
root / qemu-seccomp.c @ 327ed10f


# Date Author Comment
918b94e2 01/20/2014 03:19 pm Paul Moore

seccomp: add some basic shared memory syscalls to the whitelist

PulseAudio requires the use of shared memory so add shmget(), shmat(),
and shmdt() to the syscall whitelist.

Reported-by:
Signed-off-by: Paul Moore <>

0c2acb16 01/20/2014 03:19 pm Paul Moore

seccomp: add mkdir() and fchmod() to the whitelist

The PulseAudio library attempts to do a mkdir(2) and fchmod(2) on
"/run/user/<UID>/pulse" which is currently blocked by the syscall
filter; this patch adds the two missing syscalls to the whitelist.
You can reproduce this problem with the following command:...

2a13f991 12/20/2013 08:38 pm Corey Bryant

seccomp: exit if seccomp_init() fails

This fixes a bug where we weren't exiting if seccomp_init() failed.

Signed-off-by: Corey Bryant <>
Acked-by: Eduardo Otubo <>
Acked-by: Paul Moore <>

e9eecb5b 12/03/2013 02:21 pm Paul Moore

seccomp: add kill() to the syscall whitelist

The kill() syscall is triggered with the following command:

  # qemu -sandbox on -monitor stdio \
    -device intel-hda -device hda-duplex -vnc :0

The resulting syslog/audit message:

  # ausearch -m SECCOMP...
c236f451 09/24/2013 09:15 pm Eduardo Otubo

seccomp: fine tuning whitelist by adding times()

This was causing the Qemu process to hang when using -sandbox on as
described in RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1004175

Signed-off-by: Eduardo Otubo <>
Tested-by: Paul Moore <>...

94113bd8 07/30/2013 03:56 am Paul Moore

seccomp: add additional asynchronous I/O syscalls

A previous commit, "seccomp: add the asynchronous I/O syscalls to the
whitelist", added several asynchronous I/O syscalls but left out the
io_submit() and io_cancel() syscalls. This patch corrects this by...

d2509b66 07/30/2013 03:56 am Paul Moore

seccomp: add arch_prctl() to the syscall whitelist

It appears that even a very simple /etc/qemu-ifup configuration can
require the arch_prctl() syscall, see the example below:

#!/bin/sh
/sbin/ifconfig $1 0.0.0.0 up
/usr/sbin/brctl addif <switch> $1

Signed-off-by: Paul Moore <>...

7d7b2ad4 07/27/2013 12:54 am Eduardo Otubo

seccomp: no need to check arch in syscall whitelist

v2 update:
- set libseccomp 2.1.0 as requirement on configure script.

Since libseccomp 2.0 there's no need to check the architecture type
anymore.

Signed-off-by: Eduardo Otubo <>...

2fb861eb 07/27/2013 12:54 am Eduardo Otubo

seccomp: removing unused syscalls from whitelist

v3 update:
- reincluding getrlimit(), it is used by Xen.

v2 update:
- reincluding setrlimit(), it is used by Xen.

Signed-off-by: Eduardo Otubo <>
Reviewed-by: Paolo Bonzini <>...

fd21faad 05/30/2013 07:46 pm Paul Moore

seccomp: add the asynchronous I/O syscalls to the whitelist

In order to enable the asynchronous I/O functionality when using the
seccomp sandbox we need to add the associated syscalls to the
whitelist.

Signed-off-by: Paul Moore <>
Reviewed-by: Corey Bryant <>...

9c17d615 12/19/2012 09:32 am Paolo Bonzini

softmmu: move include files to include/sysemu/

Signed-off-by: Paolo Bonzini <>

fe512d65 11/30/2012 04:27 pm Eduardo Otubo

seccomp: adding new syscalls (bugzilla 855162)

According to the bug 855162 [0] - there is a need to add new syscalls
to the whitelist when using Qemu with Libvirt.

[0] - https://bugzilla.redhat.com/show_bug.cgi?id=855162

Reported-by: Paul Moore <>...

2f668be7 08/16/2012 09:41 pm Eduardo Otubo

Adding qemu-seccomp.[ch] (v8)

Signed-off-by: Eduardo Otubo <>
Signed-off-by: Anthony Liguori <>
---
v1:
- I added a syscall struct using priority levels as described in the
libseccomp man page. The priority numbers are based on the frequency...