qemu: add capability flag for seccomp sandbox

This series adds support to run QEMU with seccomp sandbox enabled. It can be configured in qemu.conf to on, off, or the QEMU default, which is off in 1.2. Default value is the QEMU default.
2024-07-11 12:25:52 +00:00 · 2012-09-18 15:24:51 +08:00 · 2012-09-18 15:24:51 +08:00 · ede22e58ff
commit ede22e58ff
parent 1020a5041b
2 changed files with 4 additions and 0 deletions
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@ -179,6 +179,7 @@ VIR_ENUM_IMPL(qemuCaps, QEMU_CAPS_LAST,
              "usb-redir.filter",
              "ide-drive.wwn",
              "scsi-disk.wwn",
+              "seccomp-sandbox",
    );

 struct _qemuCaps {
@ -1199,6 +1200,8 @@ qemuCapsComputeCmdFlags(const char *help,
    }
    if (strstr(help, "-smbios type"))
        qemuCapsSet(caps, QEMU_CAPS_SMBIOS_TYPE);
+    if (strstr(help, "-sandbox"))
+        qemuCapsSet(caps, QEMU_CAPS_SECCOMP_SANDBOX);

    if ((netdev = strstr(help, "-netdev"))) {
        /* Disable -netdev on 0.12 since although it exists,
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@ -144,6 +144,7 @@ enum qemuCapsFlags {
    QEMU_CAPS_USB_REDIR_FILTER   = 106, /* usb-redir.filter */
    QEMU_CAPS_IDE_DRIVE_WWN      = 107, /* Is ide-drive.wwn available? */
    QEMU_CAPS_SCSI_DISK_WWN      = 108, /* Is scsi-disk.wwn available? */
+    QEMU_CAPS_SECCOMP_SANDBOX    = 109, /* -sandbox */

    QEMU_CAPS_LAST,                   /* this must always be the last item */
 };