[libvirt] [PATCHv3 0/4] qemu: Add seccomp sandbox support

Daniel Veillard veillard at redhat.com
Tue Sep 18 07:46:10 UTC 2012 

On Mon, Sep 17, 2012 at 09:59:51AM +0200, Ján Tomko wrote:
> This series adds support to run QEMU with seccomp sandbox enabled. It can be
> configured in qemu.conf to on, off, or the QEMU default, which is off in 1.2.
> Default value is the QEMU default.
> 
> V1 of the patches supports tri-state configuration and includes a test for
> detecting the capability.
> 
> V2 includes libvirtd_qemu.aug, renames vague 'sandbox' to 'seccompSandbox'
> and prints an error if the sandbox was requested but QEMU doesn't have the
> capability.
> 
> V3 is a rebase, needed after the addition of usb-redir.filter and the change
> of virBitmapPtr to qemuCapsPtr.
> 
> Ján Tomko (4):
>   qemu: add capability flag for seccomp sandbox
>   qemu: conf: add seccomp_sandbox option
>   qemu: add -sandbox to command line if requested
>   tests: add qemu-1.2.0 help data
> 
>  src/qemu/libvirtd_qemu.aug           |    1 +
>  src/qemu/qemu.conf                   |    8 +
>  src/qemu/qemu_capabilities.c         |    3 +
>  src/qemu/qemu_capabilities.h         |    1 +
>  src/qemu/qemu_command.c              |   11 ++
>  src/qemu/qemu_conf.c                 |    5 +
>  src/qemu/qemu_conf.h                 |    1 +
>  tests/qemuhelpdata/qemu-1.2.0        |  270 ++++++++++++++++++++++++++++++++++
>  tests/qemuhelpdata/qemu-1.2.0-device |  181 +++++++++++++++++++++++
>  tests/qemuhelptest.c                 |   82 ++++++++++
>  10 files changed, 563 insertions(+), 0 deletions(-)
>  create mode 100644 tests/qemuhelpdata/qemu-1.2.0
>  create mode 100644 tests/qemuhelpdata/qemu-1.2.0-device

  Okay, ACK, I pushed that set, though I had to solve some trivial
conflict with Osier's patches on capabilities. i also had to add
the following for the 4th patch as Osier's patch leads to an
extra capability being detected for 1.2

   thanks !

Daniel

diff --git a/tests/qemuhelptest.c b/tests/qemuhelptest.c
index be07bc3..5c6ecd5 100644
--- a/tests/qemuhelptest.c
+++ b/tests/qemuhelptest.c
@@ -845,6 +845,7 @@ mymain(void)
             QEMU_CAPS_SCSI_LSI,
             QEMU_CAPS_VIRTIO_SCSI_PCI,
             QEMU_CAPS_BLOCKIO,
+	    QEMU_CAPS_SCSI_DISK_WWN,
             QEMU_CAPS_SECCOMP_SANDBOX);
 
     return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel at veillard.com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/

More information about the libvir-list mailing list