From: Eduardo Otubo <otubo@redhat.com>
To: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: Yi Min Zhao <zyimin@linux.ibm.com>,
qemu-devel@nongnu.org, jtomko@redhat.com, jferlan@redhat.com,
berrange@redhat.com, fiuczy@linux.ibm.com,
libvir-list@redhat.com
Subject: Re: [Qemu-devel] [PATCH 0/1] Bug: Sandbox: libvirt breakdowns qemu guest
Date: Mon, 7 May 2018 12:33:20 +0200 [thread overview]
Message-ID: <20180507103320.GE17261@vader> (raw)
In-Reply-To: <df015c61-0dde-da33-86eb-31abbd6ec805@de.ibm.com>
On 07/05/2018 - 11:29:57, Christian Borntraeger wrote:
> On 05/07/2018 05:32 AM, Yi Min Zhao wrote:
> > 1. Problem Description
> > ======================
> > If QEMU is built without seccomp support, 'elevatorprivileges' remains compiled.
> > This option of sandbox is treated as an indication for seccomp blacklist support
> > in libvirt. This behavior is introduced by the libvirt commits 31ca6a5 and
> > 3527f9d. It would make libvirt build wrong QEMU cmdline, and then the guest
> > startup would fail.
>
> Adding libvirt list.
>
> This would still fail with older QEMUs, so the question is if we should also OR instead
> change something in libvirt.
Perhaps I'm missing something here, but libvirt can differentiate between
different versions of QEMU, therefore not calling it with wrong or outdated
arguments.
>
> >
> > 2. Libvirt Log
> > ==============
> > qemu-system-s390x: -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,\
> > resourcecontrol=deny: seccomp support is disabled
> >
> > 3. Fixup
> > ========
> > Wrap the options except 'enable' for qemu_sandbox_opts by CONFIG_SECCOMP.
> >
> > Yi Min Zhao (1):
> > sandbox: avoid to compile options if CONFIG_SECCOMP undefined
> >
> > vl.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
>
--
Eduardo Otubo
next prev parent reply other threads:[~2018-05-07 10:33 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-07 3:32 [Qemu-devel] [PATCH 0/1] Bug: Sandbox: libvirt breakdowns qemu guest Yi Min Zhao
2018-05-07 3:32 ` [Qemu-devel] [PATCH 1/1] sandbox: avoid to compile options if CONFIG_SECCOMP undefined Yi Min Zhao
2018-05-07 10:31 ` Eduardo Otubo
2018-05-07 13:27 ` Yi Min Zhao
2018-05-07 18:04 ` Eric Blake
2018-05-07 22:18 ` Yi Min Zhao
2018-05-08 10:37 ` Daniel P. Berrangé
2018-05-09 4:40 ` Yi Min Zhao
2018-05-09 12:48 ` Eric Blake
2018-05-09 14:23 ` Ján Tomko
2018-05-07 9:29 ` [Qemu-devel] [PATCH 0/1] Bug: Sandbox: libvirt breakdowns qemu guest Christian Borntraeger
2018-05-07 10:33 ` Eduardo Otubo [this message]
2018-05-07 12:02 ` [Qemu-devel] [libvirt] " Ján Tomko
2018-05-07 12:12 ` Christian Borntraeger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180507103320.GE17261@vader \
--to=otubo@redhat.com \
--cc=berrange@redhat.com \
--cc=borntraeger@de.ibm.com \
--cc=fiuczy@linux.ibm.com \
--cc=jferlan@redhat.com \
--cc=jtomko@redhat.com \
--cc=libvir-list@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=zyimin@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).