qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed
From: Eduardo Otubo <otubo@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Cc: pmoore@redhat.com, aliguori@us.ibm.com, wad@chromium.org,
	coreyb@linux.vnet.ibm.com, blauwirbel@gmail.com,
	Eduardo Otubo <otubo@linux.vnet.ibm.com>
Subject: [Qemu-devel] [PATCH v7 4/4] Command line support for seccomp with -sandbox
Date: Tue, 14 Aug 2012 18:44:08 -0300	[thread overview]
Message-ID: <1344980648-18723-5-git-send-email-otubo@linux.vnet.ibm.com> (raw)
In-Reply-To: <1344980648-18723-1-git-send-email-otubo@linux.vnet.ibm.com>

v7:
 * New in v7
 * The seccomp filter can be switched on and off using the command line
   option "-sandbox", the default value is off.

Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
---
 qemu-config.c   |   13 +++++++++++++
 qemu-config.h   |    1 +
 qemu-options.hx |   10 ++++++++++
 vl.c            |   17 +++++++++--------
 4 files changed, 33 insertions(+), 8 deletions(-)

diff --git a/qemu-config.c b/qemu-config.c
index 5c3296b..b1e2277 100644
--- a/qemu-config.c
+++ b/qemu-config.c
@@ -362,6 +362,18 @@ static QemuOptsList qemu_global_opts = {
     },
 };
 
+QemuOptsList qemu_sandbox_opts = {
+    .name = "sandbox",
+    .head = QTAILQ_HEAD_INITIALIZER(qemu_sandbox_opts.head),
+    .desc = {
+        {
+            .name = "sandbox",
+            .type = QEMU_OPT_BOOL,
+        },
+        { /* end of list */ }
+    },
+};
+
 static QemuOptsList qemu_mon_opts = {
     .name = "mon",
     .implied_opt_name = "chardev",
@@ -641,6 +653,7 @@ static QemuOptsList *vm_config_groups[32] = {
     &qemu_machine_opts,
     &qemu_boot_opts,
     &qemu_iscsi_opts,
+    &qemu_sandbox_opts,
     NULL,
 };
 
diff --git a/qemu-config.h b/qemu-config.h
index 12ddf3e..5557562 100644
--- a/qemu-config.h
+++ b/qemu-config.h
@@ -6,6 +6,7 @@
 extern QemuOptsList qemu_fsdev_opts;
 extern QemuOptsList qemu_virtfs_opts;
 extern QemuOptsList qemu_spice_opts;
+extern QemuOptsList qemu_sandbox_opts;
 
 QemuOptsList *qemu_find_opts(const char *group);
 QemuOptsList *qemu_find_opts_err(const char *group, Error **errp);
diff --git a/qemu-options.hx b/qemu-options.hx
index 47cb5bd..a26f640 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -2720,6 +2720,16 @@ STEXI
 Old param mode (ARM only).
 ETEXI
 
+#ifdef CONFIG_SECCOMP
+DEF("sandbox", 0, QEMU_OPTION_sandbox, \
+    "-sandbox        Enable Seccomp mode 2 system call filter. Default value is disabled,\n", QEMU_ARCH_ALL)
+STEXI
+@item -sandbox
+@findex -sandbox
+Enable Seccomp mode 2 system call filter. Default value is disabled,
+ETEXI
+#endif
+
 DEF("readconfig", HAS_ARG, QEMU_OPTION_readconfig,
     "-readconfig <file>\n", QEMU_ARCH_ALL)
 STEXI
diff --git a/vl.c b/vl.c
index 2c62efc..775b6af 100644
--- a/vl.c
+++ b/vl.c
@@ -2304,14 +2304,6 @@ int main(int argc, char **argv, char **envp)
     const char *trace_events = NULL;
     const char *trace_file = NULL;
 
-#ifdef CONFIG_SECCOMP
-    if (seccomp_start() < 0) {
-        fprintf(stderr,
-                "seccomp: failed to install syscall filter in the kernel\n");
-        exit(1);
-    }
-#endif
-
     atexit(qemu_run_exit_notifiers);
     error_set_progname(argv[0]);
 
@@ -3215,6 +3207,15 @@ int main(int argc, char **argv, char **envp)
             case QEMU_OPTION_qtest_log:
                 qtest_log = optarg;
                 break;
+#ifdef CONFIG_SECCOMP
+            case QEMU_OPTION_sandbox:
+                if (seccomp_start() < 0) {
+                    fprintf(stderr,
+                            "seccomp: failed to install syscall filter in the kernel\n");
+                    exit(1);
+                }
+                break;
+#endif
             default:
                 os_parse_cmd_args(popt->index, optarg);
             }
-- 
1.7.1

      parent reply	other threads:[~2012-08-14 21:44 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-08-14 21:44 [Qemu-devel] [PATCH v7 0/4] Sandboxing Qemu guests with Libseccomp Eduardo Otubo
2012-08-14 21:44 ` [Qemu-devel] [PATCH v7 1/4] Adding support for libseccomp in configure and Makefile Eduardo Otubo
2012-08-14 21:44 ` [Qemu-devel] [PATCH v7 2/4] Adding qemu-seccomp.[ch] Eduardo Otubo
2012-08-14 21:44 ` [Qemu-devel] [PATCH v7 3/4] Adding seccomp calls to vl.c Eduardo Otubo
2012-08-14 21:44 ` Eduardo Otubo [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1344980648-18723-5-git-send-email-otubo@linux.vnet.ibm.com \
    --to=otubo@linux.vnet.ibm.com \
    --cc=aliguori@us.ibm.com \
    --cc=blauwirbel@gmail.com \
    --cc=coreyb@linux.vnet.ibm.com \
    --cc=pmoore@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=wad@chromium.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).