* [Qemu-devel] [PULL 00/03] seccomp branch queue
@ 2015-11-16 9:09 Eduardo Otubo
2015-11-16 12:51 ` Peter Maydell
0 siblings, 1 reply; 7+ messages in thread
From: Eduardo Otubo @ 2015-11-16 9:09 UTC (permalink / raw)
To: qemu-devel; +Cc: peter.maydell, drjones, Eduardo Otubo, dann.frazier
The following changes since commit 8337c6cbc37c6b2184f41bab3eaff47d5e68012a:
Update version for v2.5.0-rc0 release (2015-11-13 17:10:36 +0000)
are available in the git repository at:
git://github.com/otubo/qemu.git tags/pull-seccomp-20151116
for you to fetch changes up to ba060c53d585d186ff0ac6b181f4b2a867acc210:
seccomp: loosen library version dependency (2015-11-16 09:49:47 +0100)
----------------------------------------------------------------
seccomp branch queue
----------------------------------------------------------------
Andrew Jones (2):
seccomp: add cacheflush to whitelist
configure: arm/aarch64: allow enable-seccomp
dann frazier (1):
seccomp: loosen library version dependency
configure | 32 +++++++++++++++++++++++++-------
qemu-seccomp.c | 13 ++++++++++++-
2 files changed, 37 insertions(+), 8 deletions(-)
--
2.1.4
* Re: [Qemu-devel] [PULL 00/03] seccomp branch queue
2015-11-16 9:09 Eduardo Otubo
@ 2015-11-16 12:51 ` Peter Maydell
0 siblings, 0 replies; 7+ messages in thread
From: Peter Maydell @ 2015-11-16 12:51 UTC (permalink / raw)
To: Eduardo Otubo; +Cc: Dann Frazier, Andrew Jones, QEMU Developers
On 16 November 2015 at 09:09, Eduardo Otubo
<eduardo.otubo@profitbricks.com> wrote:
> The following changes since commit 8337c6cbc37c6b2184f41bab3eaff47d5e68012a:
>
> Update version for v2.5.0-rc0 release (2015-11-13 17:10:36 +0000)
>
> are available in the git repository at:
>
> git://github.com/otubo/qemu.git tags/pull-seccomp-20151116
>
> for you to fetch changes up to ba060c53d585d186ff0ac6b181f4b2a867acc210:
>
> seccomp: loosen library version dependency (2015-11-16 09:49:47 +0100)
>
> ----------------------------------------------------------------
> seccomp branch queue
>
> ----------------------------------------------------------------
Applied, thanks.
-- PMM
* [Qemu-devel] [PULL 00/03] seccomp branch queue
@ 2016-04-16 19:04 Eduardo Otubo
2016-04-16 19:04 ` [Qemu-devel] [PULL 01/03] configure: Enable seccomp sandbox for MIPS Eduardo Otubo
` (3 more replies)
0 siblings, 4 replies; 7+ messages in thread
From: Eduardo Otubo @ 2016-04-16 19:04 UTC (permalink / raw)
To: qemu-devel; +Cc: peter.maydell, Eduardo Otubo
The following changes since commit c7b45f12828c1ba7105dbc029c63d7de68eaa91c:
Merge remote-tracking branch 'remotes/armbru/tags/pull-backends-2016-04-15' into staging (2016-04-15 17:43:34 +0100)
are available in the git repository at:
git://github.com/otubo/qemu.git tags/pull-seccomp-20160416
for you to fetch changes up to 8e08f8a4a7f613af65b29fcc3ac3bfc2a08a3343:
seccomp: adding sysinfo system call to whitelist (2016-04-16 20:27:44 +0200)
----------------------------------------------------------------
seccomp branch queue
----------------------------------------------------------------
James Hogan (2):
configure: Enable seccomp sandbox for MIPS
seccomp: Whitelist cacheflush since 2.2.0 not 2.2.3
Miroslav Rezanina (1):
seccomp: adding sysinfo system call to whitelist
configure | 3 +++
qemu-seccomp.c | 9 ++++++---
2 files changed, 9 insertions(+), 3 deletions(-)
--
2.1.4
* [Qemu-devel] [PULL 01/03] configure: Enable seccomp sandbox for MIPS
2016-04-16 19:04 [Qemu-devel] [PULL 00/03] seccomp branch queue Eduardo Otubo
@ 2016-04-16 19:04 ` Eduardo Otubo
2016-04-16 19:04 ` [Qemu-devel] [PULL 02/03] seccomp: Whitelist cacheflush since 2.2.0 not 2.2.3 Eduardo Otubo
` (2 subsequent siblings)
3 siblings, 0 replies; 7+ messages in thread
From: Eduardo Otubo @ 2016-04-16 19:04 UTC (permalink / raw)
To: qemu-devel; +Cc: peter.maydell, James Hogan
From: James Hogan <james.hogan@imgtec.com>
Enable seccomp on MIPS since libseccomp version 2.2.0 when MIPS support
was first added.
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Reviewed-by: Andrew Jones <drjones@redhat.com>
Acked-by: Eduardo Otubo <eduardo.otubo@profitbricks.com>
---
configure | 3 +++
1 file changed, 3 insertions(+)
diff --git a/configure b/configure
index 5db29f0..f1c307b 100755
--- a/configure
+++ b/configure
@@ -1872,6 +1872,9 @@ if test "$seccomp" != "no" ; then
i386|x86_64)
libseccomp_minver="2.1.0"
;;
+ mips)
+ libseccomp_minver="2.2.0"
+ ;;
arm|aarch64)
libseccomp_minver="2.2.3"
;;
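Review bot: The new `mips)` arm matches only that exact string, so any other MIPS spelling that reaches this `case` would skip the 2.2.0 floor and fall through to whatever the default arm does. Please confirm the value being switched on is already normalised to `mips` for all MIPS hosts, or widen the pattern. A one-line comment next to `libseccomp_minver="2.2.0"` saying that 2.2.0 is the first libseccomp release with MIPS support would also keep the rationale in the file rather than only in the commit message, as the three arms now carry three different minimums.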
--
2.1.4
* [Qemu-devel] [PULL 02/03] seccomp: Whitelist cacheflush since 2.2.0 not 2.2.3
2016-04-16 19:04 [Qemu-devel] [PULL 00/03] seccomp branch queue Eduardo Otubo
2016-04-16 19:04 ` [Qemu-devel] [PULL 01/03] configure: Enable seccomp sandbox for MIPS Eduardo Otubo
@ 2016-04-16 19:04 ` Eduardo Otubo
2016-04-16 19:04 ` [Qemu-devel] [PULL 03/03] seccomp: adding sysinfo system call to whitelist Eduardo Otubo
2016-04-18 10:11 ` [Qemu-devel] [PULL 00/03] seccomp branch queue Peter Maydell
3 siblings, 0 replies; 7+ messages in thread
From: Eduardo Otubo @ 2016-04-16 19:04 UTC (permalink / raw)
To: qemu-devel; +Cc: peter.maydell, James Hogan
From: James Hogan <james.hogan@imgtec.com>
The cacheflush system call (found on MIPS and ARM) has been included in
the libseccomp header since 2.2.0, so include it back to that version.
Previously it was only enabled since 2.2.3 since that is when it was
enabled properly for ARM.
This will allow seccomp support to be enabled for MIPS back to
libseccomp 2.2.0.
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Reviewed-By: Andrew Jones <drjones@redhat.com>
Acked-by: Eduardo Otubo <eduardo.otubo@profitbricks.com>
---
qemu-seccomp.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 2866e3c..138ee02 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -16,11 +16,13 @@
#include <seccomp.h>
#include "sysemu/seccomp.h"
+/* For some architectures (notably ARM) cacheflush is not supported until
+ * libseccomp 2.2.3, but configure enforces that we are using a more recent
+ * version on those hosts, so it is OK for this check to be less strict.
+ */
#if SCMP_VER_MAJOR >= 3
#define HAVE_CACHEFLUSH
-#elif SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 3
- #define HAVE_CACHEFLUSH
-#elif SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR == 2 && SCMP_VER_MICRO >= 3
+#elif SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 2
#define HAVE_CACHEFLUSH
#endif
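Review bot: The relaxed `#elif SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 2` branch now defines HAVE_CACHEFLUSH for 2.2.0 through 2.2.2 on every host, and nothing in this file stops that on ARM; correctness there rests entirely on the `libseccomp_minver="2.2.3"` check in configure. The new comment says so, but the coupling is silent: if the ARM minimum in configure is ever lowered, this file will still compile and whitelist cacheflush against a library where, per the commit message, it was not yet enabled properly. Consider naming the configure variable in the comment so the dependency can be found by grep, or adding a compile-time guard for ARM hosts here. As a style point, the two remaining branches could be a single `#if SCMP_VER_MAJOR >= 3 || (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 2)`.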
--
2.1.4
* [Qemu-devel] [PULL 03/03] seccomp: adding sysinfo system call to whitelist
2016-04-16 19:04 [Qemu-devel] [PULL 00/03] seccomp branch queue Eduardo Otubo
2016-04-16 19:04 ` [Qemu-devel] [PULL 01/03] configure: Enable seccomp sandbox for MIPS Eduardo Otubo
2016-04-16 19:04 ` [Qemu-devel] [PULL 02/03] seccomp: Whitelist cacheflush since 2.2.0 not 2.2.3 Eduardo Otubo
@ 2016-04-16 19:04 ` Eduardo Otubo
2016-04-18 10:11 ` [Qemu-devel] [PULL 00/03] seccomp branch queue Peter Maydell
3 siblings, 0 replies; 7+ messages in thread
From: Eduardo Otubo @ 2016-04-16 19:04 UTC (permalink / raw)
To: qemu-devel; +Cc: peter.maydell, Miroslav Rezanina
From: Miroslav Rezanina <mrezanin@redhat.com>
Newer versions of the nss-softokn libraries (> 3.16.2.3) use the sysinfo call,
so qemu using an rbd image hangs after start when run in sandbox mode.
To allow using rbd images in sandbox mode we have to whitelist it.
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
Acked-by: Eduardo Otubo <eduardo.otubo@profitbricks.com>
---
qemu-seccomp.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 138ee02..cb569dc 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -252,6 +252,7 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
#ifdef HAVE_CACHEFLUSH
{ SCMP_SYS(cacheflush), 240 },
#endif
+ { SCMP_SYS(sysinfo), 240 },
};
int seccomp_start(void)
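Review bot: The added `{ SCMP_SYS(sysinfo), 240 },` entry carries no comment, and it sits outside any `#ifdef`, so the call is permitted in every sandboxed build even though the commit message ties the need to one case (rbd images with nss-softokn > 3.16.2.3). Each whitelist entry widens what the sandboxed process may ask of the host kernel, so the reason should be recorded beside the entry, for example a short comment naming the rbd/nss-softokn dependency, so a later audit of the list can tell why it is there and whether it is still required. It is also worth confirming that 240 is the intended value for this call and was not simply carried over from the cacheflush entry directly above.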
--
2.1.4
* Re: [Qemu-devel] [PULL 00/03] seccomp branch queue
2016-04-16 19:04 [Qemu-devel] [PULL 00/03] seccomp branch queue Eduardo Otubo
` (2 preceding siblings ...)
2016-04-16 19:04 ` [Qemu-devel] [PULL 03/03] seccomp: adding sysinfo system call to whitelist Eduardo Otubo
@ 2016-04-18 10:11 ` Peter Maydell
3 siblings, 0 replies; 7+ messages in thread
From: Peter Maydell @ 2016-04-18 10:11 UTC (permalink / raw)
To: Eduardo Otubo; +Cc: QEMU Developers
On 16 April 2016 at 20:04, Eduardo Otubo <eduardo.otubo@profitbricks.com> wrote:
> The following changes since commit c7b45f12828c1ba7105dbc029c63d7de68eaa91c:
>
> Merge remote-tracking branch 'remotes/armbru/tags/pull-backends-2016-04-15' into staging (2016-04-15 17:43:34 +0100)
>
> are available in the git repository at:
>
> git://github.com/otubo/qemu.git tags/pull-seccomp-20160416
>
> for you to fetch changes up to 8e08f8a4a7f613af65b29fcc3ac3bfc2a08a3343:
>
> seccomp: adding sysinfo system call to whitelist (2016-04-16 20:27:44 +0200)
>
> ----------------------------------------------------------------
> seccomp branch queue
>
> ----------------------------------------------------------------
> James Hogan (2):
> configure: Enable seccomp sandbox for MIPS
> seccomp: Whitelist cacheflush since 2.2.0 not 2.2.3
>
> Miroslav Rezanina (1):
> seccomp: adding sysinfo system call to whitelist
>
> configure | 3 +++
> qemu-seccomp.c | 9 ++++++---
> 2 files changed, 9 insertions(+), 3 deletions(-)
Applied, thanks.
-- PMM