From: Eduardo Otubo
Subject: Re: [Qemu-devel] [PATCH for-1.7] seccomp: setting "-sandbox on" by default
Date: Wed, 23 Oct 2013 12:42:34 -0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130912 Thunderbird/17.0.9



On 10/22/2013 11:00 AM, Anthony Liguori wrote:
On Tue, Oct 22, 2013 at 12:21 PM, Eduardo Otubo <address@hidden> wrote:
Inverting the way sandbox handles arguments, making it possible to have no
argument and still have '-sandbox on' enabled.

Signed-off-by: Eduardo Otubo <address@hidden>
---

The option '-sandbox on' is now used by default by virt-test[0] -- it has been
merged into the 'next' branch and will be available in the next release,
meaning we have a back support for regression tests if anything breaks because
of some missing system call not listed in the whitelist.

This being said, I think it makes sense to have this option set to 'on' by
default in the next Qemu version. It's been a while since a missing syscall was
last reported and at this point the whitelist seems to be pretty mature.

[0] - https://github.com/autotest/virt-test/commit/50e1f7d47a94f4c770880cd8ec0f18365dcba714

This breaks hot_add of a network device that uses a script= argument, correct?

If so, this cannot be made default.

Anthony, I believe you're talking about the blacklist feature. This is the old whitelist that is already upstream and it does not block any network device from being hot plugged.


Regards,

Anthony Liguori


  qemu-options.hx |  4 ++--
  vl.c            | 47 ++++++++++++++++++++++++++++-------------------
  2 files changed, 30 insertions(+), 21 deletions(-)

diff --git a/qemu-options.hx b/qemu-options.hx
index 5dc8b75..315a86d 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -2982,13 +2982,13 @@ Old param mode (ARM only).
  ETEXI

  DEF("sandbox", HAS_ARG, QEMU_OPTION_sandbox, \
-    "-sandbox <arg>  Enable seccomp mode 2 system call filter (default 
'off').\n",
+    "-sandbox <arg>  Enable seccomp mode 2 system call filter (default 
'on').\n",
      QEMU_ARCH_ALL)
  STEXI
  @item -sandbox @var{arg}
  @findex -sandbox
  Enable Seccomp mode 2 system call filter. 'on' will enable syscall filtering 
and 'off' will
-disable it.  The default is 'off'.
+disable it.  The default is 'on'.
  ETEXI

  DEF("readconfig", HAS_ARG, QEMU_OPTION_readconfig,
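Review bot: the texinfo paragraph only flips the default wording; now that the filter is active unless the user turns it off, the @item text should also state the opt-out form explicitly (`-sandbox off`) and warn that a system call missing from the whitelist will break the running QEMU instance, since that is the first symptom users will see after this change. The wrapped `(default` / `'on').\n"` lines in the DEF string should also be checked to make sure the help text is a single string literal once applied.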
diff --git a/vl.c b/vl.c
index b42ac67..ae3bdc9 100644
--- a/vl.c
+++ b/vl.c
@@ -529,6 +529,20 @@ static QemuOptsList qemu_msg_opts = {
      },
  };

+static QemuOpts *qemu_get_sandbox_opts(void)
+{
+    QemuOptsList *list;
+    QemuOpts *opts;
+
+    list = qemu_find_opts("sandbox");
+    assert(list);
+    opts = qemu_opts_find(list, NULL);
+    if (!opts) {
+        opts = qemu_opts_create_nofail(list);
+    }
+    return opts;
+}
+
  /**
   * Get machine options
   *
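Review bot: `qemu_get_sandbox_opts()` has no doc comment, unlike the `Get machine options` helper directly below it, and its read path has a side effect: when no `-sandbox` option was given, `qemu_opts_create_nofail(list)` allocates an empty entry on the list just so the caller can read a default. A short comment stating that the function must only be called after command-line parsing (so the created entry cannot shadow a later `-sandbox` argument) would make the intent clear.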
@@ -960,24 +974,9 @@ static int bt_parse(const char *opt)
      return 1;
  }

-static int parse_sandbox(QemuOpts *opts, void *opaque)
+static bool sandbox_enabled(bool default_usb)
  {
-    /* FIXME: change this to true for 1.3 */
-    if (qemu_opt_get_bool(opts, "enable", false)) {
-#ifdef CONFIG_SECCOMP
-        if (seccomp_start() < 0) {
-            qerror_report(ERROR_CLASS_GENERIC_ERROR,
-                          "failed to install seccomp syscall filter in the 
kernel");
-            return -1;
-        }
-#else
-        qerror_report(ERROR_CLASS_GENERIC_ERROR,
-                      "sandboxing request but seccomp is not compiled into this 
build");
-        return -1;
-#endif
-    }
-
-    return 0;
+    return qemu_opt_get_bool(qemu_get_sandbox_opts(), "sandbox", default_usb);
  }

  bool usb_enabled(bool default_usb)
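Review bot: the option key changes from `"enable"` (removed line in `parse_sandbox`) to `"sandbox"` in `sandbox_enabled()`, but the patch does not touch the QemuOptsList that defines the sandbox option. If that list's implied option name still says `enable`, `-sandbox off` stores its value under the old key and `qemu_opt_get_bool(..., "sandbox", default_usb)` always returns the default, so the filter could not be disabled from the command line; either rename the key there in the same patch or keep reading `"enable"`. Also, the parameter name `default_usb` is copied from `usb_enabled()` below; rename it to `default_sandbox`.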
@@ -3806,8 +3805,18 @@ int main(int argc, char **argv, char **envp)
          exit(1);
      }

-    if (qemu_opts_foreach(qemu_find_opts("sandbox"), parse_sandbox, NULL, 0)) {
-        exit(1);
+    if (sandbox_enabled(true)) {
+#ifdef CONFIG_SECCOMP
+        if (seccomp_start() < 0) {
+            qerror_report(ERROR_CLASS_GENERIC_ERROR,
+                          "failed to install seccomp syscall filter in the 
kernel");
+            return -1;
+        }
+#else
+        qerror_report(ERROR_CLASS_GENERIC_ERROR,
+                      "sandboxing request but seccomp is not compiled into this 
build");
+        return -1;
+#endif
      }

  #ifndef _WIN32
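Review bot: with the default now `true`, a build without CONFIG_SECCOMP takes the `#else` branch on every start and refuses to run until the user passes `-sandbox off`; the `#ifndef _WIN32` directly below shows this file is built for hosts where seccomp is not available, so the default should be `true` only when CONFIG_SECCOMP is defined, or the `#else` branch should only error out when the option was set explicitly. In addition, both error paths use `return -1` from `main()` while the removed code and the surrounding block use `exit(1)`; a negative return becomes exit status 255, so keep `exit(1)` for consistency.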
--
1.8.3.1



--
Eduardo Otubo
IBM Linux Technology Center
