libusb calls timerfd_create() and timerfd_settime() when it's built with
timerfd support.

Command to reproduce:

       -device usb-host,hostbus=1,hostaddr=3,id=hostdev0

Log messages:

audit(1390730418.924:135): auid=4294967295 uid=121 gid=103 ses=4294967295
                           pid=5232 comm="qemu-system-x86" sig=31 syscall=283
                           compat=0 ip=0x7f2b0f4e96a7 code=0x0
audit(1390733100.580:142): auid=4294967295 uid=121 gid=103 ses=4294967295
                           pid=16909 comm="qemu-system-x86" sig=31 syscall=286
                           compat=0 ip=0x7f03513a06da code=0x0

Reading a few hundred MB from a USB drive on x86_64 shows this syscall distribution.
Therefore the timerfd_settime priority is set to 242.

    calls  syscall
 --------- ----------------
   5303600 write
   2240554 read
   2167030 ppoll
   2134828 ioctl
    704023 timerfd_settime
    689105 poll
     83122 futex
       803 writev
       476 rt_sigprocmask
       287 recvmsg
       178 brk
Signed-off-by: NFelix Geyer <debfx@fobos.de>
Signed-off-by: NEduardo Otubo <otubo@linux.vnet.ibm.com>

PulseAudio requires the use of shared memory so add shmget(), shmat(),
and shmdt() to the syscall whitelist.

Reported-by: xuhan@redhat.com
Signed-off-by: NPaul Moore <pmoore@redhat.com>

The PulseAudio library attempts to do a mkdir(2) and fchmod(2) on
"/run/user/<UID>/pulse" which is currently blocked by the syscall
filter; this patch adds the two missing syscalls to the whitelist.
You can reproduce this problem with the following command:

 # qemu -monitor stdio -device intel-hda -device hda-duplex

If watched under strace the following syscalls are shown:

 mkdir("/run/user/0/pulse", 0700)
 fchmod(11, 0700) [NOTE: 11 is the fd for /run/user/0/pulse]

Reported-by: xuhan@redhat.com
Signed-off-by: NPaul Moore <pmoore@redhat.com>

This fixes a bug where we weren't exiting if seccomp_init() failed.
Signed-off-by: NCorey Bryant <coreyb@linux.vnet.ibm.com>
Acked-by: NEduardo Otubo <otubo@linux.vnet.ibm.com>
Acked-by: NPaul Moore <pmoore@redhat.com>

The kill() syscall is triggered with the following command:

 # qemu -sandbox on -monitor stdio \
        -device intel-hda -device hda-duplex -vnc :0

The resulting syslog/audit message:

 # ausearch -m SECCOMP
 ----
 time->Wed Nov 20 09:52:08 2013
 type=SECCOMP msg=audit(1384912328.482:6656): auid=0 uid=0 gid=0 ses=854
  subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=12087
  comm="qemu-kvm" sig=31 syscall=62 compat=0 ip=0x7f7a1d2abc67 code=0x0
 # scmp_sys_resolver 62
 kill
Reported-by: NCongLi <coli@redhat.com>
Tested-by: NCongLi <coli@redhat.com>
Signed-off-by: NPaul Moore <pmoore@redhat.com>
Acked-by: NEduardo Otubo <otubo@linux.vnet.ibm.com>

This was causing Qemu process to hang when using -sandbox on as
discribed on RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1004175Signed-off-by: NEduardo Otubo <otubo@linux.vnet.ibm.com>
Tested-by: NPaul Moore <pmoore@redhat.com>
Acked-by: NPaul Moore <pmoore@redhat.com>

It appears that even a very simple /etc/qemu-ifup configuration can
require the arch_prctl() syscall, see the example below:

	#!/bin/sh
	/sbin/ifconfig $1 0.0.0.0 up
	/usr/sbin/brctl addif <switch> $1
Signed-off-by: NPaul Moore <pmoore@redhat.com>
Reviewed-by: NEduardo Otubo <otubo@linux.vnet.ibm.com>
Message-id: 20130718135703.8247.19213.stgit@localhost
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

A previous commit, "seccomp: add the asynchronous I/O syscalls to the
whitelist", added several asynchronous I/O syscalls but left out the
io_submit() and io_cancel() syscalls.  This patch corrects this by
adding the two missing asynchronous I/O syscalls.
Signed-off-by: NPaul Moore <pmoore@redhat.com>
Reviewed-by: NEduardo Otubo <otubo@linux.vnet.ibm.com>
Message-id: 20130715193201.943.4913.stgit@localhost
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

v3 update:
 - reincluding getrlimit(), it is used by Xen.

v2 update:
 - reincluding setrlimit(), it is used by Xen.
Signed-off-by: NEduardo Otubo <otubo@linux.vnet.ibm.com>
Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>
Message-id: 1374518017-10424-3-git-send-email-otubo@linux.vnet.ibm.com
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

v2 update:
- set libseccomp 2.1.0 as requirement on configure script.

Since libseccomp 2.0 there's no need to check the architecture type
anymore.
Signed-off-by: NEduardo Otubo <otubo@linux.vnet.ibm.com>
Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>
Message-id: 1374518017-10424-2-git-send-email-otubo@linux.vnet.ibm.com
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

In order to enable the asynchronous I/O functionality when using the
seccomp sandbox we need to add the associated syscalls to the
whitelist.
Signed-off-by: NPaul Moore <pmoore@redhat.com>
Reviewed-by: NCorey Bryant <coreyb@linux.vnet.ibm.com>
Message-id: 20130529203001.20939.83322.stgit@localhost
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

According to the bug 855162[0] - there's the need of adding new syscalls
to the whitelist when using Qemu with Libvirt.

[0] - https://bugzilla.redhat.com/show_bug.cgi?id=855162Reported-by: NPaul Moore <pmoore@redhat.com>
Tested-by: NPaul Moore <pmoore@redhat.com>
Signed-off-by: NEduardo Otubo <otubo@linux.vnet.ibm.com>
Signed-off-by: NCorey Bryant <coreyb@linux.vnet.ibm.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Signed-off-by: NEduardo Otubo <otubo@linux.vnet.ibm.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
---
v1:
 - I added a syscall struct using priority levels as described in the
   libseccomp man page. The priority numbers are based to the frequency
   they appear in a sample strace from a regular qemu guest run under
   libvirt.

   Libseccomp generates linear BPF code to filter system calls, those rules
   are read one after another. The priority system places the most common
   rules first in order to reduce the overhead when processing them.

v1 -> v2:
 - Fixed some style issues
 - Removed code from vl.c and created qemu-seccomp.[ch]
 - Now using ARRAY_SIZE macro
 - Added more syscalls without priority/frequency set yet

v2 -> v3:
 - Adding copyright and license information
 - Replacing seccomp_whitelist_count just by ARRAY_SIZE
 - Adding header protection to qemu-seccomp.h
 - Moving QemuSeccompSyscall definition to qemu-seccomp.c
 - Negative return from seccomp_start is fatal now.
 - Adding open() and execve() to the whitelis

v3 -> v4:
 - Tests revealed a bigger set of syscalls.
 - seccomp_start() now has an argument to set the mode according to the
   configure option trap or kill.

v4 -> v5:
 - Tests on x86_64 required a new specific set of system calls.
 - libseccomp release 1.0.0: part of the API have changed in this last
   release, had to adapt to the new function signatures.