seccomp: block use of clone3 syscall

Modern glibc will use clone3 instead of clone, when it detects that it is available. We need to compare flags in order to decide whether to allow clone (thread create vs process fork), but in clone3 the flags are hidden inside a struct. Seccomp can't currently match on data inside a struct, so our only option is to block clone3 entirely. If we use ENOSYS to block it, then glibc transparently falls back to clone. This may need to be revisited if Linux adds a new architecture in future and only provides clone3, without clone. Acked-by: Eduardo Otubo <otubo@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2021-07-29 16:43:01 +01:00 · 2021-07-29 16:43:01 +01:00 · c542b30270
parent 5a2f693f07
commit c542b30270
1 changed files with 4 additions and 0 deletions
--- a/softmmu/qemu-seccomp.c
+++ b/softmmu/qemu-seccomp.c
@ -244,6 +244,10 @@ static const struct QemuSeccompSyscall denylist[] = {
    RULE_CLONE_FLAG(CLONE_NEWPID),
    RULE_CLONE_FLAG(CLONE_NEWNET),
    RULE_CLONE_FLAG(CLONE_IO),
+#ifdef __SNR_clone3
+    { SCMP_SYS(clone3),                 QEMU_SECCOMP_SET_SPAWN,
+      0, NULL, SCMP_ACT_ERRNO(ENOSYS) },
+#endif
    /* resource control */
    { SCMP_SYS(setpriority),            QEMU_SECCOMP_SET_RESOURCECTL,
      0, NULL, SCMP_ACT_ERRNO(EPERM) },