Introduce QEMU_CAPS_SECCOMP_BLACKLIST
QEMU commit 1bd6152 changed the default behavior from whitelist to blacklist and introduced a few sets of system calls. Use the 'elevateprivileges' parameter of -sandbox as a witness of this change. https://bugzilla.redhat.com/show_bug.cgi?id=1492597 Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: John Ferlan <jferlan@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
parent
88fe165e14
commit
31ca6a542e
@ -468,6 +468,7 @@ VIR_ENUM_IMPL(virQEMUCaps, QEMU_CAPS_LAST,
|
|||||||
"virtio-tablet-ccw",
|
"virtio-tablet-ccw",
|
||||||
"qcow2-luks",
|
"qcow2-luks",
|
||||||
"pcie-pci-bridge",
|
"pcie-pci-bridge",
|
||||||
|
"seccomp-blacklist",
|
||||||
);
|
);
|
||||||
|
|
||||||
|
|
||||||
@ -2419,6 +2420,7 @@ static struct virQEMUCapsCommandLineProps virQEMUCapsCommandLine[] = {
|
|||||||
{ "machine", "loadparm", QEMU_CAPS_LOADPARM },
|
{ "machine", "loadparm", QEMU_CAPS_LOADPARM },
|
||||||
{ "vnc", "vnc", QEMU_CAPS_VNC_MULTI_SERVERS },
|
{ "vnc", "vnc", QEMU_CAPS_VNC_MULTI_SERVERS },
|
||||||
{ "chardev", "reconnect", QEMU_CAPS_CHARDEV_RECONNECT },
|
{ "chardev", "reconnect", QEMU_CAPS_CHARDEV_RECONNECT },
|
||||||
|
{ "sandbox", "elevateprivileges", QEMU_CAPS_SECCOMP_BLACKLIST },
|
||||||
};
|
};
|
||||||
|
|
||||||
static int
|
static int
|
||||||
|
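Review bot: The new table entry, `{ "sandbox", "elevateprivileges", QEMU_CAPS_SECCOMP_BLACKLIST }`, only proves that `-sandbox` accepts an `elevateprivileges` option, yet the flag it sets is named after a different QEMU change (the seccomp default moving from whitelist to blacklist, per the commit message), and nothing in the file records that the option is a proxy. A later consumer that treats this flag as "the blacklist filter is in effect" could be wrong on a build that carries one change without the other, such as a vendor backport of the option alone, and might then rely on a sandbox configuration the binary does not actually apply. I would annotate the entry in place: `{ "sandbox", "elevateprivileges", QEMU_CAPS_SECCOMP_BLACKLIST }, /* proxy: option landed with QEMU's switch to blacklist seccomp */`. The virQEMUCapsCommandLine array begins before this hunk.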
@ -452,6 +452,7 @@ typedef enum {
|
|||||||
QEMU_CAPS_DEVICE_VIRTIO_TABLET_CCW, /* -device virtio-tablet-ccw */
|
QEMU_CAPS_DEVICE_VIRTIO_TABLET_CCW, /* -device virtio-tablet-ccw */
|
||||||
QEMU_CAPS_QCOW2_LUKS, /* qcow2 format support LUKS encryption */
|
QEMU_CAPS_QCOW2_LUKS, /* qcow2 format support LUKS encryption */
|
||||||
QEMU_CAPS_DEVICE_PCIE_PCI_BRIDGE, /* -device pcie-pci-bridge */
|
QEMU_CAPS_DEVICE_PCIE_PCI_BRIDGE, /* -device pcie-pci-bridge */
|
||||||
|
QEMU_CAPS_SECCOMP_BLACKLIST, /* -sandbox.elevateprivileges */
|
||||||
|
|
||||||
QEMU_CAPS_LAST /* this must always be the last item */
|
QEMU_CAPS_LAST /* this must always be the last item */
|
||||||
} virQEMUCapsFlags;
|
} virQEMUCapsFlags;
|
||||||
|
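Review bot: The comment on the new enumerator, `/* -sandbox.elevateprivileges */`, describes the probe rather than what the flag means, so a reader of the header has to find the commit message to learn that it stands for QEMU's seccomp default having changed from whitelist to blacklist and that the option is merely a witness for that change. Since this header is the only thing other qemu source files see, I would state both halves: `QEMU_CAPS_SECCOMP_BLACKLIST, /* seccomp default is blacklist; witness: -sandbox.elevateprivileges */`. The virQEMUCapsFlags enum starts before this hunk and runs on to QEMU_CAPS_LAST.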
@ -116,6 +116,7 @@
|
|||||||
<flag name='virtio-mouse-ccw'/>
|
<flag name='virtio-mouse-ccw'/>
|
||||||
<flag name='virtio-tablet-ccw'/>
|
<flag name='virtio-tablet-ccw'/>
|
||||||
<flag name='qcow2-luks'/>
|
<flag name='qcow2-luks'/>
|
||||||
|
<flag name='seccomp-blacklist'/>
|
||||||
<version>2011000</version>
|
<version>2011000</version>
|
||||||
<kvmVersion>0</kvmVersion>
|
<kvmVersion>0</kvmVersion>
|
||||||
<microcodeVersion>342058</microcodeVersion>
|
<microcodeVersion>342058</microcodeVersion>
|
||||||
|
@ -154,6 +154,7 @@
|
|||||||
<flag name='dump-completed'/>
|
<flag name='dump-completed'/>
|
||||||
<flag name='qcow2-luks'/>
|
<flag name='qcow2-luks'/>
|
||||||
<flag name='pcie-pci-bridge'/>
|
<flag name='pcie-pci-bridge'/>
|
||||||
|
<flag name='seccomp-blacklist'/>
|
||||||
<version>2011090</version>
|
<version>2011090</version>
|
||||||
<kvmVersion>0</kvmVersion>
|
<kvmVersion>0</kvmVersion>
|
||||||
<microcodeVersion>342346</microcodeVersion>
|
<microcodeVersion>342346</microcodeVersion>
|
||||||
|
@ -151,6 +151,7 @@
|
|||||||
<flag name='machine.pseries.max-cpu-compat'/>
|
<flag name='machine.pseries.max-cpu-compat'/>
|
||||||
<flag name='dump-completed'/>
|
<flag name='dump-completed'/>
|
||||||
<flag name='qcow2-luks'/>
|
<flag name='qcow2-luks'/>
|
||||||
|
<flag name='seccomp-blacklist'/>
|
||||||
<version>2011090</version>
|
<version>2011090</version>
|
||||||
<kvmVersion>0</kvmVersion>
|
<kvmVersion>0</kvmVersion>
|
||||||
<microcodeVersion>419215</microcodeVersion>
|
<microcodeVersion>419215</microcodeVersion>
|
||||||
|
@ -116,6 +116,7 @@
|
|||||||
<flag name='virtio-mouse-ccw'/>
|
<flag name='virtio-mouse-ccw'/>
|
||||||
<flag name='virtio-tablet-ccw'/>
|
<flag name='virtio-tablet-ccw'/>
|
||||||
<flag name='qcow2-luks'/>
|
<flag name='qcow2-luks'/>
|
||||||
|
<flag name='seccomp-blacklist'/>
|
||||||
<version>2011090</version>
|
<version>2011090</version>
|
||||||
<kvmVersion>0</kvmVersion>
|
<kvmVersion>0</kvmVersion>
|
||||||
<microcodeVersion>0</microcodeVersion>
|
<microcodeVersion>0</microcodeVersion>
|
||||||
|
@ -192,6 +192,7 @@
|
|||||||
<flag name='dump-completed'/>
|
<flag name='dump-completed'/>
|
||||||
<flag name='qcow2-luks'/>
|
<flag name='qcow2-luks'/>
|
||||||
<flag name='pcie-pci-bridge'/>
|
<flag name='pcie-pci-bridge'/>
|
||||||
|
<flag name='seccomp-blacklist'/>
|
||||||
<version>2011090</version>
|
<version>2011090</version>
|
||||||
<kvmVersion>0</kvmVersion>
|
<kvmVersion>0</kvmVersion>
|
||||||
<microcodeVersion>390060</microcodeVersion>
|
<microcodeVersion>390060</microcodeVersion>
|
||||||
|