Re: [Qemu-devel] [PATCH] seccomp: adding a second whitelist
From: Paolo Bonzini
Subject: Re: [Qemu-devel] [PATCH] seccomp: adding a second whitelist
Date: Thu, 29 Aug 2013 10:56:44 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130805 Thunderbird/17.0.8
On 29/08/2013 10:34, Stefan Hajnoczi wrote:
> On Wed, Aug 28, 2013 at 10:04:32PM -0300, Eduardo Otubo wrote:
>> Now there's a second whitelist, right before the vcpu starts. The second
>> whitelist is the same as the first one, except for exec() and select().
>
> -netdev tap,downscript=/path/to/script requires exec() in the QEMU
> shutdown code path. Will this work with seccomp?
It won't by design (seccomp is supposed to run with file descriptor
passing).
However, removing select() seems a bit risky. We cannot exclude that
external libraries are not using it instead of, say, poll.
BTW, recent QEMU is using ppoll instead of poll; does the whitelist
require an update?
Paolo