From: Yi Min Zhao <zyimin@linux.ibm.com>
To: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH 1/1] sandbox: avoid to compile options if CONFIG_SECCOMP undefined
Date: Wed, 9 May 2018 12:40:56 +0800 [thread overview]
Message-ID: <08334b5d-7bc3-befc-65af-0aae6d134e6d@linux.ibm.com> (raw)
In-Reply-To: <20180508103704.GK5967@redhat.com>
在 2018/5/8 下午6:37, Daniel P. Berrangé 写道:
> On Mon, May 07, 2018 at 01:04:17PM -0500, Eric Blake wrote:
>> On 05/06/2018 10:32 PM, Yi Min Zhao wrote:
>>
>> In the subject line: s/avoid to compile/avoid compiling/
>>
>>> If CONFIG_SECCOMP is undefined, the option 'elevatorprivileges' remains
>> s/elevator/elevate/
>>
>>> complied. This would make libvirt set the corresponding capability and
>> s/complied/compiled/
>>
>>> then trigger the guest startup fails. So let's wrap the options with
>>> CONFIG_SECCOMP.
>>>
>>> Signed-off-by: Yi Min Zhao <zyimin@linux.ibm.com>
>>> ---
>>> vl.c | 2 ++
>>> 1 file changed, 2 insertions(+)
>>>
>>> diff --git a/vl.c b/vl.c
>>> index fce1fd12d8..cb07b19c02 100644
>>> --- a/vl.c
>>> +++ b/vl.c
>>> @@ -268,6 +268,7 @@ static QemuOptsList qemu_sandbox_opts = {
>>> .name = "enable",
>>> .type = QEMU_OPT_BOOL,
>>> },
>>> +#ifdef CONFIG_SECCOMP
>>> {
>>> .name = "obsolete",
>>> .type = QEMU_OPT_STRING,
>>> @@ -284,6 +285,7 @@ static QemuOptsList qemu_sandbox_opts = {
>>> .name = "resourcecontrol",
>>> .type = QEMU_OPT_STRING,
>>> },
>>> +#endif
>> The commit message mentions only 'elevateprivileges' (once the typo is
>> fixed), but you are also crippling 'obsolete', 'spawn', and
>> 'resourcecontrol'. Perhaps the commit message should call that out better?
>> Or, since libvirt is looking at just 'elevateprivileges', per this line in
>> libvirt's qemu_capabilities.c:
>>
>> src/qemu/qemu_capabilities.c: { "sandbox", "elevateprivileges",
>> QEMU_CAPS_SECCOMP_BLACKLIST },
>>
>> is it sufficient to just mask out that one option?
> If seccomp is disabled, we should really disable the entire -sandbox
> argument, not merly the options to it.
I think it would bring a lot of changes if disable the entire -sandbox
argument.
Looking from current code, sandbox is a default qemu option group, and
sandbox.enable is false by default unless you obviously define it with true.
So, this patch is an easier way to fixup.
>
> Regards,
> Daniel
next prev parent reply other threads:[~2018-05-09 4:41 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-07 3:32 [Qemu-devel] [PATCH 0/1] Bug: Sandbox: libvirt breakdowns qemu guest Yi Min Zhao
2018-05-07 3:32 ` [Qemu-devel] [PATCH 1/1] sandbox: avoid to compile options if CONFIG_SECCOMP undefined Yi Min Zhao
2018-05-07 10:31 ` Eduardo Otubo
2018-05-07 13:27 ` Yi Min Zhao
2018-05-07 18:04 ` Eric Blake
2018-05-07 22:18 ` Yi Min Zhao
2018-05-08 10:37 ` Daniel P. Berrangé
2018-05-09 4:40 ` Yi Min Zhao [this message]
2018-05-09 12:48 ` Eric Blake
2018-05-09 14:23 ` Ján Tomko
2018-05-07 9:29 ` [Qemu-devel] [PATCH 0/1] Bug: Sandbox: libvirt breakdowns qemu guest Christian Borntraeger
2018-05-07 10:33 ` Eduardo Otubo
2018-05-07 12:02 ` [Qemu-devel] [libvirt] " Ján Tomko
2018-05-07 12:12 ` Christian Borntraeger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=08334b5d-7bc3-befc-65af-0aae6d134e6d@linux.ibm.com \
--to=zyimin@linux.ibm.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).