[Qemu-devel] [PULL 00/02] seccomp branch queue

[Qemu-devel] [PULL 00/02] seccomp branch queue

[Eduardo Otubo]

The following changes since commit b574f602680d41c4cf4a9c106e3e2244bed01cdd:

  Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20141216-1' into staging (2014-12-17 19:22:42 +0000)

are available in the git repository at:


  https://github.com/otubo/qemu.git tags/pull-seccomp-20141219

for you to fetch changes up to 670c7aced3d4e5aabc257ec51182806e4090a848:

  seccomp: add mbind() to the syscall whitelist (2014-12-19 17:16:55 +0100)

----------------------------------------------------------------
seccomp: typo in configure error message
seccomp: add mbind() to the syscall whitelist
----------------------------------------------------------------
Eduardo Otubo (1):
      seccomp: typo in configure error message

Paul Moore (1):
      seccomp: add mbind() to the syscall whitelist

 configure      | 2 +-
 qemu-seccomp.c | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

-- 
1.9.1

Re: [Qemu-devel] [PULL 00/02] seccomp branch queue

[Peter Maydell]

On 19 December 2014 at 16:56, Eduardo Otubo
<eduardo.otubo@profitbricks.com> wrote:
> The following changes since commit b574f602680d41c4cf4a9c106e3e2244bed01cdd:
>
>   Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20141216-1' into staging (2014-12-17 19:22:42 +0000)
>
> are available in the git repository at:
>
>
>   https://github.com/otubo/qemu.git tags/pull-seccomp-20141219
>
> for you to fetch changes up to 670c7aced3d4e5aabc257ec51182806e4090a848:
>
>   seccomp: add mbind() to the syscall whitelist (2014-12-19 17:16:55 +0100)
>
> ----------------------------------------------------------------
> seccomp: typo in configure error message
> seccomp: add mbind() to the syscall whitelist
> ----------------------------------------------------------------
> Eduardo Otubo (1):
>       seccomp: typo in configure error message
>
> Paul Moore (1):
>       seccomp: add mbind() to the syscall whitelist

Reminder: when you send a pullreq then all of the patches
in it need to have your signed-off-by as well as that of
the original author. This patch from Paul is missing your Sob.
Could you respin to add it, please?

thanks
-- PMM

[Qemu-devel] [PULL 00/02] seccomp branch queue

[Eduardo Otubo]

The following changes since commit b574f602680d41c4cf4a9c106e3e2244bed01cdd:

  Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20141216-1' into staging (2014-12-17 19:22:42 +0000)

are available in the git repository at:


  https://github.com/otubo/qemu.git tags/pull-seccomp-20150105

for you to fetch changes up to ea259acae5b2d88ee6e92caf1cf44eb501eaef47:

  seccomp: add mbind() to the syscall whitelist (2015-01-05 18:13:38 +0100)

----------------------------------------------------------------
seccomp: typo in configure error message
seccomp: add mbind() to the syscall whitelist
----------------------------------------------------------------
Eduardo Otubo (1):
      seccomp: typo in configure error message

Paul Moore (1):
      seccomp: add mbind() to the syscall whitelist

 configure      | 2 +-
 qemu-seccomp.c | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

-- 
1.9.1

[Qemu-devel] [PULL 01/02] seccomp: typo in configure error message

[Eduardo Otubo]

Error message was misleading people to install wrong version of
libseccomp.

Signed-off-by: Eduardo Otubo <eduardo.otubo@profitbricks.com>
---
 configure | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure b/configure
index cae588c..7539645 100755
--- a/configure
+++ b/configure
@@ -1830,7 +1830,7 @@ if test "$seccomp" != "no" ; then
 	seccomp="yes"
     else
 	if test "$seccomp" = "yes"; then
-            feature_not_found "libseccomp" "Install libseccomp devel >= 2.1.0"
+            feature_not_found "libseccomp" "Install libseccomp devel >= 2.1.1"
 	fi
 	seccomp="no"
     fi
-- 
1.9.1

[Qemu-devel] [PULL 02/02] seccomp: add mbind() to the syscall whitelist

[Eduardo Otubo]

From: Paul Moore <pmoore@redhat.com>

The "memory-backend-ram" QOM object utilizes the mbind(2) syscall to
set the policy for a memory range.  Add the syscall to the seccomp
sandbox whitelist.

Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Eduardo Otubo <eduardo.otubo@profitbricks.com>
Acked-by: Eduardo Otubo <eduardo.otubo@profitbricks.com>
Tested-by: Eduardo Habkost <ehabkost@redhat.com>
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
---
 qemu-seccomp.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index af6a375..b0c6269 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -235,7 +235,8 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
     { SCMP_SYS(fallocate), 240 },
     { SCMP_SYS(fadvise64), 240 },
     { SCMP_SYS(inotify_init1), 240 },
-    { SCMP_SYS(inotify_add_watch), 240 }
+    { SCMP_SYS(inotify_add_watch), 240 },
+    { SCMP_SYS(mbind), 240 }
 };
 
 int seccomp_start(void)
-- 
1.9.1

Re: [Qemu-devel] [PULL 00/02] seccomp branch queue

[Peter Maydell]

On 5 January 2015 at 17:23, Eduardo Otubo
<eduardo.otubo@profitbricks.com> wrote:
> The following changes since commit b574f602680d41c4cf4a9c106e3e2244bed01cdd:
>
>   Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20141216-1' into staging (2014-12-17 19:22:42 +0000)
>
> are available in the git repository at:
>
>
>   https://github.com/otubo/qemu.git tags/pull-seccomp-20150105
>
> for you to fetch changes up to ea259acae5b2d88ee6e92caf1cf44eb501eaef47:
>
>   seccomp: add mbind() to the syscall whitelist (2015-01-05 18:13:38 +0100)
>
> ----------------------------------------------------------------
> seccomp: typo in configure error message
> seccomp: add mbind() to the syscall whitelist
> ----------------------------------------------------------------
> Eduardo Otubo (1):
>       seccomp: typo in configure error message
>
> Paul Moore (1):
>       seccomp: add mbind() to the syscall whitelist

Applied, thanks.

-- PMM