From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <52556AF8.2090502@linux.vnet.ibm.com>
Date: Wed, 09 Oct 2013 11:40:56 -0300
From: Eduardo Otubo
To: Eduardo Otubo
Cc: pmoore@redhat.com, coreyb@linux.vnet.ibm.com, qemu-devel@nongnu.org, anthony@codemonkey.ws
Subject: Re: [Qemu-devel] [PATCHv3 2/3] seccomp: adding command line support for blacklist
In-Reply-To: <1381279346-23676-3-git-send-email-otubo@linux.vnet.ibm.com>
References: <1381279346-23676-1-git-send-email-otubo@linux.vnet.ibm.com> <1381279346-23676-3-git-send-email-otubo@linux.vnet.ibm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

On 10/08/2013 09:42 PM, Eduardo Otubo wrote:
> v3: The options for blacklist in the command line also check the
> existence of "-netdev tap", leaving a warning message in a positive
> case.
>
> New command line options for the seccomp blacklist feature:
>
> $ qemu -sandbox on[,strict=]
>
> The strict parameter will turn on or off the new system call blacklist
>
> Signed-off-by: Eduardo Otubo
> ---
> qemu-options.hx | 8 +++++---
> vl.c | 17 ++++++++++++++++-
> 2 files changed, 21 insertions(+), 4 deletions(-)
>
> diff --git a/qemu-options.hx b/qemu-options.hx
> index d15338e..05485e1 100644
> --- a/qemu-options.hx
> +++ b/qemu-options.hx
> @@ -2978,13 +2978,15 @@ Old param mode (ARM only). > ETEXI > > DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \ > - "-sandbox Enable seccomp mode 2 system call filter (default 'off').\n", > + "-sandbox Enable seccomp mode 2 system call filter (default 'off').\n" > + "-sandbox on[,strict=]\n" > + " Enable seccomp mode 2 system call second level filter (default 'off').\n", > QEMU_ARCH_ALL) > STEXI > -@item -sandbox @var{arg} > +@item -sandbox @var{arg}[,strict=@var{value}] > @findex -sandbox > Enable Seccomp mode 2 system call filter. 'on' will enable syscall filtering and 'off' will > -disable it. The default is 'off'. > +disable it. The default is 'off'. 'strict=on' will enable second level filter (default is 'off'). > ETEXI > > DEF("readconfig", HAS_ARG, QEMU_OPTION_readconfig, > diff --git a/vl.c b/vl.c > index ee95674..ffdf460 100644 > --- a/vl.c > +++ b/vl.c > @@ -330,6 +330,9 @@ static QemuOptsList qemu_sandbox_opts = { > { > .name = "enable", > .type = QEMU_OPT_BOOL, > + },{ > + .name = "strict", > + .type = QEMU_OPT_STRING, > }, > { /* end of list */ } > }, > @@ -1032,6 +1035,7 @@ static int bt_parse(const char *opt) > > static int parse_sandbox(QemuOpts *opts, void *opaque) > { > + const char *strict_value = NULL; > /* FIXME: change this to true for 1.3 */ > if (qemu_opt_get_bool(opts, "enable", false)) { > #ifdef CONFIG_SECCOMP 
> @@ -1040,6 +1044,17 @@ static int parse_sandbox(QemuOpts *opts, void *opaque) > "failed to install seccomp syscall filter in the kernel"); > return -1; > } > + > + strict_value = qemu_opt_get(opts, "strict"); > + > + if (!tap_enabled) .------^ Just spotted that I erased this open brace in one of my rebases. > + if (strict_value && !strcmp(strict_value, "on")) { > + enable_blacklist = true; > + } > + } else { > + fprintf(stderr, "Warning: seccomp syscall second level filter \"-sandbox on,strict=on\" " > + "cannot work together with \"-netdev tap\". Disabling it.\n"); > + } > #else > qerror_report(ERROR_CLASS_GENERIC_ERROR, > "sandboxing request but seccomp is not compiled into this build"); > @@ -1769,7 +1784,7 @@ void vm_state_notify(int running, RunState state) > > static void install_seccomp_blacklist(void) > { > - if (enable_blacklist && !tap_enabled) { > + if (enable_blacklist) { > if (seccomp_start(BLACKLIST) < 0) { > qerror_report(ERROR_CLASS_GENERIC_ERROR, > "failed to install seccomp syscall second level filter in the kernel");
--
Eduardo Otubo
IBM Linux Technology Center
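Review bot: the qemu-options.hx hunk documents `strict=` without ever saying which values it accepts or that it is ignored with `-netdev tap`. The DEF() help line reads `-sandbox on[,strict=]` with the value left blank, and the STEXI text only mentions `'strict=on'`. A user reading `qemu -help` should learn both facts from this hunk; for example `-sandbox on[,strict=on|off]` in the DEF() line, and in the STEXI paragraph something like "'strict=on' enables the second level filter (default 'off'); it is disabled with a warning when -netdev tap is in use."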
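Review bot: in the qemu_sandbox_opts hunk `strict` is declared as `QEMU_OPT_STRING` while the neighbouring `enable` option is `QEMU_OPT_BOOL`. As a string, `strict=off`, `strict=yes` and `strict=bogus` are all accepted and all silently mean "off", because parse_sandbox only compares against the literal `"on"`. Declaring it `.type = QEMU_OPT_BOOL` and reading it with `qemu_opt_get_bool(opts, "strict", false)` gives it the same on/off/yes/no semantics as `enable`, rejects malformed values at parse time, and removes the `strcmp` from parse_sandbox.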
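Review bot: in the parse_sandbox hunk, besides the missing `{` after `if (!tap_enabled)` that you already flagged, the branch structure warns in the wrong case: the `else` fires whenever tap is enabled, so a user running plain `-sandbox on -netdev tap` who never asked for `strict` still gets the "cannot work together with -netdev tap. Disabling it." warning. Test `strict` first and only then look at tap, i.e. `if (strict_value && !strcmp(strict_value, "on")) { if (tap_enabled) { /* warn */ } else { enable_blacklist = true; } }`. Two smaller points in the same hunk: `strict_value` is declared before `#ifdef CONFIG_SECCOMP` but only used inside it, so a build without seccomp gets an unused-variable warning (fatal under -Werror); move the declaration inside the #ifdef. And the warning goes through `fprintf(stderr, ...)` while the errors on either side of it use qerror_report; `error_report()` keeps the output on the same path as the rest of vl.c.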
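Review bot: dropping `&& !tap_enabled` from the condition in install_seccomp_blacklist makes the tap safeguard depend entirely on parse_sandbox having seen `tap_enabled` set at option-parse time. If `-netdev tap` is processed after `-sandbox` on the command line, or tap is brought up by a path that runs later, `enable_blacklist` is already true and the blacklist is installed anyway, which is exactly the case the v3 check is meant to prevent. install_seccomp_blacklist runs late, when `tap_enabled` is certainly final, so keep the `!tap_enabled` guard here as well (it is cheap and fails safe), or move the whole enable/warn decision to this point instead of parse_sandbox.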