From: Eduardo Otubo <otubo@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Cc: pmoore@redhat.com, blauwirbel@gmail.com, anthony@codemonkey.ws,
wad@chromium.org, Eduardo Otubo <otubo@linux.vnet.ibm.com>
Subject: [Qemu-devel] [PATCHv4 1/4] Adding support for libseccomp in configure and Makefile
Date: Tue, 17 Jul 2012 16:19:12 -0300 [thread overview]
Message-ID: <fb8c02d8c93b599bbd2ce12d01efe4d3cc75ebf9.1342552002.git.otubo@linux.vnet.ibm.com> (raw)
In-Reply-To: <cover.1342552002.git.otubo@linux.vnet.ibm.com>
In-Reply-To: <cover.1342552002.git.otubo@linux.vnet.ibm.com>
Adding basic options to the configure script to use libseccomp or not.
The default is set to 'no'. If the flag --enable-libseccomp is used, the
script will check for its existence using pkg-config.
v2:
* As I removed all the code related to seccomp from vl.c, I created
qemu-seccomp.[ch].
* Also making the configure script to add the specific line to
Makefile.obj in order to compile with appropriate support to seccomp.
v3:
* Removing the line from Makefile.obj and adding it to Makefile.objs.
* Marking libseccomp default option to 'yes' in the configure script.
v4:
* Now two new options added:
--enable-seccomp-debug
--disable-seccomp-debug
Enabling debug will cause libseccomp to be configured with
SCMP_ACT_TRAP. This will help users/developers to catch system calls
that were not previously whitelisted.
Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
---
Makefile.objs | 10 ++++++++++
configure | 34 ++++++++++++++++++++++++++++++++++
2 files changed, 44 insertions(+)
diff --git a/Makefile.objs b/Makefile.objs
index 5ebbcfa..eb4efa3 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -96,6 +96,16 @@ common-obj-y += qemu-timer.o qemu-timer-common.o
common-obj-$(CONFIG_SLIRP) += slirp/
######################################################################
+# libseccomp
+ifeq ($(CONFIG_SECCOMP),y)
+common-obj-y += qemu-seccomp.o
+endif
+
+ifeq ($(CONFIG_SECCOMP_DEBUG),y)
+common-obj-y += qemu-seccomp-debug.o
+endif
+
+######################################################################
# libuser
user-obj-y =
diff --git a/configure b/configure
index 0a3896e..39ef457 100755
--- a/configure
+++ b/configure
@@ -195,6 +195,8 @@ zlib="yes"
guest_agent="yes"
libiscsi=""
coroutine=""
+seccomp="yes"
+seccomp_debug="no"
# parse CC options first
for opt do
@@ -824,6 +826,14 @@ for opt do
;;
--disable-guest-agent) guest_agent="no"
;;
+ --enable-seccomp-debug) seccomp_debug="yes"
+ ;;
+ --disable-seccomp-debug) seccomp_debug="no"
+ ;;
+ --enable-seccomp) seccomp="yes"
+ ;;
+ --disable-seccomp) seccomp="no"
+ ;;
*) echo "ERROR: unknown option $opt"; show_help="yes"
;;
esac
@@ -1108,6 +1118,10 @@ echo " --disable-usb-redir disable usb network redirection support"
echo " --enable-usb-redir enable usb network redirection support"
echo " --disable-guest-agent disable building of the QEMU Guest Agent"
echo " --enable-guest-agent enable building of the QEMU Guest Agent"
+echo " --disable-seccomp-debug disable seccomp debug support"
+echo " --enable-seccomp-debug enables seccomp debug support"
+echo " --disable-seccomp disable seccomp support"
+echo " --enable-seccomp enables seccomp support"
echo " --with-coroutine=BACKEND coroutine backend. Supported options:"
echo " gthread, ucontext, sigaltstack, windows"
echo ""
@@ -1369,6 +1383,16 @@ EOF
fi
##########################################
+# libseccomp check
+
+if test "$seccomp" = "yes" ; then
+ if $pkg_config libseccomp --modversion >/dev/null 2>&1; then
+ LIBS=`$pkg_config --libs libseccomp`
+ else
+ feature_not_found "libseccomp"
+ fi
+fi
+##########################################
# xen probe
if test "$xen" != "no" ; then
@@ -3053,6 +3077,8 @@ echo "usb net redir $usb_redir"
echo "OpenGL support $opengl"
echo "libiscsi support $libiscsi"
echo "build guest agent $guest_agent"
+echo "seccomp support $seccomp"
+echo "seccomp debug $seccomp_debug"
echo "coroutine backend $coroutine_backend"
if test "$sdl_too_old" = "yes"; then
@@ -3351,6 +3377,14 @@ if test "$libiscsi" = "yes" ; then
echo "CONFIG_LIBISCSI=y" >> $config_host_mak
fi
+if test "$seccomp" = "yes"; then
+ echo "CONFIG_SECCOMP=y" >> $config_host_mak
+fi
+
+if test "$seccomp_debug" = "yes"; then
+ echo "CONFIG_SECCOMP_DEBUG=y" >> $config_host_mak
+fi
+
# XXX: suppress that
if [ "$bsd" = "yes" ] ; then
echo "CONFIG_BSD=y" >> $config_host_mak
--
1.7.9.5
next prev parent reply other threads:[~2012-07-17 19:30 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-07-17 19:19 [Qemu-devel] [PATCHv4 0/4] Sandboxing Qemu guests with Libseccomp Eduardo Otubo
2012-07-17 19:19 ` Eduardo Otubo [this message]
2012-07-17 19:19 ` [Qemu-devel] [PATCHv4 2/4] Adding qemu-seccomp.[ch] Eduardo Otubo
2012-07-17 19:19 ` [Qemu-devel] [PATCHv4 3/4] Adding qemu-seccomp-debug.[ch] Eduardo Otubo
2012-07-17 19:19 ` [Qemu-devel] [PATCHv4 4/4] Adding seccomp calls to vl.c Eduardo Otubo
2012-07-23 12:59 ` [Qemu-devel] [PATCHv4 0/4] Sandboxing Qemu guests with Libseccomp Eduardo Otubo
2012-07-23 17:38 ` Blue Swirl
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fb8c02d8c93b599bbd2ce12d01efe4d3cc75ebf9.1342552002.git.otubo@linux.vnet.ibm.com \
--to=otubo@linux.vnet.ibm.com \
--cc=anthony@codemonkey.ws \
--cc=blauwirbel@gmail.com \
--cc=pmoore@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).