Re: [Qemu-devel] [PATCH v3 2/6] seccomp: add obsolete argument to comman
From: Daniel P. Berrange
Subject: Re: [Qemu-devel] [PATCH v3 2/6] seccomp: add obsolete argument to command line
Date: Wed, 2 Aug 2017 13:38:58 +0100
User-agent: Mutt/1.8.3 (2017-05-23)

On Wed, Aug 02, 2017 at 01:33:56PM +0100, Daniel P. Berrange wrote:
> On Fri, Jul 28, 2017 at 02:10:36PM +0200, Eduardo Otubo wrote:
> > This patch introduces the argument [,obsolete=allow] to the `-sandbox on'
> > option. It allows Qemu to run safely on an old system that still relies on
> > old system calls.
> >
> > Signed-off-by: Eduardo Otubo <address@hidden>
> > ---
> > include/sysemu/seccomp.h | 4 +++-
> > qemu-options.hx | 9 +++++++--
> > qemu-seccomp.c | 32 +++++++++++++++++++++++++++++++-
> > vl.c | 16 +++++++++++++++-
> > 4 files changed, 56 insertions(+), 5 deletions(-)
> > @@ -1032,7 +1036,17 @@ static int parse_sandbox(void *opaque, QemuOpts
> > *opts, Error **errp)
> > {
> > if (qemu_opt_get_bool(opts, "enable", false)) {
> > #ifdef CONFIG_SECCOMP
> > - if (seccomp_start() < 0) {
> > + uint8_t seccomp_opts = 0x0000;
> > + const char *value = NULL;
> > +
> > + value = qemu_opt_get(opts, "obsolete");
> > + if (value) {
> > + if (strcmp(value, "allow") == 0) {
> > + seccomp_opts |= OBSOLETE;
> > + }
> > + }
>
> IIUC, the values will all be booleans, so we should just use
>
> if (qemu_opt_get_bool(opts, "obsolete", false))
> seccomp_opts |= OBSOLETE;
Oh, ignore this. I see from the next patch, we can't treat it as a boolean.
We should however explicitly look for 'value == deny', and then reject
all other values with an error message.
>
> > +
> > + if (seccomp_start(seccomp_opts) < 0) {
> > error_report("failed to install seccomp syscall filter "
> > "in the kernel");
> > return -1;
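
Review bot: In the `if (value)` block, any string other than "allow" (a misspelling such as obsolete=alow, for instance) leaves seccomp_opts at 0 and the filter is installed with no diagnostic, so the user cannot tell that the option was ignored. Add an else branch that reports the unrecognised value with error_report() and returns -1, the same way the seccomp_start() failure path just below does. Two smaller points on the declarations: `uint8_t seccomp_opts = 0x0000;` writes a 16-bit-looking literal into an 8-bit variable (plain 0 reads more clearly), and the `= NULL` initialiser on `value` is overwritten by the very next statement and can be dropped.
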
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|