seccomp: fix killing of whole process instead of thread

Back in 2018 we introduced support for killing the whole QEMU process
instead of just one thread, when a seccomp rule is violated:

  commit bda08a5764
  Author: Marc-André Lureau <marcandre.lureau@redhat.com>
  Date:   Wed Aug 22 19:02:48 2018 +0200

    seccomp: prefer SCMP_ACT_KILL_PROCESS if available

Fast forward a year and we introduced a patch to avoid killing the
process for resource control syscalls tickled by Mesa.

  commit 9a1565a03b
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date:   Wed Mar 13 09:49:03 2019 +0000

    seccomp: don't kill process for resource control syscalls

Unfortunately a logic bug effectively reverted the first commit
mentioned so that we go back to only killing the thread, not the whole
process.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Acked-by: Eduardo Otubo <otubo@redhat.com>
Daniel P. Berrangé 2020-09-11 15:18:32 +01:00 committed by Eduardo Otubo
parent 2d2c73d0e3
commit e474e3aacf

@ -136,8 +136,9 @@ static uint32_t qemu_seccomp_get_action(int set)
if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) { if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) {
kill_process = 1; kill_process = 1;
} else {
kill_process = 0;
} }
kill_process = 0;
} }
if (kill_process == 1) { if (kill_process == 1) {
return SCMP_ACT_KILL_PROCESS; return SCMP_ACT_KILL_PROCESS;
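
Review bot: The if/else that sets kill_process around the SECCOMP_GET_ACTION_AVAIL probe could be a single assignment, `kill_process = qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0;`, which leaves no place for a stray unconditional `kill_process = 0;` like the one this hunk moves into the else branch. The else branch also treats every failure of the probe as "action not available" and falls back without any signal; given that the commit message says the regression sat unnoticed between the March 2019 change and this fix, a short comment or trace point at the fallback stating that it downgrades from killing the process to killing only the thread would make a future slip easier to spot in review.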