add mkdir() and fchmod() to the whitelist · 0c2acb16
      Paul Moore authored
      The PulseAudio library attempts to do a mkdir(2) and fchmod(2) on
      "/run/user/<UID>/pulse" which is currently blocked by the syscall
      filter; this patch adds the two missing syscalls to the whitelist.
      You can reproduce this problem with the following command:
       # qemu -monitor stdio -device intel-hda -device hda-duplex
      If watched under strace the following syscalls are shown:
       mkdir("/run/user/0/pulse", 0700)
       fchmod(11, 0700) [NOTE: 11 is the fd for /run/user/0/pulse]
      Reported-by: xuhan@redhat.com
      Signed-off-by: Paul Moore <pmoore@redhat.com>
  2. 20 Dec, 2013 1 commit
  3. 03 Dec, 2013 1 commit
  4. 24 Sep, 2013 1 commit
  5. 30 Jul, 2013 2 commits
  6. 26 Jul, 2013 2 commits
  7. 30 May, 2013 1 commit
  8. 19 Dec, 2012 1 commit
  9. 30 Nov, 2012 1 commit
  10. 16 Aug, 2012 1 commit
    • Adding qemu-seccomp.[ch] (v8) · 2f668be7
      Eduardo Otubo authored
      Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
      Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
       - I added a syscall struct using priority levels as described in the
         libseccomp man page. The priority numbers are based on the frequency
         they appear in a sample strace from a regular qemu guest run under
         Libseccomp generates linear BPF code to filter system calls, those rules
         are read one after another. The priority system places the most common
         rules first in order to reduce the overhead when processing them.
      v1 -> v2:
       - Fixed some style issues
       - Removed code from vl.c and created qemu-seccomp.[ch]
       - Now using ARRAY_SIZE macro
       - Added more syscalls without priority/frequency set yet
      v2 -> v3:
       - Adding copyright and license information
       - Replacing seccomp_whitelist_count just by ARRAY_SIZE
       - Adding header protection to qemu-seccomp.h
       - Moving QemuSeccompSyscall definition to qemu-seccomp.c
       - Negative return from seccomp_start is fatal now.
       - Adding open() and execve() to the whitelist
      v3 -> v4:
       - Tests revealed a bigger set of syscalls.
       - seccomp_start() now has an argument to set the mode according to the
         configure option trap or kill.
      v4 -> v5:
       - Tests on x86_64 required a new specific set of system calls.
       - libseccomp release 1.0.0: part of the API have changed in this last
         release, had to adapt to the new function signatures.
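The two procedures these commit messages describe, diagnosing a blocked syscall by watching the workload under strace (the mkdir()/fchmod() commit) and ordering the whitelist by how often each syscall appears in a sample trace (the v8 commit), can be reproduced with a small analysis script. The following is an added example, not QEMU's qemu-seccomp.c and not libseccomp code: it parses strace output, counts syscalls, reports which ones a given whitelist would still block, and emits a frequency-ordered table. The trace text is constructed, the "255 minus rank" priority scheme is an assumption chosen for illustration (libseccomp only defines the 0..255 range with higher values checked earlier), and the `{ SCMP_SYS(name), priority }` initialiser shape is assumed rather than copied from the QemuSeccompSyscall definition mentioned above.

```python
"""Frequency-ordered seccomp whitelist from strace output.

Added example (not QEMU or libseccomp code). It models the procedure the
commit messages describe: run the workload under strace, count how often
each syscall appears, order the whitelist so the most frequent syscalls are
checked first in libseccomp's linear BPF program, and report syscalls the
workload makes that the whitelist does not yet allow.
"""
import re
from collections import Counter

# Constructed sample of strace output; not a real capture of qemu.
SAMPLE_STRACE = """\
ioctl(3, KVM_RUN, 0)                    = 0
read(11, "\\0\\0\\0\\0", 4096)            = 4096
ioctl(3, KVM_RUN, 0)                    = 0
write(1, "hello", 5)                    = 5
read(11, "\\0\\0\\0\\0", 4096)            = 4096
ioctl(3, KVM_RUN, 0)                    = 0
mkdir("/run/user/0/pulse", 0700)        = 0
fchmod(11, 0700)                        = 0
shmget(IPC_PRIVATE, 65536, IPC_CREAT|0600) = 32769
shmat(32769, NULL, 0)                   = 0x7f1c3a200000
--- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
+++ exited with 0 +++
"""

# One strace line per syscall: optional "[pid N]" / timestamp prefix, then
# the syscall name and its opening parenthesis. Signal notices ("--- ...")
# and exit lines ("+++ ...") do not match. A call that strace splits into
# "<unfinished ...>" / "<... resumed>" is counted once, on its first line.
SYSCALL_RE = re.compile(
    r"^(?:\[pid\s+\d+\]\s+)?"          # strace -f prefix
    r"(?:\d+:\d+:\d+(?:\.\d+)?\s+)?"   # strace -t / -tt timestamp
    r"([a-z_][a-z0-9_]*)\("
)


def count_syscalls(strace_text):
    """Map syscall name -> number of times it appears in the trace."""
    counts = Counter()
    for line in strace_text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def prioritised_whitelist(counts):
    """Return [(syscall, priority), ...] ordered most-frequent first.

    libseccomp priorities run 0..255 with higher values checked earlier;
    the "255 minus rank" scheme here is an assumption for illustration,
    not the values QEMU's table uses. Ties are broken by name so the
    output is deterministic.
    """
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(name, max(0, 255 - rank)) for rank, (name, _) in enumerate(ordered)]


def missing_from_whitelist(counts, whitelist):
    """Syscalls seen in the trace that the current whitelist would block."""
    return sorted(name for name in counts if name not in whitelist)


def render_table(rows):
    """Render rows as C initialisers in an assumed { SCMP_SYS(name), priority }
    shape; the struct layout is not taken from qemu-seccomp.c."""
    return "\n".join(f"    {{ SCMP_SYS({name}), {prio} }}," for name, prio in rows)


if __name__ == "__main__":
    counts = count_syscalls(SAMPLE_STRACE)
    current = {"read", "write", "ioctl"}
    print("blocked by current whitelist:", missing_from_whitelist(counts, current))
    print(render_table(prioritised_whitelist(counts)))
```

Run against a real capture (`strace -f -o trace.txt qemu ...`), the "blocked by current whitelist" line is the list a commit like the mkdir()/fchmod() one would need to add, and the rendered table is a starting point for the frequency-ordered rule set; the counts are only as representative as the guest workload that produced the trace.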