seccomp: fix blocking of process spawning

When '-sandbox on,spawn=deny' is given, we are supposed to block the ability to spawn processes. We naively blocked the 'fork' syscall, forgetting that any modern libc will use the 'clone' syscall instead. We can't simply block the 'clone' syscall though, as that will break thread creation. We thus list the set of flags used to create threads and block anything that doesn't match this exactly. Acked-by: Eduardo Otubo <otubo@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
author: Daniel P. Berrangé 2021-07-29 14:32:37 +0200
committer: Daniel P. Berrangé 2022-02-16 19:52:40 +0100
commit: 5a2f693f07a1e93ada5277b2fb1530b2698be0fa (patch)
tree: 9f5c4a900665ecc50e45c18bd00d2405c9183a57 /tests
parent: seccomp: add unit test for seccomp filtering (diff)
download: qemu-5a2f693f07a1e93ada5277b2fb1530b2698be0fa.tar.gz
qemu-5a2f693f07a1e93ada5277b2fb1530b2698be0fa.tar.xz
qemu-5a2f693f07a1e93ada5277b2fb1530b2698be0fa.zip
1 files changed, 1 insertions, 2 deletions
diff --git a/tests/unit/test-seccomp.c b/tests/unit/test-seccomp.c
index 10ab3e8fe5..3d7771e46c 100644
--- a/tests/unit/test-seccomp.c
+++ b/tests/unit/test-seccomp.c
@@ -126,8 +126,7 @@ static int doit_fork(void)
 
 static void test_seccomp_fork_on_nospawn(void)
 {
-    /* XXX fixme - should be killed */
-    test_seccomp_passed("on,spawn=deny", doit_fork);
+    test_seccomp_killed("on,spawn=deny", doit_fork);
 }
 
 static void test_seccomp_fork_on(void)
author	Daniel P. Berrangé	2021-07-29 14:32:37 +0200
committer	Daniel P. Berrangé	2022-02-16 19:52:40 +0100
commit	5a2f693f07a1e93ada5277b2fb1530b2698be0fa (patch)
tree	9f5c4a900665ecc50e45c18bd00d2405c9183a57 /tests
parent	seccomp: add unit test for seccomp filtering (diff)
download	qemu-5a2f693f07a1e93ada5277b2fb1530b2698be0fa.tar.gz qemu-5a2f693f07a1e93ada5277b2fb1530b2698be0fa.tar.xz qemu-5a2f693f07a1e93ada5277b2fb1530b2698be0fa.zip