[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] qemu: clear seccomp capability if TSYNC is not supported by host


On Thu, Aug 30, 2018 at 2:25 PM, Ján Tomko <jtomko redhat com> wrote:
> On Thu, Aug 30, 2018 at 02:09:41PM +0200, marcandre lureau redhat com wrote:
>> From: Marc-André Lureau <marcandre lureau redhat com>
>> With qemu <= 3.0, when using "-seccomp on", the seccomp policy is only
>> applied to the main thread, the vcpu worker thread and other worker
>> threads created after seccomp policy is applied; the seccomp policy is
>> not applied to e.g. the RCU thread because it is created before the
>> seccomp policy is applied.
>> Since qemu commit 70dfabeaa79ba4d7a3b699abe1a047c8012db114 "seccomp:
>> set the seccomp filter to all threads", qemu will require seccomp
>> TSYNC flag, and will fail to start if the flag isn't available.
>> Without it, sandboxing is flawed. Disable seccomp capability if the
>> host is not capable of using seccomp TSYNC.
> Is there a reason for qemu to advertise 'sandbox' in
> query-commandline-options if it's not usable?

I suppose qemu could probe for the host support, and remove the
-sandbox option if host is not capable.

The problem would remain for older versions of qemu though.

So maybe a better plan is to:
- remove sandbox capability if qemu <  3.1
- disable -sandbox in qemu if host doesn't support TSYNC

What do you think?

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]