From aff4690dfe23b09249356a6c8beb17b9490eb13c Mon Sep 17 00:00:00 2001 From: Douglas Schilling Landgraf Date: Tue, 9 Apr 2024 18:35:21 -0400 Subject: [PATCH] qm: add seccomp json also deny sched_setscheduler Signed-off-by: Douglas Schilling Landgraf --- qm.container | 2 +- rpm/qm.spec | 1 + setup | 31 +++++++++++++++++++++++++++++++ 3 files changed, 33 insertions(+), 1 deletion(-) diff --git a/qm.container b/qm.container index bebf60cc..d1d9c6f0 100644 --- a/qm.container +++ b/qm.container @@ -30,7 +30,7 @@ AddDevice=-/dev/fuse ContainerName=qm Exec=/sbin/init Network=host -PodmanArgs=--pids-limit=-1 --security-opt label=nested --security-opt unmask=all +PodmanArgs=--pids-limit=-1 --security-opt seccomp=/usr/share/qm/seccomp.json --security-opt label=nested --security-opt unmask=all ReadOnly=true # FIXME: QM is failing to start podman command # Add back once this ReadOnlyTmpfs added to quadlet diff --git a/rpm/qm.spec b/rpm/qm.spec index 62a737c2..0f66dfc4 100644 --- a/rpm/qm.spec +++ b/rpm/qm.spec @@ -64,6 +64,7 @@ BuildRequires: pkgconfig(systemd) BuildRequires: selinux-policy >= %_selinux_policy_version BuildRequires: selinux-policy-devel >= %_selinux_policy_version +Requires: containers-common Requires: selinux-policy >= %_selinux_policy_version Requires(post): selinux-policy-base >= %_selinux_policy_version Requires(post): selinux-policy-targeted >= %_selinux_policy_version diff --git a/setup b/setup index e5868f7b..67fa4448 100755 --- a/setup +++ b/setup 
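Review bot: The new `--security-opt seccomp=/usr/share/qm/seccomp.json` makes the container depend on a file that, from the three files in this patch, appears to be generated on the host by `setup` (create_qm_seccomp_rules) rather than packaged, so an install where setup has not run or its generation failed leaves podman unable to start qm; failing closed is the right outcome, but nothing in this file says where the profile comes from. A comment above the line would save the next reader the search, e.g. `# seccomp.json is generated by 'setup' from the host's containers-common profile, with sched_setscheduler denied`. Whether rpm/qm.spec also lists the file in %files is not visible in this patch.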
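Review bot: `Requires: containers-common` covers `/usr/share/containers/seccomp.json`, but the new create_qm_seccomp_rules in setup also depends on `jq` and `mktemp`, and no `Requires: jq` appears in this hunk; unless it is declared elsewhere in the spec, a host without jq reaches the unchecked jq calls in setup and ends up with an empty QM profile. Adding `Requires: jq` next to the new line closes that gap. If setup is run from a scriptlet rather than by the administrator, the dependency may need to be `Requires(post)` instead, which this hunk does not show.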
@@ -142,6 +142,34 @@ create_rootfs_required_dirs() { } +create_qm_seccomp_rules() { + TEMP_SECCOMP=$(mktemp) + SECCOMP_FILE_PATH="/usr/share/containers/seccomp.json" + QM_PATH_SECCOMP="/usr/share/qm/seccomp.json" + + if [ ! -f "${SECCOMP_FILE_PATH}" ]; then + rm -f "${TEMP_SECCOMP}" + echo "Exiting... unable to find ${SECCOMP_FILE_PATH}" + exit 1 + fi + + # Copying original seccomp.json + cp "${SECCOMP_FILE_PATH}" "${QM_PATH_SECCOMP}" + + # seccomp.json can be updated, we should get it from the source and adapt it. + echo "- Removing sched_setscheduler() as allowed syscall" + # make sure create a fresh seccomp.json for QM and remove allow permission for sched_setscheduler() syscall + jq --tab '(.syscalls[] | select(.names[] == "sched_setscheduler" and .action == "SCMP_ACT_ALLOW") .names) |= map(select(. != "sched_setscheduler"))' "${SECCOMP_FILE_PATH}" > "${TEMP_SECCOMP}" + + echo "- Adding sched_setscheduler() into the deny list" + # Add sched_setscheduler to the deny list + jq --tab '.syscalls += [{"names": ["sched_setscheduler"], "action": "SCMP_ACT_ERRNO", "args": [], "errnoRet": 1, "errno": "EPERM"}]' "${TEMP_SECCOMP}" > "${QM_PATH_SECCOMP}" + + rm -f "${TEMP_SECCOMP}" + echo -e "\ndone" + +} + install() { ROOTFS=$1 RWETCFS=$2 @@ -204,6 +232,9 @@ eval set --"${opts}" # main() root_check +# Create a QM seccomp.json before start the QM daemon +create_qm_seccomp_rules + while [[ $# -gt 0 ]]; do case "$1" in --installdir)
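Review bot: Neither jq invocation in create_qm_seccomp_rules checks its exit status, so when jq is missing or a filter fails the `> "${QM_PATH_SECCOMP}"` redirect still truncates the target and the function prints "done" with an empty profile that podman will reject at start; the earlier `cp` does not help because it is overwritten either way, and the copy also fails outright if `/usr/share/qm` does not exist yet. The rewrite below verifies jq is present, stops on each jq error, and only moves the finished file into place, so the path qm.container passes to `--security-opt seccomp=` is never left empty or partial. If the intent is to keep the QM partition from changing scheduling policy, `sched_setattr` provides the same control and presumably remains allowed by the base profile, so it likely belongs in the same deny rule. The base profile is also only read when setup runs, so a later containers-common update is not reflected until setup is re-run, which the comment on the first jq already hints at.
```shell
create_qm_seccomp_rules() {
    # … unchanged: TEMP_SECCOMP / SECCOMP_FILE_PATH / QM_PATH_SECCOMP and the -f check …

    if ! command -v jq > /dev/null 2>&1; then
        rm -f "${TEMP_SECCOMP}"
        echo "Exiting... jq is required to generate ${QM_PATH_SECCOMP}"
        exit 1
    fi
    TEMP_DENY=$(mktemp)
    mkdir -p "$(dirname "${QM_PATH_SECCOMP}")"

    echo "- Removing sched_setscheduler() as allowed syscall"
    if ! jq --tab '(.syscalls[] | select(.names[] == "sched_setscheduler" and .action == "SCMP_ACT_ALLOW") .names) |= map(select(. != "sched_setscheduler"))' "${SECCOMP_FILE_PATH}" > "${TEMP_SECCOMP}"; then
        rm -f "${TEMP_SECCOMP}" "${TEMP_DENY}"
        echo "Exiting... failed to rewrite ${SECCOMP_FILE_PATH}"
        exit 1
    fi

    echo "- Adding sched_setscheduler() into the deny list"
    if ! jq --tab '.syscalls += [{"names": ["sched_setscheduler"], "action": "SCMP_ACT_ERRNO", "args": [], "errnoRet": 1, "errno": "EPERM"}]' "${TEMP_SECCOMP}" > "${TEMP_DENY}"; then
        rm -f "${TEMP_SECCOMP}" "${TEMP_DENY}"
        echo "Exiting... failed to add the deny rule"
        exit 1
    fi

    # Install atomically: a failure above never leaves an empty or partial
    # profile at the path qm.container hands to --security-opt seccomp=.
    mv "${TEMP_DENY}" "${QM_PATH_SECCOMP}"
    chmod 0644 "${QM_PATH_SECCOMP}"
    rm -f "${TEMP_SECCOMP}"
    echo -e "\ndone"
}
```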
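Review bot: `create_qm_seccomp_rules` is called right after `root_check` and before the `while [[ $# -gt 0 ]]` option loop, so it runs unconditionally on every invocation and writes the fixed host path `/usr/share/qm/seccomp.json` regardless of `--installdir` or any other option parsed below; if installing into an alternate root is a supported use, the call should move after option parsing, presumably next to the `install` step the rest of main() reaches. The new comment would also read better as `# Create the QM seccomp.json before starting the QM daemon`. The remainder of main() is outside the hunk.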