From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:56279)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <eblake@redhat.com>) id 1TPJJJ-0002YK-PP
	for qemu-devel@nongnu.org; Fri, 19 Oct 2012 16:36:50 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <eblake@redhat.com>) id 1TPJJI-0003WG-Gt
	for qemu-devel@nongnu.org; Fri, 19 Oct 2012 16:36:49 -0400
Received: from mx1.redhat.com ([209.132.183.28]:35227)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <eblake@redhat.com>) id 1TPJJI-0003W1-7B
	for qemu-devel@nongnu.org; Fri, 19 Oct 2012 16:36:48 -0400
Message-ID: <5081B9BC.8060503@redhat.com>
Date: Fri, 19 Oct 2012 14:36:12 -0600
From: Eric Blake <eblake@redhat.com>
MIME-Version: 1.0
References: <1350479712-15082-1-git-send-email-otubo@linux.vnet.ibm.com>
	<1350479712-15082-3-git-send-email-otubo@linux.vnet.ibm.com>
	<CAAu8pHucVmfiqCbcz+iSiYoZNmoSPhowzacX2FdySuSf2=BYxg@mail.gmail.com>
	<5081B330.3060106@linux.vnet.ibm.com>
In-Reply-To: <5081B330.3060106@linux.vnet.ibm.com>
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature";
	boundary="------------enig3512413B6EA89C9BDA53F4D7"
Subject: Re: [Qemu-devel] [PATCH 3/4] Support for "double whitelist" filters
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Corey Bryant <coreyb@linux.vnet.ibm.com>
Cc: Blue Swirl <blauwirbel@gmail.com>, pmoore@redhat.com, aliguori@us.ibm.com, qemu-devel@nongnu.org, Eduardo Otubo <otubo@linux.vnet.ibm.com>

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig3512413B6EA89C9BDA53F4D7
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On 10/19/2012 02:08 PM, Corey Bryant wrote:
>=20
>=20
> On 10/19/2012 01:04 PM, Blue Swirl wrote:
>> On Wed, Oct 17, 2012 at 1:15 PM, Eduardo Otubo
>> <otubo@linux.vnet.ibm.com> wrote:
>>> This patch includes a second whitelist right before the main loop. It=
's
>>> a smaller and more restricted whitelist, excluding execve() among man=
y
>>> others.
>>>

>> It's nice to see that for example open, creat, unlink, socket, bind,
>> mprotect, setrlimit and kill are not present.
>>
>=20
> Hmm, well open minimally needs to be added to this list so that drives
> can be hotplugged.

Unless we enforce the use of add-fd for hot-plugging drives, but that in
turn requires that we have -blockdev semantics for telling qemu how to
open backing chains.

--=20
Eric Blake   eblake@redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


--------------enig3512413B6EA89C9BDA53F4D7
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Public key at http://people.redhat.com/eblake/eblake.gpg
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQEcBAEBCAAGBQJQgbm8AAoJEKeha0olJ0Nq+DcH/isO2qlJTxQVC8PQk4Og0slu
6GOamG7u9aWfYErKPB1A3UNZmcMiAfspvSQBZ6zJcl71djqE5u4Ma+BGaNndAj8Z
OdlQYOl7PCU/4GxYLSInkiOuvK6Q6EgK+a7ouVcANvHRle+JivwKDxncso1C4GDR
EAuze3th1sraIKLNXewZyem8RvgCF3JsdryerHjJK+g47f8gLDLW/HlcVXA/AkZJ
9Gh/5jxpk6EbLfpQ3JtGunglP7rxTulmqDyezW8286ZjjYgr6VBF67Q44NH/rlmU
7NrYLCyPElgUkKp3YYJSDnPfDE05qa7pek7RfxcFI4ccC+yL3L0mVTJ0OddKNuk=
=0Ivc
-----END PGP SIGNATURE-----

--------------enig3512413B6EA89C9BDA53F4D7--