From: Yi Min Zhao <zyimin@linux.ibm.com>
To: "Ján Tomko" <jtomko@redhat.com>
Cc: otubo@redhat.com, fiuczy@linux.ibm.com, qemu-devel@nongnu.org,
borntraeger@de.ibm.com, jferlan@redhat.com, pbonzini@redhat.com
Subject: Re: [Qemu-devel] [PATCH v3] sandbox: disable -sandbox if CONFIG_SECCOMP undefined
Date: Tue, 29 May 2018 17:01:46 +0800 [thread overview]
Message-ID: <b41a7ff8-2705-e065-4a1c-ecfa117a6978@linux.ibm.com> (raw)
In-Reply-To: <20180529084021.GC31560@dnr>
在 2018/5/29 下午4:40, Ján Tomko 写道:
> On Tue, May 29, 2018 at 03:31:40PM +0800, Yi Min Zhao wrote:
>> If CONFIG_SECCOMP is undefined, the option 'elevateprivileges' remains
>> compiled. This would make libvirt set the corresponding capability and
>> then trigger failure during guest startup. This patch moves the code
>> regarding seccomp command line options to qemu-seccomp.c file and
>> wraps qemu_opts_foreach finding sandbox option with CONFIG_SECCOMP.
>> Because parse_sandbox() is moved into qemu-seccomp.c file, change
>> seccomp_start() to static function.
>>
>> Signed-off-by: Yi Min Zhao <zyimin@linux.ibm.com>
>> ---
>> 1. Problem Description
>> ======================
>> If QEMU is built without seccomp support, 'elevateprivileges' remains
>> compiled.
>> This option of sandbox is treated as an indication for seccomp
>> blacklist support
>> in libvirt. This behavior is introduced by the libvirt commits
>> 31ca6a5 and
>> 3527f9d. It would make libvirt build wrong QEMU cmdline, and then the
>> guest
>> startup would fail.
>>
>> 2. Libvirt Log
>> ==============
>> qemu-system-s390x: -sandbox
>> on,obsolete=deny,elevateprivileges=deny,spawn=deny,\
>> resourcecontrol=deny: seccomp support is disabled
>>
>> 3. Fixup
>> ========
>> Move the code related ot sandbox to qemu-seccomp.c file and wrap them
>> with
>> CONFIG_SECCOMP. So compile the code related to sandbox only when
>> CONFIG_SECCOMP is defined.
>> ---
>> include/sysemu/seccomp.h | 3 +-
>> qemu-seccomp.c | 121
>> ++++++++++++++++++++++++++++++++++++++++++++++-
>> vl.c | 118
>> +--------------------------------------------
>> 3 files changed, 124 insertions(+), 118 deletions(-)
>>
>
> Reviewed-by: Ján Tomko <jtomko@redhat.com>
> Tested-by: Ján Tomko <jtomko@redhat.com>
>
> Jano
Thanks very much!
next prev parent reply other threads:[~2018-05-29 9:02 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-29 7:31 [Qemu-devel] [PATCH v3] sandbox: disable -sandbox if CONFIG_SECCOMP undefined Yi Min Zhao
2018-05-29 8:40 ` Ján Tomko
2018-05-29 9:01 ` Yi Min Zhao [this message]
2018-05-29 9:37 ` Paolo Bonzini
2018-05-29 9:45 ` Yi Min Zhao
2018-05-29 10:05 ` Yi Min Zhao
2018-05-30 10:54 ` Eduardo Otubo
2018-05-31 3:20 ` Yi Min Zhao
2018-05-31 3:24 ` Yi Min Zhao
2018-05-29 9:39 ` Eduardo Otubo
2018-05-29 9:53 ` Yi Min Zhao
2018-05-29 10:14 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b41a7ff8-2705-e065-4a1c-ecfa117a6978@linux.ibm.com \
--to=zyimin@linux.ibm.com \
--cc=borntraeger@de.ibm.com \
--cc=fiuczy@linux.ibm.com \
--cc=jferlan@redhat.com \
--cc=jtomko@redhat.com \
--cc=otubo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).