From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:40657) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Z9r4z-0002E1-Ma for qemu-devel@nongnu.org; Tue, 30 Jun 2015 04:39:47 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Z9r4v-0000pH-DD for qemu-devel@nongnu.org; Tue, 30 Jun 2015 04:39:45 -0400
Received: from mx1.redhat.com ([209.132.183.28]:38012) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Z9r4v-0000ou-4I for qemu-devel@nongnu.org; Tue, 30 Jun 2015 04:39:41 -0400
Date: Tue, 30 Jun 2015 10:39:34 +0200
From: Andrew Jones
Message-ID: <20150630083934.GA3016@hawk.localdomain>
References: <1428670681-23032-1-git-send-email-peter.maydell@linaro.org> <2221708.PWP4RFdTZC@sifl> <20150629174729.GC3146@hawk.localdomain> <4050262.AavIzuNMzJ@sifl>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="YZ5djTAD1cGYuMQK"
Content-Disposition: inline
In-Reply-To: <4050262.AavIzuNMzJ@sifl>
Subject: Re: [Qemu-devel] [PATCH for-2.3] Revert seccomp tests that allow it to be used on non-x86 architectures
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
To: Paul Moore
Cc: Peter Maydell , Marcus Meissner , Eduardo Otubo , Patch Tracking , Riku Voipio , Alexander Graf , QEMU Developers , Karl-Philipp Richter , Andreas Färber

--YZ5djTAD1cGYuMQK
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Mon, Jun 29, 2015 at 04:24:55PM -0400, Paul Moore wrote:
> On Monday, June 29, 2015 07:47:29 PM Andrew Jones wrote:
> > On Mon, Jun 29, 2015 at 10:53:14AM -0400, Paul Moore wrote:
> > > On Monday, June 29, 2015 09:50:17 AM Andrew Jones wrote:
> > > > On Fri, Jun 26, 2015 at 04:26:22PM -0400, Paul Moore wrote:
> > > > > Perhaps a stupid question, but you did verify that it is cacheflush
> > > > > that
> > > > > is causing the problem? The seccomp filter code will emit a message
> > > > > to
> > > > > syslog or the audit log, depending on your configuration, with the
> > > > > syscall number.
> > > > >
> > > > > #./tools/scmp_sys_resolver -a arm cacheflush
> > > > > 983042
> > > > > #./tools/scmp_sys_resolver -a arm 983042
> > > >
> > > > I hadn't before (didn't know about the logging). I had determined the
> > > > problem by running qemu in gdb. I just checked now though and confirmed
> > > > it
> > > >
> > > > type=SECCOMP msg=audit(1435563996.731:2032): auid=1001 uid=1001 gid=1001
> > > > ses=157 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > > > pid=27059 comm="qemu-system-arm"
> > > > exe="/home/drjones/code/qemu/arm-softmmu/qemu-system-arm" sig=31
> > > > arch=40000028 syscall=983042 compat=0 ip=0xb6b43164 code=0x0
> > > >
> > > > This log was generated even with the above patch applied to qemu.
> > >
> > > The only thing that comes to mind quickly is that the cacheflush() call is
> > > being done by a thread that was created before the seccomp filter was
> > > loaded into the kernel; although I believe you said you already checked
> > > that.
> >
> > Nope, I hadn't, but I have now ...
>
> Actually, never mind on that, I was being stupid. If it was a different
> thread it wouldn't be impacted by the seccomp filter at all ...
>
> > ... So we're calling __clear_cache from the same thread that called
> > seccomp_start, and that thread dies the moment it calls the syscall.
> > No other threads except id(2) at this time, which appears to be
> > something created by __libc_start_main before main() runs.
>
> Hmm, so either the kernel is screwing up with the seccomp filter for this
> particular syscall (unlikely) or libseccomp is screwing up the filter creation
> (more likely). I don't have an ARM system handy at the moment, but could you
> use the seccomp_export_pfc() and seccomp_export_bpf() functions to dump the
> PFC/BPF filter code to a file and send it out?

Attached

> > > If you are using a recent kernel and libseccomp you can try enabling the
> > > SCMP_FLTATR_CTL_TSYNC attribute to apply the filter to all running threads
> > > in the process.
> > >
> > > rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
> > > if (rc)
> > >
> > > /* error */
> >
> > I tried this, but it error'ed out with rc == -95 (EOPNOTSUPP ?)
> > My kernel version is 4.0.5-200.fc21.armv7hl+lpae
>
> That should be a recent enough kernel, but perhaps your version of libseccomp
> was built against an older version of the kernel that didn't have the
> necessary support (and it was disabled at compile time)?
>

I looked at the pfc file and compared all the syscalls in it vs. the list
in qemu-seccomp.c. The pfc file is missing cacheflush, and has an 'UNKNOWN'
instead. Also, I think there may be another problem with the filter (or pfc)
generation. Several of the syscalls have weird syscall numbers. For example,
I would expect mmap to be 90, but instead it's -10181.

And, since there was something weird, and not related to cacheflush, in the
arm32 pfc, I decided to check it on my mustang too. The output there gets
"cacheflush" for the name instead of UNKNOWN, but has the same weird number
(-10104) that the midway has. It also has several other weird numbers. The
output from the mustang is in the attached tarball as well.

Thanks,
drew

--YZ5djTAD1cGYuMQK
Content-Type: application/x-xz
Content-Disposition: attachment; filename="seccomp_filters.tar.xz"
Content-Transfer-Encoding: base64

--YZ5djTAD1cGYuMQK--
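
Added example, not part of the original message or of QEMU/libseccomp: a small decoder for the `type=SECCOMP` audit record quoted in the thread, showing how `arch=40000028` and `syscall=983042` map to ARM and the ARM-private `cacheflush` call, and why a negative number such as -10104 can never be the number the kernel logged. The function names are hypothetical; the constants are the `AUDIT_ARCH_*` flag bits from `linux/audit.h` and the ARM-private syscall base from the ARM `unistd.h`.

```python
import re

# AUDIT_ARCH_* tokens (linux/audit.h) are an ELF machine number plus flag bits.
AUDIT_ARCH_64BIT = 0x80000000
AUDIT_ARCH_LE = 0x40000000
ELF_MACHINES = {3: "i386", 40: "arm", 62: "x86_64", 183: "aarch64"}

# ARM-private syscalls sit above __ARM_NR_BASE, outside the normal table.
ARM_NR_BASE = 0x0F0000
ARM_PRIVATE = {1: "breakpoint", 2: "cacheflush", 3: "usr26", 4: "usr32", 5: "set_tls"}

SIGSYS = 31  # Linux arm/x86 signal number; the record below carries sig=31
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The audit record quoted in the message above, joined onto one line.
SAMPLE = ('type=SECCOMP msg=audit(1435563996.731:2032): auid=1001 uid=1001 '
          'gid=1001 ses=157 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
          'pid=27059 comm="qemu-system-arm" '
          'exe="/home/drjones/code/qemu/arm-softmmu/qemu-system-arm" sig=31 '
          'arch=40000028 syscall=983042 compat=0 ip=0xb6b43164 code=0x0')

def parse_seccomp_record(line):
    """Split a type=SECCOMP audit record into a dict of its key=value fields."""
    fields = {key: value.strip('"') for key, value in FIELD.findall(line)}
    if fields.get("type") != "SECCOMP":
        raise ValueError("not a SECCOMP audit record")
    return fields

def decode_arch(token):
    """Decode the hex arch= token into (name, is_64bit, is_little_endian)."""
    value = int(token, 16)
    machine = value & ~(AUDIT_ARCH_64BIT | AUDIT_ARCH_LE)
    name = ELF_MACHINES.get(machine, "unknown(%d)" % machine)
    return name, bool(value & AUDIT_ARCH_64BIT), bool(value & AUDIT_ARCH_LE)

def describe_syscall(arch_name, nr):
    """Classify a syscall number as pseudo, ARM-private, or a table index."""
    if nr < 0:  # libseccomp reserves negative values for pseudo-syscall numbers
        return "pseudo"
    if arch_name == "arm" and ARM_NR_BASE < nr <= ARM_NR_BASE + 0xFFFF:
        return "arm-private:" + ARM_PRIVATE.get(nr - ARM_NR_BASE, "unknown")
    return "table:%d" % nr

def triage(line):
    """Summarise which process was stopped, on which arch, by which syscall."""
    rec = parse_seccomp_record(line)
    arch, _, _ = decode_arch(rec["arch"])
    return {"comm": rec["comm"], "arch": arch,
            "syscall": describe_syscall(arch, int(rec["syscall"])),
            "killed_by_sigsys": int(rec["sig"]) == SIGSYS}

if __name__ == "__main__":
    print(triage(SAMPLE))
```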