[Qemu-devel] [PATCH] seccomp: change configure to avoid arm 32 to break

[Qemu-devel] [PATCH] seccomp: change configure to avoid arm 32 to break

[Eduardo Otubo]

Right now seccomp is breaking the compilation of Qemu on armv7l due
to libsecomp current lack of support for this arch. This problem is
already fixed on libseccomp upstream but no release date for that is
scheduled to far. This patch disables support for seccomp on armv7l
temporarily until libseccomp does a new release. Then I'll remove the
hack and update libseccomp dependency on configure script.

Related bug: https://bugs.launchpad.net/qemu/+bug/1363641

Signed-off-by: Eduardo Otubo <eduardo.otubo@profitbricks.com>
---
 configure | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure b/configure
index 2f17bf3..2ec04b0 100755
--- a/configure
+++ b/configure
@@ -1822,7 +1822,7 @@ fi
 ##########################################
 # libseccomp check
 
-if test "$seccomp" != "no" ; then
+if test "$seccomp" != "no" && test "$cpu" != "arm" ; then
     if $pkg_config --atleast-version=2.1.0 libseccomp; then
         libs_softmmu="$libs_softmmu `$pkg_config --libs libseccomp`"
         QEMU_CFLAGS="$QEMU_CFLAGS `$pkg_config --cflags libseccomp`"
-- 
1.9.1

Re: [Qemu-devel] [PATCH] seccomp: change configure to avoid arm 32 to break

[Peter Maydell]

On 5 November 2014 16:47, Eduardo Otubo <eduardo.otubo@profitbricks.com> wrote:
> Right now seccomp is breaking the compilation of Qemu on armv7l due
> to libsecomp current lack of support for this arch. This problem is
> already fixed on libseccomp upstream but no release date for that is
> scheduled to far. This patch disables support for seccomp on armv7l
> temporarily until libseccomp does a new release. Then I'll remove the
> hack and update libseccomp dependency on configure script.
>
> Related bug: https://bugs.launchpad.net/qemu/+bug/1363641
>
> Signed-off-by: Eduardo Otubo <eduardo.otubo@profitbricks.com>
> ---
>  configure | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/configure b/configure
> index 2f17bf3..2ec04b0 100755
> --- a/configure
> +++ b/configure
> @@ -1822,7 +1822,7 @@ fi
>  ##########################################
>  # libseccomp check
>
> -if test "$seccomp" != "no" ; then
> +if test "$seccomp" != "no" && test "$cpu" != "arm" ; then
>      if $pkg_config --atleast-version=2.1.0 libseccomp; then
>          libs_softmmu="$libs_softmmu `$pkg_config --libs libseccomp`"
>          QEMU_CFLAGS="$QEMU_CFLAGS `$pkg_config --cflags libseccomp`"

Do we really support all the other CPU architectures, or would
we be better off with a whitelist like:

if test "$cpu" = i386 || test "$cpu" = x86_64; then

?

It seems to me like you'll have exactly the same problem with
any other architecture that happens not to implement a syscall
in your list.

(How are upstream proposing to fix this anyway? I couldn't
figure that out from the mailing list thread.)

thanks
-- PMM

Re: [Qemu-devel] [PATCH] seccomp: change configure to avoid arm 32 to break

[Paul Moore]

On Wednesday, November 05, 2014 05:08:20 PM Peter Maydell wrote:
> On 5 November 2014 16:47, Eduardo Otubo wrote:
> > Right now seccomp is breaking the compilation of Qemu on armv7l due
> > to libsecomp current lack of support for this arch. This problem is
> > already fixed on libseccomp upstream but no release date for that is
> > scheduled to far. This patch disables support for seccomp on armv7l
> > temporarily until libseccomp does a new release. Then I'll remove the
> > hack and update libseccomp dependency on configure script.
> > 
> > Related bug: https://bugs.launchpad.net/qemu/+bug/1363641

...

> (How are upstream proposing to fix this anyway? I couldn't
> figure that out from the mailing list thread.)

The problem was that the released version of libseccomp has some "holes" in 
the internal syscall table for 32-bit ARM with respect to all of the other 
supported architectures.  The current libseccomp upstream has some additional 
tooling and checks to ensure that the different ABI syscall tables are kept in 
sync to prevent something like this from happening in the future.

I'm more than happy to discuss how libseccomp handles the different 
architectures, but that's probably a bit off-topic for this thread.

-- 
paul moore
security and virtualization @ redhat

Re: [Qemu-devel] [PATCH] seccomp: change configure to avoid arm 32 to break

[Peter Maydell]

On 5 November 2014 19:46, Paul Moore <pmoore@redhat.com> wrote:
> On Wednesday, November 05, 2014 05:08:20 PM Peter Maydell wrote:
>> On 5 November 2014 16:47, Eduardo Otubo wrote:
>> > Right now seccomp is breaking the compilation of Qemu on armv7l due
>> > to libsecomp current lack of support for this arch. This problem is
>> > already fixed on libseccomp upstream but no release date for that is
>> > scheduled to far. This patch disables support for seccomp on armv7l
>> > temporarily until libseccomp does a new release. Then I'll remove the
>> > hack and update libseccomp dependency on configure script.
>> >
>> > Related bug: https://bugs.launchpad.net/qemu/+bug/1363641
>
> ...
>
>> (How are upstream proposing to fix this anyway? I couldn't
>> figure that out from the mailing list thread.)
>
> The problem was that the released version of libseccomp has some "holes" in
> the internal syscall table for 32-bit ARM with respect to all of the other
> supported architectures.  The current libseccomp upstream has some additional
> tooling and checks to ensure that the different ABI syscall tables are kept in
> sync to prevent something like this from happening in the future.

OK. So should we make QEMU say "if x86_64 or i386, require
seccomp 2.1 or better, else require 2.2 or better" ? If our
current source will build with seccomp 2.2 then that seems like a better
check to put in our configure script than a simple disabling of
the functionality on ARM hosts; it means that if distros end up
with QEMU 2.2 plus seccomp 2.2 the functionality won't be
unnecessarily disabled. (Please correct me if I have your
next-release numbering wrong!)

> I'm more than happy to discuss how libseccomp handles the different
> architectures, but that's probably a bit off-topic for this thread.

I guess the only thing that matters for us is that there wasn't
an API break required for the fix.

thanks
-- PMM

Re: [Qemu-devel] [PATCH] seccomp: change configure to avoid arm 32 to break

[Paul Moore]

On Wednesday, November 05, 2014 08:08:06 PM Peter Maydell wrote:
> On 5 November 2014 19:46, Paul Moore <pmoore@redhat.com> wrote:
> > On Wednesday, November 05, 2014 05:08:20 PM Peter Maydell wrote:
> >> On 5 November 2014 16:47, Eduardo Otubo wrote:
> >> > Right now seccomp is breaking the compilation of Qemu on armv7l due
> >> > to libsecomp current lack of support for this arch. This problem is
> >> > already fixed on libseccomp upstream but no release date for that is
> >> > scheduled to far. This patch disables support for seccomp on armv7l
> >> > temporarily until libseccomp does a new release. Then I'll remove the
> >> > hack and update libseccomp dependency on configure script.
> >> > 
> >> > Related bug: https://bugs.launchpad.net/qemu/+bug/1363641
> > 
> > ...
> > 
> >> (How are upstream proposing to fix this anyway? I couldn't
> >> figure that out from the mailing list thread.)
> > 
> > The problem was that the released version of libseccomp has some "holes"
> > in
> > the internal syscall table for 32-bit ARM with respect to all of the other
> > supported architectures.  The current libseccomp upstream has some
> > additional tooling and checks to ensure that the different ABI syscall
> > tables are kept in sync to prevent something like this from happening in
> > the future.
> 
> OK. So should we make QEMU say "if x86_64 or i386, require
> seccomp 2.1 or better, else require 2.2 or better"?

I would probably just limit QEMU/seccomp to x86_64 and x86.  Once we have the 
new release that fixes everything we can start worrying about versions and 
different ABIs.

> If our current source will build with seccomp 2.2 then that seems like a
> better check to put in our configure script than a simple disabling of
> the functionality on ARM hosts; it means that if distros end up
> with QEMU 2.2 plus seccomp 2.2 the functionality won't be
> unnecessarily disabled. (Please correct me if I have your
> next-release numbering wrong!)

Well, technically we don't have libseccomp v2.2 yet so I can't say for certain 
what it will look like and how it will behave.

> > I'm more than happy to discuss how libseccomp handles the different
> > architectures, but that's probably a bit off-topic for this thread.
> 
> I guess the only thing that matters for us is that there wasn't
> an API break required for the fix.

Nope, the API is solid, just some internal fixes.

-- 
paul moore
security and virtualization @ redhat

Re: [Qemu-devel] [PATCH] seccomp: change configure to avoid arm 32 to break

[Eduardo Otubo]

On Wed, Nov 05, 2014 at 03:35:09PM -0500, Paul Moore wrote:
> On Wednesday, November 05, 2014 08:08:06 PM Peter Maydell wrote:
> > On 5 November 2014 19:46, Paul Moore <pmoore@redhat.com> wrote:
> > > On Wednesday, November 05, 2014 05:08:20 PM Peter Maydell wrote:
> > >> On 5 November 2014 16:47, Eduardo Otubo wrote:
> > >> > Right now seccomp is breaking the compilation of Qemu on armv7l due
> > >> > to libsecomp current lack of support for this arch. This problem is
> > >> > already fixed on libseccomp upstream but no release date for that is
> > >> > scheduled to far. This patch disables support for seccomp on armv7l
> > >> > temporarily until libseccomp does a new release. Then I'll remove the
> > >> > hack and update libseccomp dependency on configure script.
> > >> > 
> > >> > Related bug: https://bugs.launchpad.net/qemu/+bug/1363641
> > > 
> > > ...
> > > 
> > >> (How are upstream proposing to fix this anyway? I couldn't
> > >> figure that out from the mailing list thread.)
> > > 
> > > The problem was that the released version of libseccomp has some "holes"
> > > in
> > > the internal syscall table for 32-bit ARM with respect to all of the other
> > > supported architectures.  The current libseccomp upstream has some
> > > additional tooling and checks to ensure that the different ABI syscall
> > > tables are kept in sync to prevent something like this from happening in
> > > the future.
> > 
> > OK. So should we make QEMU say "if x86_64 or i386, require
> > seccomp 2.1 or better, else require 2.2 or better"?

I don't think it's worth to point to a non existing version right now,
it might confuse people.

> 
> I would probably just limit QEMU/seccomp to x86_64 and x86.  Once we have the 
> new release that fixes everything we can start worrying about versions and 
> different ABIs.

That's fine for me, since is a temporary fix. I'll just go and rewrite
this patch, then.

Paul, do you have any plans for a new libseccomp release?

Regards,

-- 
Eduardo Otubo
ProfitBricks GmbH

[Qemu-devel] [PATCH] seccomp: change configure to avoid arm 32 to break

[Eduardo Otubo]

Right now seccomp is breaking the compilation of Qemu on armv7l due
to libsecomp current lack of support for this arch. This problem is
already fixed on libseccomp upstream but no release date for that is
scheduled to far. This patch disables support for seccomp on armv7l
temporarily until libseccomp does a new release. Then I'll remove the
hack and update libseccomp dependency on configure script.

Related bug: https://bugs.launchpad.net/qemu/+bug/1363641

Signed-off-by: Eduardo Otubo <eduardo.otubo@profitbricks.com>
---
 configure | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/configure b/configure
index 2f17bf3..16fd7f5 100755
--- a/configure
+++ b/configure
@@ -1823,15 +1823,17 @@ fi
 # libseccomp check
 
 if test "$seccomp" != "no" ; then
-    if $pkg_config --atleast-version=2.1.0 libseccomp; then
-        libs_softmmu="$libs_softmmu `$pkg_config --libs libseccomp`"
-        QEMU_CFLAGS="$QEMU_CFLAGS `$pkg_config --cflags libseccomp`"
-	seccomp="yes"
-    else
-	if test "$seccomp" = "yes"; then
-            feature_not_found "libseccomp" "Install libseccomp devel >= 2.1.0"
-	fi
-	seccomp="no"
+    if test "$cpu" = "i386" || test "$cpu" = "x86_64"; then
+        if $pkg_config --atleast-version=2.1.0 libseccomp; then
+            libs_softmmu="$libs_softmmu `$pkg_config --libs libseccomp`"
+            QEMU_CFLAGS="$QEMU_CFLAGS `$pkg_config --cflags libseccomp`"
+            seccomp="yes"
+        else
+            if test "$seccomp" = "yes"; then
+                feature_not_found "libseccomp" "Install libseccomp devel >= 2.1.0"
+            fi
+            seccomp="no"
+        fi
     fi
 fi
 ##########################################
-- 
1.9.1

Re: [Qemu-devel] [PATCH] seccomp: change configure to avoid arm 32 to break

[Peter Maydell]

On 6 November 2014 14:49, Eduardo Otubo <eduardo.otubo@profitbricks.com> wrote:
> Right now seccomp is breaking the compilation of Qemu on armv7l due
> to libsecomp current lack of support for this arch. This problem is
> already fixed on libseccomp upstream but no release date for that is
> scheduled to far. This patch disables support for seccomp on armv7l
> temporarily until libseccomp does a new release. Then I'll remove the
> hack and update libseccomp dependency on configure script.
>
> Related bug: https://bugs.launchpad.net/qemu/+bug/1363641
>
> Signed-off-by: Eduardo Otubo <eduardo.otubo@profitbricks.com>
> ---
>  configure | 20 +++++++++++---------
>  1 file changed, 11 insertions(+), 9 deletions(-)
>
> diff --git a/configure b/configure
> index 2f17bf3..16fd7f5 100755
> --- a/configure
> +++ b/configure
> @@ -1823,15 +1823,17 @@ fi
>  # libseccomp check
>
>  if test "$seccomp" != "no" ; then
> -    if $pkg_config --atleast-version=2.1.0 libseccomp; then
> -        libs_softmmu="$libs_softmmu `$pkg_config --libs libseccomp`"
> -        QEMU_CFLAGS="$QEMU_CFLAGS `$pkg_config --cflags libseccomp`"
> -       seccomp="yes"
> -    else
> -       if test "$seccomp" = "yes"; then
> -            feature_not_found "libseccomp" "Install libseccomp devel >= 2.1.0"
> -       fi
> -       seccomp="no"
> +    if test "$cpu" = "i386" || test "$cpu" = "x86_64"; then
> +        if $pkg_config --atleast-version=2.1.0 libseccomp; then
> +            libs_softmmu="$libs_softmmu `$pkg_config --libs libseccomp`"
> +            QEMU_CFLAGS="$QEMU_CFLAGS `$pkg_config --cflags libseccomp`"
> +            seccomp="yes"
> +        else
> +            if test "$seccomp" = "yes"; then
> +                feature_not_found "libseccomp" "Install libseccomp devel >= 2.1.0"
> +            fi
> +            seccomp="no"
> +        fi
>      fi

This is missing the logic for turning "" into "no" or printing the
feature_not_found message if the probe failed because of the CPU
being wrong. The easiest fix for that is just to roll the whole check
into one if:
    if { test "$cpu" = "i386" || test "$cpu" = "x86_64"; } &&
        $pkg_config --atleast-version=2.1.0 libseccomp; then

(the { ... ; } are not strictly necessary since the shell's
precedence rules mean we'll evaluate the || before the && but
I think they make the intent clearer.)

thanks
-- PMM

Re: [Qemu-devel] [PATCH] seccomp: change configure to avoid arm 32 to break

[Eduardo Otubo]

On Thu, Nov 06, 2014 at 03:49:04PM +0000, Peter Maydell wrote:
> On 6 November 2014 14:49, Eduardo Otubo <eduardo.otubo@profitbricks.com> wrote:
> > Right now seccomp is breaking the compilation of Qemu on armv7l due
> > to libsecomp current lack of support for this arch. This problem is
> > already fixed on libseccomp upstream but no release date for that is
> > scheduled to far. This patch disables support for seccomp on armv7l
> > temporarily until libseccomp does a new release. Then I'll remove the
> > hack and update libseccomp dependency on configure script.
> >
> > Related bug: https://bugs.launchpad.net/qemu/+bug/1363641
> >
> > Signed-off-by: Eduardo Otubo <eduardo.otubo@profitbricks.com>
> > ---
> >  configure | 20 +++++++++++---------
> >  1 file changed, 11 insertions(+), 9 deletions(-)
> >
> > diff --git a/configure b/configure
> > index 2f17bf3..16fd7f5 100755
> > --- a/configure
> > +++ b/configure
> > @@ -1823,15 +1823,17 @@ fi
> >  # libseccomp check
> >
> >  if test "$seccomp" != "no" ; then
> > -    if $pkg_config --atleast-version=2.1.0 libseccomp; then
> > -        libs_softmmu="$libs_softmmu `$pkg_config --libs libseccomp`"
> > -        QEMU_CFLAGS="$QEMU_CFLAGS `$pkg_config --cflags libseccomp`"
> > -       seccomp="yes"
> > -    else
> > -       if test "$seccomp" = "yes"; then
> > -            feature_not_found "libseccomp" "Install libseccomp devel >= 2.1.0"
> > -       fi
> > -       seccomp="no"
> > +    if test "$cpu" = "i386" || test "$cpu" = "x86_64"; then
> > +        if $pkg_config --atleast-version=2.1.0 libseccomp; then
> > +            libs_softmmu="$libs_softmmu `$pkg_config --libs libseccomp`"
> > +            QEMU_CFLAGS="$QEMU_CFLAGS `$pkg_config --cflags libseccomp`"
> > +            seccomp="yes"
> > +        else
> > +            if test "$seccomp" = "yes"; then
> > +                feature_not_found "libseccomp" "Install libseccomp devel >= 2.1.0"
> > +            fi
> > +            seccomp="no"
> > +        fi
> >      fi
> 
> This is missing the logic for turning "" into "no" or printing the
> feature_not_found message if the probe failed because of the CPU
> being wrong. The easiest fix for that is just to roll the whole check
> into one if:
>     if { test "$cpu" = "i386" || test "$cpu" = "x86_64"; } &&
>         $pkg_config --atleast-version=2.1.0 libseccomp; then
> 

Yep, I think that does make a lot of sense looking from the perspective
of feature_not_found. I'll just roll out a v3 if you don't mind (I guess
this was supposed to be the v2)

Thanks for the review,

-- 
Eduardo Otubo
ProfitBricks GmbH

Re: [Qemu-devel] [PATCH] seccomp: change configure to avoid arm 32 to break

[Paul Moore]

On Thursday, November 06, 2014 03:49:18 PM Eduardo Otubo wrote:
> Right now seccomp is breaking the compilation of Qemu on armv7l due
> to libsecomp current lack of support for this arch. This problem is
> already fixed on libseccomp upstream but no release date for that is
> scheduled to far. This patch disables support for seccomp on armv7l
> temporarily until libseccomp does a new release. Then I'll remove the
> hack and update libseccomp dependency on configure script.
> 
> Related bug: https://bugs.launchpad.net/qemu/+bug/1363641
> 
> Signed-off-by: Eduardo Otubo <eduardo.otubo@profitbricks.com>
> ---
>  configure | 20 +++++++++++---------
>  1 file changed, 11 insertions(+), 9 deletions(-)
> 
> diff --git a/configure b/configure
> index 2f17bf3..16fd7f5 100755
> --- a/configure
> +++ b/configure
> @@ -1823,15 +1823,17 @@ fi
>  # libseccomp check
> 
>  if test "$seccomp" != "no" ; then
> -    if $pkg_config --atleast-version=2.1.0 libseccomp; then
> -        libs_softmmu="$libs_softmmu `$pkg_config --libs libseccomp`"
> -        QEMU_CFLAGS="$QEMU_CFLAGS `$pkg_config --cflags libseccomp`"
> -	seccomp="yes"
> -    else
> -	if test "$seccomp" = "yes"; then
> -            feature_not_found "libseccomp" "Install libseccomp devel >=
> 2.1.0" -	fi
> -	seccomp="no"
> +    if test "$cpu" = "i386" || test "$cpu" = "x86_64"; then
> +        if $pkg_config --atleast-version=2.1.0 libseccomp; then
> +            libs_softmmu="$libs_softmmu `$pkg_config --libs libseccomp`"
> +            QEMU_CFLAGS="$QEMU_CFLAGS `$pkg_config --cflags libseccomp`"
> +            seccomp="yes"
> +        else
> +            if test "$seccomp" = "yes"; then
> +                feature_not_found "libseccomp" "Install libseccomp devel >=
> 2.1.0" +            fi
> +            seccomp="no"
> +        fi
>      fi
>  fi
>  ##########################################

Also, note the current release of libseccomp is v2.1.1 which has a number of 
bug fixes on top of v2.1.0.

-- 
paul moore
security and virtualization @ redhat

Re: [Qemu-devel] [PATCH] seccomp: change configure to avoid arm 32 to break

[Eduardo Otubo]

On Thu, Nov 06, 2014 at 11:22:16AM -0500, Paul Moore wrote:
> On Thursday, November 06, 2014 03:49:18 PM Eduardo Otubo wrote:
> > Right now seccomp is breaking the compilation of Qemu on armv7l due
> > to libsecomp current lack of support for this arch. This problem is
> > already fixed on libseccomp upstream but no release date for that is
> > scheduled to far. This patch disables support for seccomp on armv7l
> > temporarily until libseccomp does a new release. Then I'll remove the
> > hack and update libseccomp dependency on configure script.
> > 
> > Related bug: https://bugs.launchpad.net/qemu/+bug/1363641
> > 
> > Signed-off-by: Eduardo Otubo <eduardo.otubo@profitbricks.com>
> > ---
> >  configure | 20 +++++++++++---------
> >  1 file changed, 11 insertions(+), 9 deletions(-)
> > 
> > diff --git a/configure b/configure
> > index 2f17bf3..16fd7f5 100755
> > --- a/configure
> > +++ b/configure
> > @@ -1823,15 +1823,17 @@ fi
> >  # libseccomp check
> > 
> >  if test "$seccomp" != "no" ; then
> > -    if $pkg_config --atleast-version=2.1.0 libseccomp; then
> > -        libs_softmmu="$libs_softmmu `$pkg_config --libs libseccomp`"
> > -        QEMU_CFLAGS="$QEMU_CFLAGS `$pkg_config --cflags libseccomp`"
> > -	seccomp="yes"
> > -    else
> > -	if test "$seccomp" = "yes"; then
> > -            feature_not_found "libseccomp" "Install libseccomp devel >=
> > 2.1.0" -	fi
> > -	seccomp="no"
> > +    if test "$cpu" = "i386" || test "$cpu" = "x86_64"; then
> > +        if $pkg_config --atleast-version=2.1.0 libseccomp; then
> > +            libs_softmmu="$libs_softmmu `$pkg_config --libs libseccomp`"
> > +            QEMU_CFLAGS="$QEMU_CFLAGS `$pkg_config --cflags libseccomp`"
> > +            seccomp="yes"
> > +        else
> > +            if test "$seccomp" = "yes"; then
> > +                feature_not_found "libseccomp" "Install libseccomp devel >=
> > 2.1.0" +            fi
> > +            seccomp="no"
> > +        fi
> >      fi
> >  fi
> >  ##########################################
> 
> Also, note the current release of libseccomp is v2.1.1 which has a number of 
> bug fixes on top of v2.1.0.
> 

Does that applies to the distros package version? I'm running Ubuntu
14.04 and it's still 2.1.0. A regular user would have to download and
install from scratch in order to build Qemu, then.

-- 
Eduardo Otubo
ProfitBricks GmbH

Re: [Qemu-devel] [PATCH] seccomp: change configure to avoid arm 32 to break

[Paul Moore]

On Thursday, November 06, 2014 10:24:41 AM Eduardo Otubo wrote:
> Paul, do you have any plans for a new libseccomp release?

Yes, I have plans.  Do I have a date, no. ;)

I was trying to sync up with support for a new ABI, but I believe that was 
pushed to v3.19.  I'll need to check on things, but it may be worth doing a 
new release in the meantime.

-- 
paul moore
security and virtualization @ redhat

Re: [Qemu-devel] [PATCH] seccomp: change configure to avoid arm 32 to break

[Paul Moore]

On Thursday, November 06, 2014 05:36:04 PM Eduardo Otubo wrote:
> On Thu, Nov 06, 2014 at 11:22:16AM -0500, Paul Moore wrote:
> > On Thursday, November 06, 2014 03:49:18 PM Eduardo Otubo wrote:
> > > Right now seccomp is breaking the compilation of Qemu on armv7l due
> > > to libsecomp current lack of support for this arch. This problem is
> > > already fixed on libseccomp upstream but no release date for that is
> > > scheduled to far. This patch disables support for seccomp on armv7l
> > > temporarily until libseccomp does a new release. Then I'll remove the
> > > hack and update libseccomp dependency on configure script.
> > > 
> > > Related bug: https://bugs.launchpad.net/qemu/+bug/1363641
> > > 
> > > Signed-off-by: Eduardo Otubo <eduardo.otubo@profitbricks.com>
> > > ---
> > > 
> > >  configure | 20 +++++++++++---------
> > >  1 file changed, 11 insertions(+), 9 deletions(-)
> > > 
> > > diff --git a/configure b/configure
> > > index 2f17bf3..16fd7f5 100755
> > > --- a/configure
> > > +++ b/configure
> > > @@ -1823,15 +1823,17 @@ fi
> > > 
> > >  # libseccomp check
> > >  
> > >  if test "$seccomp" != "no" ; then
> > > 
> > > -    if $pkg_config --atleast-version=2.1.0 libseccomp; then
> > > -        libs_softmmu="$libs_softmmu `$pkg_config --libs libseccomp`"
> > > -        QEMU_CFLAGS="$QEMU_CFLAGS `$pkg_config --cflags libseccomp`"
> > > -	seccomp="yes"
> > > -    else
> > > -	if test "$seccomp" = "yes"; then
> > > -            feature_not_found "libseccomp" "Install libseccomp devel >=
> > > 2.1.0" -	fi
> > > -	seccomp="no"
> > > +    if test "$cpu" = "i386" || test "$cpu" = "x86_64"; then
> > > +        if $pkg_config --atleast-version=2.1.0 libseccomp; then
> > > +            libs_softmmu="$libs_softmmu `$pkg_config --libs
> > > libseccomp`"
> > > +            QEMU_CFLAGS="$QEMU_CFLAGS `$pkg_config --cflags
> > > libseccomp`"
> > > +            seccomp="yes"
> > > +        else
> > > +            if test "$seccomp" = "yes"; then
> > > +                feature_not_found "libseccomp" "Install libseccomp
> > > devel >= 2.1.0" +            fi
> > > +            seccomp="no"
> > > +        fi
> > > 
> > >      fi
> > >  
> > >  fi
> > >  ##########################################
> > 
> > Also, note the current release of libseccomp is v2.1.1 which has a number
> > of bug fixes on top of v2.1.0.
> 
> Does that applies to the distros package version?

Well, I can't speak for all distros, but I always recommend the latest bug-fix 
version for obvious reasons.  While I do control the libseccomp package for 
some distributions, I don't control them all.  I've got enough to worry about, 
I'll let others worry about packaging :)

> I'm running Ubuntu 14.04 and it's still 2.1.0. A regular user would have to
> download and install from scratch in order to build Qemu, then.

I would recommend filing a request for Debian/Ubuntu to package the latest 
libseccomp; v2.1.1 is over a year old at this point.

-- 
paul moore
security and virtualization @ redhat