External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-03-07 17:28:15 +00:00
Code

Introduce QEMU_CAPS_SECCOMP_BLACKLIST

Browse Source 
QEMU commit 1bd6152 changed the default behavior from whitelist
to blacklist and introduced a few sets of system calls.

Use the 'elevateprivileges' parameter of -sandbox as a witness
of this change.

https://bugzilla.redhat.com/show_bug.cgi?id=1492597

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Ján Tomko 2018-03-31 22:15:02 +02:00
parent 88fe165e14
commit 31ca6a542e
7 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/qemu/qemu_capabilities.c
View File

@ -468,6 +468,7 @@ VIR_ENUM_IMPL(virQEMUCaps, QEMU_CAPS_LAST,
"virtio-tablet-ccw", "virtio-tablet-ccw",
"qcow2-luks", "qcow2-luks",
"pcie-pci-bridge", "pcie-pci-bridge",
"seccomp-blacklist",
); );
@ -2419,6 +2420,7 @@ static struct virQEMUCapsCommandLineProps virQEMUCapsCommandLine[] = {
{ "machine", "loadparm", QEMU_CAPS_LOADPARM }, { "machine", "loadparm", QEMU_CAPS_LOADPARM },
{ "vnc", "vnc", QEMU_CAPS_VNC_MULTI_SERVERS }, { "vnc", "vnc", QEMU_CAPS_VNC_MULTI_SERVERS },
{ "chardev", "reconnect", QEMU_CAPS_CHARDEV_RECONNECT }, { "chardev", "reconnect", QEMU_CAPS_CHARDEV_RECONNECT },
{ "sandbox", "elevateprivileges", QEMU_CAPS_SECCOMP_BLACKLIST },
}; };
static int static int

1
src/qemu/qemu_capabilities.h
View File

@ -452,6 +452,7 @@ typedef enum {
QEMU_CAPS_DEVICE_VIRTIO_TABLET_CCW, /* -device virtio-tablet-ccw */ QEMU_CAPS_DEVICE_VIRTIO_TABLET_CCW, /* -device virtio-tablet-ccw */
QEMU_CAPS_QCOW2_LUKS, /* qcow2 format support LUKS encryption */ QEMU_CAPS_QCOW2_LUKS, /* qcow2 format support LUKS encryption */
QEMU_CAPS_DEVICE_PCIE_PCI_BRIDGE, /* -device pcie-pci-bridge */ QEMU_CAPS_DEVICE_PCIE_PCI_BRIDGE, /* -device pcie-pci-bridge */
QEMU_CAPS_SECCOMP_BLACKLIST, /* -sandbox.elevateprivileges */
QEMU_CAPS_LAST /* this must always be the last item */ QEMU_CAPS_LAST /* this must always be the last item */
} virQEMUCapsFlags; } virQEMUCapsFlags;

1
tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml
View File

@ -116,6 +116,7 @@
<flag name='virtio-mouse-ccw'/> <flag name='virtio-mouse-ccw'/>
<flag name='virtio-tablet-ccw'/> <flag name='virtio-tablet-ccw'/>
<flag name='qcow2-luks'/> <flag name='qcow2-luks'/>
<flag name='seccomp-blacklist'/>
<version>2011000</version> <version>2011000</version>
<kvmVersion>0</kvmVersion> <kvmVersion>0</kvmVersion>
<microcodeVersion>342058</microcodeVersion> <microcodeVersion>342058</microcodeVersion>

1
tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml
View File

@ -154,6 +154,7 @@
<flag name='dump-completed'/> <flag name='dump-completed'/>
<flag name='qcow2-luks'/> <flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/> <flag name='pcie-pci-bridge'/>
<flag name='seccomp-blacklist'/>
<version>2011090</version> <version>2011090</version>
<kvmVersion>0</kvmVersion> <kvmVersion>0</kvmVersion>
<microcodeVersion>342346</microcodeVersion> <microcodeVersion>342346</microcodeVersion>

1
tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml
View File

@ -151,6 +151,7 @@
<flag name='machine.pseries.max-cpu-compat'/> <flag name='machine.pseries.max-cpu-compat'/>
<flag name='dump-completed'/> <flag name='dump-completed'/>
<flag name='qcow2-luks'/> <flag name='qcow2-luks'/>
<flag name='seccomp-blacklist'/>
<version>2011090</version> <version>2011090</version>
<kvmVersion>0</kvmVersion> <kvmVersion>0</kvmVersion>
<microcodeVersion>419215</microcodeVersion> <microcodeVersion>419215</microcodeVersion>

1
tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml
View File

@ -116,6 +116,7 @@
<flag name='virtio-mouse-ccw'/> <flag name='virtio-mouse-ccw'/>
<flag name='virtio-tablet-ccw'/> <flag name='virtio-tablet-ccw'/>
<flag name='qcow2-luks'/> <flag name='qcow2-luks'/>
<flag name='seccomp-blacklist'/>
<version>2011090</version> <version>2011090</version>
<kvmVersion>0</kvmVersion> <kvmVersion>0</kvmVersion>
<microcodeVersion>0</microcodeVersion> <microcodeVersion>0</microcodeVersion>

1
tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml
View File

@ -192,6 +192,7 @@
<flag name='dump-completed'/> <flag name='dump-completed'/>
<flag name='qcow2-luks'/> <flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/> <flag name='pcie-pci-bridge'/>
<flag name='seccomp-blacklist'/>
<version>2011090</version> <version>2011090</version>
<kvmVersion>0</kvmVersion> <kvmVersion>0</kvmVersion>
<microcodeVersion>390060</microcodeVersion> <microcodeVersion>390060</microcodeVersion>