[libvirt] [PATCH 0/1] Bug: Sandbox: libvirt breakdowns qemu guest
Eduardo Otubo
otubo at redhat.com
Mon May 7 10:33:20 UTC 2018
On 07/05/2018 - 11:29:57, Christian Borntraeger wrote:
> On 05/07/2018 05:32 AM, Yi Min Zhao wrote:
> > 1. Problem Description
> > ======================
> > If QEMU is built without seccomp support, 'elevatorprivileges' remains compiled.
> > This option of sandbox is treated as an indication for seccomp blacklist support
> > in libvirt. This behavior is introduced by the libvirt commits 31ca6a5 and
> > 3527f9d. It would make libvirt build wrong QEMU cmdline, and then the guest
> > startup would fail.
>
> Adding libvirt list.
>
> This would still fail with older QEMUs, so the question is if we should also OR instead
> change something in libvirt.
Perhaps I'm missing something here, but libvirt can differentiate between
different versions of QEMU, therefore not calling it with wrong or outdated
arguments.
>
> >
> > 2. Libvirt Log
> > ==============
> > qemu-system-s390x: -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,\
> > resourcecontrol=deny: seccomp support is disabled
> >
> > 3. Fixup
> > ========
> > Wrap the options except 'enable' for qemu_sandbox_opts by CONFIG_SECCOMP.
> >
> > Yi Min Zhao (1):
> > sandbox: avoid to compile options if CONFIG_SECCOMP undefined
> >
> > vl.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
>
--
Eduardo Otubo
More information about the libvir-list
mailing list