Message-ID: <5220AA75.7080402@linux.vnet.ibm.com>
Date: Fri, 30 Aug 2013 11:21:41 -0300
From: Eduardo Otubo
References: <1377738272-3470-1-git-send-email-otubo@linux.vnet.ibm.com> <20130829083411.GD23096@stefanha-thinkpad.redhat.com>
In-Reply-To: <20130829083411.GD23096@stefanha-thinkpad.redhat.com>
Subject: Re: [Qemu-devel] [PATCH] seccomp: adding a second whitelist
To: Stefan Hajnoczi
Cc: pmoore@redhat.com, coreyb@linux.vnet.ibm.com, wad@chromium.org, qemu-devel@nongnu.org

On 08/29/2013 05:34 AM, Stefan Hajnoczi wrote:
> On Wed, Aug 28, 2013 at 10:04:32PM -0300, Eduardo Otubo wrote:
>> Now there's a second whitelist, right before the vcpu starts. The second
>> whitelist is the same as the first one, except for exec() and select().
>
> -netdev tap,downscript=/path/to/script requires exec() in the QEMU
> shutdown code path. Will this work with seccomp?

I actually don't know, but I'll test that as well. Can you run a test
with this patch and -netdev? I mean, if you're pointing that out you
might have a scenario already set up, right?

Thanks!

>
> Stefan
>

--
Eduardo Otubo
IBM Linux Technology Center