[libvirt] [PATCHv2 0/4] qemu: enable sandbox whitelist by default
Ján Tomko
jtomko at redhat.com
Tue Apr 10 14:49:38 UTC 2018
v1: https://www.redhat.com/archives/libvir-list/2018-March/msg01965.html
https://bugzilla.redhat.com/show_bug.cgi?id=1492597
v2:
* also deny resource control
* split out and refactor the command line building
* be explicit about denying the obsolete syscalls
Ján Tomko (4):
  Introduce QEMU_CAPS_SECCOMP_BLACKLIST
  Introduce qemuBuildSeccompSandboxCommandLine
  Refactor qemuBuildSeccompSandboxCommandLine
  qemu: deny privilege elevation and spawn in seccomp

 src/qemu/qemu.conf                                 |  7 ++--
 src/qemu/qemu_capabilities.c                       |  2 +
 src/qemu/qemu_capabilities.h                       |  1 +
 src/qemu/qemu_command.c                            | 46 +++++++++++++++++-----
 tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml   |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml   |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml   |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml  |  1 +
 tests/qemuxml2argvdata/minimal-sandbox.args        | 29 ++++++++++++++
 tests/qemuxml2argvdata/minimal-sandbox.xml         | 34 ++++++++++++++++
 tests/qemuxml2argvtest.c                           | 11 ++++++
 12 files changed, 123 insertions(+), 12 deletions(-)
 create mode 100644 tests/qemuxml2argvdata/minimal-sandbox.args
 create mode 100644 tests/qemuxml2argvdata/minimal-sandbox.xml
--
2.16.1