Message ID | 20141217205009.28322.63696.stgit@localhost |
---|---|
State | New |
On Wed, Dec 17, 2014 at 03:50:09PM -0500, Paul Moore wrote: > The "memory-backend-ram" QOM object utilizes the mbind(2) syscall to > set the policy for a memory range. Add the syscall to the seccomp > sandbox whitelist. > > Signed-off-by: Paul Moore <pmoore@redhat.com> Tested-by: Eduardo Habkost <ehabkost@redhat.com> Reviewed-by: Eduardo Habkost <ehabkost@redhat.com> > --- > qemu-seccomp.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/qemu-seccomp.c b/qemu-seccomp.c > index af6a375..b0c6269 100644 > --- a/qemu-seccomp.c > +++ b/qemu-seccomp.c > @@ -235,7 +235,8 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = { > { SCMP_SYS(fallocate), 240 }, > { SCMP_SYS(fadvise64), 240 }, > { SCMP_SYS(inotify_init1), 240 }, > - { SCMP_SYS(inotify_add_watch), 240 } > + { SCMP_SYS(inotify_add_watch), 240 }, > + { SCMP_SYS(mbind), 240 } > }; > > int seccomp_start(void) > >
On Wed, Dec 17, 2014 at 03:50:09PM -0500, Paul Moore wrote: > The "memory-backend-ram" QOM object utilizes the mbind(2) syscall to > set the policy for a memory range. Add the syscall to the seccomp > sandbox whitelist. > > Signed-off-by: Paul Moore <pmoore@redhat.com> > --- > qemu-seccomp.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/qemu-seccomp.c b/qemu-seccomp.c > index af6a375..b0c6269 100644 > --- a/qemu-seccomp.c > +++ b/qemu-seccomp.c > @@ -235,7 +235,8 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = { > { SCMP_SYS(fallocate), 240 }, > { SCMP_SYS(fadvise64), 240 }, > { SCMP_SYS(inotify_init1), 240 }, > - { SCMP_SYS(inotify_add_watch), 240 } > + { SCMP_SYS(inotify_add_watch), 240 }, > + { SCMP_SYS(mbind), 240 } > }; > > int seccomp_start(void) > Acked-by: Eduardo Otubo <eduardo.otubo@profitbricks.com> I have a minor fix already in plan, so I'll do a pull request tomorrow by the end of the day. Thanks for the patch.
diff --git a/qemu-seccomp.c b/qemu-seccomp.c index af6a375..b0c6269 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -235,7 +235,8 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = { { SCMP_SYS(fallocate), 240 }, { SCMP_SYS(fadvise64), 240 }, { SCMP_SYS(inotify_init1), 240 }, - { SCMP_SYS(inotify_add_watch), 240 } + { SCMP_SYS(inotify_add_watch), 240 }, + { SCMP_SYS(mbind), 240 } }; int seccomp_start(void)
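Review bot: the new `{ SCMP_SYS(mbind), 240 }` entry is unconditional, so mbind(2) becomes reachable from every sandboxed QEMU process, not only those configured with a memory-backend-ram that sets a policy; the commit message should say why a blanket allow is acceptable here and how the priority was chosen, since the hunk shows the neighbouring fallocate, fadvise64 and inotify entries all carrying the same 240 value. The diff also has to touch the previous last entry just to add a trailing comma (`- { SCMP_SYS(inotify_add_watch), 240 }` / `+ { SCMP_SYS(inotify_add_watch), 240 },`); ending the new last entry with a comma as well would spare the next addition that churn.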
The "memory-backend-ram" QOM object utilizes the mbind(2) syscall to set the policy for a memory range. Add the syscall to the seccomp sandbox whitelist.

Signed-off-by: Paul Moore <pmoore@redhat.com>
---
qemu-seccomp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
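The commit message above explains that memory-backend-ram needs mbind(2) admitted by the seccomp sandbox. As an added example, not QEMU's own code, the following C program builds a syscall allowlist from a table shaped like the hunk's `seccomp_whitelist[]` entries (the context lines plus the new mbind entry) and evaluates the resulting filter in user space, so the verdict for any syscall can be checked before the filter is installed. QEMU builds its filter with libseccomp; the raw seccomp-BPF here is a swapped-in technique. The names `AllowEntry`, `build_allowlist`, `filter_verdict`, `verdict_for` and `install_allowlist` are chosen for this example, and it assumes Linux x86_64 headers.

```c
/*
 * Added example, not QEMU's own code: a seccomp-BPF allowlist built from
 * a table shaped like QEMU's seccomp_whitelist[], plus a user-space
 * evaluator for the instruction subset the builder emits. QEMU uses
 * libseccomp; raw BPF is a swapped-in technique. Assumes Linux x86_64.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Same shape as QEMU's QemuSeccompSyscall: syscall number and priority hint. */
struct AllowEntry {
    int num;
    uint8_t priority;
};

/* Constructed allowlist: the patch's context lines plus the new mbind entry. */
static const struct AllowEntry allowlist[] = {
    { __NR_fallocate,         240 },
    { __NR_fadvise64,         240 },
    { __NR_inotify_init1,     240 },
    { __NR_inotify_add_watch, 240 },
    { __NR_mbind,             240 },   /* the syscall the patch adds */
};
#define ALLOWLIST_LEN (sizeof allowlist / sizeof allowlist[0])

#define ARCH_OFF offsetof(struct seccomp_data, arch)
#define NR_OFF   offsetof(struct seccomp_data, nr)

/*
 * Emit: arch check, load nr, one JEQ + RET_ALLOW pair per entry, and a
 * default RET_KILL. Returns the instruction count, or 0 if cap is too small.
 */
size_t build_allowlist(struct sock_filter *out, size_t cap,
                       const struct AllowEntry *tab, size_t n)
{
    size_t i, k = 0;
    if (cap < 2 * n + 5) {
        return 0;
    }
    /* Refuse foreign-ABI syscalls: a given nr means different things per arch. */
    out[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARCH_OFF);
    out[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                            AUDIT_ARCH_X86_64, 1, 0);
    out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    out[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, NR_OFF);
    for (i = 0; i < n; i++) {
        /* match: fall through to RET_ALLOW; no match: skip over it */
        out[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                (uint32_t)tab[i].num, 0, 1);
        out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    return k;
}

/* Interpret the cBPF subset the builder emits (LD abs, JEQ, RET) for one call. */
uint32_t filter_verdict(const struct sock_filter *p, size_t len,
                        const struct seccomp_data *d)
{
    uint32_t acc = 0;
    size_t pc = 0;
    while (pc < len) {
        const struct sock_filter *f = &p[pc];
        switch (f->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (f->k == ARCH_OFF) {
                acc = d->arch;
            } else if (f->k == NR_OFF) {
                acc = (uint32_t)d->nr;
            } else {
                return SECCOMP_RET_KILL;   /* offset this builder never emits */
            }
            pc++;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += 1 + (acc == f->k ? f->jt : f->jf);
            break;
        case BPF_RET | BPF_K:
            return f->k;
        default:
            return SECCOMP_RET_KILL;       /* unsupported opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL;               /* fell off the end: fail closed */
}

/* Build the allowlist and report what it would do for syscall nr on arch. */
uint32_t verdict_for(uint32_t arch, int nr)
{
    struct sock_filter prog[2 * ALLOWLIST_LEN + 5];
    size_t len = build_allowlist(prog, sizeof prog / sizeof prog[0],
                                 allowlist, ALLOWLIST_LEN);
    struct seccomp_data d = { .nr = nr, .arch = arch };
    if (len == 0) {
        return SECCOMP_RET_KILL;
    }
    return filter_verdict(prog, len, &d);
}

/* Install the filter for the calling process (what QEMU does via libseccomp). */
int install_allowlist(void)
{
    struct sock_filter prog[2 * ALLOWLIST_LEN + 5];
    unsigned short len = (unsigned short)build_allowlist(
        prog, sizeof prog / sizeof prog[0], allowlist, ALLOWLIST_LEN);
    struct sock_fprog fprog = { .len = len, .filter = prog };
    if (len == 0) {
        return -1;
    }
    /* Required before an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
        return -1;
    }
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    printf("mbind on x86_64:  %s\n",
           verdict_for(AUDIT_ARCH_X86_64, __NR_mbind) == SECCOMP_RET_ALLOW
               ? "allow" : "kill");
    printf("ptrace on x86_64: %s\n",
           verdict_for(AUDIT_ARCH_X86_64, __NR_ptrace) == SECCOMP_RET_ALLOW
               ? "allow" : "kill");
    /* install_allowlist() is deliberately not called: this five-entry list
     * does not admit write(2), so the next printf would kill the process. */
    return 0;
}
```

The evaluator deliberately understands only the three instruction forms the builder emits and fails closed on anything else, which is enough to answer the review question this patch raises: after the table change, the filter returns `SECCOMP_RET_ALLOW` for mbind(2) and still kills unlisted syscalls such as ptrace(2), and the arch check keeps a 32-bit syscall number from being misread as the 64-bit mbind.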