From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:60922) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Z8W6E-0001IS-EO for qemu-devel@nongnu.org; Fri, 26 Jun 2015 12:03:34 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Z8W69-0003MQ-V1 for qemu-devel@nongnu.org; Fri, 26 Jun 2015 12:03:30 -0400 Received: from mx1.redhat.com ([209.132.183.28]:58369) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Z8W69-0003M6-Q8 for qemu-devel@nongnu.org; Fri, 26 Jun 2015 12:03:25 -0400 Date: Fri, 26 Jun 2015 18:03:18 +0200 From: Andrew Jones Message-ID: <20150626160318.GC3215@hawk.localdomain> References: <1428670681-23032-1-git-send-email-peter.maydell@linaro.org> <20150616131237.GF4428@hawk.localdomain> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Subject: Re: [Qemu-devel] [PATCH for-2.3] Revert seccomp tests that allow it to be used on non-x86 architectures List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Peter Maydell Cc: Marcus Meissner , Karl-Philipp Richter , Patch Tracking , Riku Voipio , QEMU Developers , Alexander Graf , Paul Moore , Eduardo Otubo , Andreas =?iso-8859-1?Q?F=E4rber?= On Tue, Jun 16, 2015 at 02:16:03PM +0100, Peter Maydell wrote: > On 16 June 2015 at 14:12, Andrew Jones wrote: > > Can we now revert this revert, along with bumping the non-x86 arch > > atleast-version to v2.2.1 > > Probably. I suggest you submit a patch and test it on the > relevant architectures and seccomp versions. > I don't see any problems with the light testing (booting a guest) I've done on my mustang, but AArch64 worked with libseccomp 2.2.0 too. So I dusted off my Midway (updated to Fedora 21 that has libseccomp 2.2.1 packaged), and gave it a try, but unfortunately it still doesn't work... I found that we needed to add another syscall to the whitelist; the arm-private 'cacheflush', as it's used by __builtin___clear_cache. And, from libseccomp's git history it appears that syscall is known commit a710a2d246bdc73ba77e3ff5624e790688cc51fd Author: Paul Moore Date: Wed May 6 12:05:45 2015 -0400 arm: add some missing syscalls Add the following syscalls to the ARM arch/ABI and update the syscall validation script. * breakpoint() * cacheflush() * usr26() * usr32() * set_tls() Reported-by: Purcareata Bogdan Signed-off-by: Paul Moore And also appears to be in 2.2.1 $ git describe a710a2d246bdc73ba77e3ff5624e790688cc51fd v2.2.0-10-ga710a2d246bdc However the qemu thread that makes that syscall still dies, even with this patch diff --git a/qemu-seccomp.c b/qemu-seccomp.c index f9de0d3390feb..33644a4e3c3d3 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -237,7 +237,8 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = { { SCMP_SYS(fadvise64), 240 }, { SCMP_SYS(inotify_init1), 240 }, { SCMP_SYS(inotify_add_watch), 240 }, - { SCMP_SYS(mbind), 240 } + { SCMP_SYS(mbind), 240 }, + { SCMP_SYS(cacheflush), 240 }, }; int seccomp_start(void) Paul, can you help me figure out what I'm missing? Thanks, drew