[libvirt] [PATCHv2 0/4] qemu: enable sandbox whitelist by default

Ján Tomko jtomko at redhat.com
Tue Apr 10 14:49:38 UTC 2018


v1: https://www.redhat.com/archives/libvir-list/2018-March/msg01965.html
https://bugzilla.redhat.com/show_bug.cgi?id=1492597
v2:
* also deny resource control
* split out and refactor the command line building
* be explicit about denying the obsolete syscalls

Ján Tomko (4):
  Introduce QEMU_CAPS_SECCOMP_BLACKLIST
  Introduce qemuBuildSeccompSandboxCommandLine
  Refactor qemuBuildSeccompSandboxCommandLine
  qemu: deny privilege elevation and spawn in seccomp

 src/qemu/qemu.conf                                 |  7 ++--
 src/qemu/qemu_capabilities.c                       |  2 +
 src/qemu/qemu_capabilities.h                       |  1 +
 src/qemu/qemu_command.c                            | 46 +++++++++++++++++-----
 tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml   |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml   |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml   |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml  |  1 +
 tests/qemuxml2argvdata/minimal-sandbox.args        | 29 ++++++++++++++
 tests/qemuxml2argvdata/minimal-sandbox.xml         | 34 ++++++++++++++++
 tests/qemuxml2argvtest.c                           | 11 ++++++
 12 files changed, 123 insertions(+), 12 deletions(-)
 create mode 100644 tests/qemuxml2argvdata/minimal-sandbox.args
 create mode 100644 tests/qemuxml2argvdata/minimal-sandbox.xml

-- 
2.16.1



