[libvirt] [PATCH 0/1] Bug: Sandbox: libvirt breakdowns qemu guest
Christian Borntraeger
borntraeger at de.ibm.com
Mon May 7 09:29:57 UTC 2018
On 05/07/2018 05:32 AM, Yi Min Zhao wrote:
> 1. Problem Description
> ======================
> If QEMU is built without seccomp support, 'elevatorprivileges' remains compiled.
> This option of sandbox is treated as an indication for seccomp blacklist support
> in libvirt. This behavior is introduced by the libvirt commits 31ca6a5 and
> 3527f9d. It would make libvirt build wrong QEMU cmdline, and then the guest
> startup would fail.
Adding libvirt list.
This would still fail with older QEMUs, so the question is if we should also OR instead
change something in libvirt.
>
> 2. Libvirt Log
> ==============
> qemu-system-s390x: -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,\
> resourcecontrol=deny: seccomp support is disabled
>
> 3. Fixup
> ========
> Wrap the options except 'enable' for qemu_sandbox_opts by CONFIG_SECCOMP.
>
> Yi Min Zhao (1):
> sandbox: avoid to compile options if CONFIG_SECCOMP undefined
>
> vl.c | 2 ++
> 1 file changed, 2 insertions(+)
>
More information about the libvir-list
mailing list