Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1689246 - seccomp "spawn" blacklist needs to include clone() with certain arguments
Summary: seccomp "spawn" blacklist needs to include clone() with certain arguments
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux Advanced Virtualization
Classification: Red Hat
Component: qemu-kvm
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.0
Assignee: Eduardo Otubo
QA Contact: Chao Yang
Depends On:
TreeView+ depends on / blocked
Reported: 2019-03-15 14:03 UTC by Daniel Berrange
Modified: 2019-04-06 23:20 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)

Description Daniel Berrange 2019-03-15 14:03:29 UTC
Description of problem:
The QEMU "spawn" blacklist in seccomp is supposed to prevent QEMU from spawning new processes. It does this by blocking fork & vfork. Unfortunately modern C libraries don't use these syscalls for spawning processes. Instead they use "clone".

Thus to block process forking we need to block clone. The complexity is that clone is also used to create new threads, so we can't block it unconditionally.

We need to block it only when used with the flags that indicate creation of a new processes, as opposed to thread.

I think this can be achieved by blocking a clone() syscall if neither CLONE_VM or CLONE_THREAD are present - both of these flags are used when creating threads.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Not sure there's an easy way to demo this problem without hacking QEMU code.

Note You need to log in before you can comment on or make changes to this bug.