motorhead/qemu
1
0
Fork 0
mirror of https://github.com/Motorhead1991/qemu.git synced 2025-08-07 17:53:56 -06:00
Code Issues Projects Releases Packages Wiki Activity Actions

seccomp: fix blocking of process spawning

Browse source 
When '-sandbox on,spawn=deny' is given, we are supposed to block the
ability to spawn processes. We naively blocked the 'fork' syscall,
forgetting that any modern libc will use the 'clone' syscall instead.

We can't simply block the 'clone' syscall though, as that will break
thread creation. We thus list the set of flags used to create threads
and block anything that doesn't match this exactly.

Acked-by: Eduardo Otubo <otubo@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé 2021-07-29 13:32:37 +01:00
parent d2ea8dac70
commit 5a2f693f07
2 changed files with 102 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

3
tests/unit/test-seccomp.c
View file

@ -126,8 +126,7 @@ static int doit_fork(void)
static void test_seccomp_fork_on_nospawn(void)
{
/* XXX fixme - should be killed */
test_seccomp_passed("on,spawn=deny", doit_fork);
test_seccomp_killed("on,spawn=deny", doit_fork);
}
static void test_seccomp_fork_on(void)