[libvirt PATCH 05/23] qemu: remove use of the term 'blacklist' in seccomp capability
Ján Tomko
jtomko at redhat.com
Fri Jun 19 12:33:54 UTC 2020
On a Friday in 2020, Daniel P. Berrangé wrote:
>On Fri, Jun 19, 2020 at 01:56:55PM +0200, Ján Tomko wrote:
>> On a Friday in 2020, Daniel P. Berrangé wrote:
>> > The concept we're really testing for is whether QEMU supports
>> > the seccomp syscall filter groups. We need to keep one place
>> > using the old term to deal with upgrades from existing hosts
>> > with running VMs.
>> >
>> > Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
>> > ---
>> > src/qemu/qemu.conf | 2 +-
>> > src/qemu/qemu_capabilities.c | 4 ++--
>> > src/qemu/qemu_capabilities.h | 2 +-
>> > src/qemu/qemu_command.c | 4 ++--
>> > src/qemu/qemu_domain.c | 10 +++++++---
>> > tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_2.11.0.x86_64.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_3.0.0.ppc64.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_3.0.0.riscv32.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_3.0.0.riscv64.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_3.0.0.s390x.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_3.0.0.x86_64.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_3.1.0.ppc64.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_3.1.0.x86_64.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_4.0.0.aarch64.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_4.0.0.ppc64.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_4.0.0.riscv32.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_4.0.0.riscv64.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_4.0.0.s390x.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_4.0.0.x86_64.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_4.1.0.x86_64.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_4.2.0.aarch64.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_4.2.0.ppc64.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_4.2.0.s390x.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_4.2.0.x86_64.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_5.0.0.aarch64.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_5.0.0.ppc64.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_5.0.0.riscv64.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml | 2 +-
>> > tests/qemucapabilitiesdata/caps_5.1.0.x86_64.xml | 2 +-
>> > tests/qemustatusxml2xmldata/backup-pull-in.xml | 2 +-
>> > tests/qemustatusxml2xmldata/blockjob-blockdev-in.xml | 2 +-
>> > tests/qemuxml2argvtest.c | 2 +-
>> > 37 files changed, 45 insertions(+), 41 deletions(-)
>> >
>> > diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
>> > index f89dbd2c3a..99b9ce53e5 100644
>> > --- a/src/qemu/qemu.conf
>> > +++ b/src/qemu/qemu.conf
>> > @@ -704,7 +704,7 @@
>> > # If it is unset (or -1), then seccomp will be enabled
>> > # only if QEMU >= 2.11.0 is detected, otherwise it is
>> > # left disabled. This ensures the default config gets
>> > -# protection for new QEMU using the blacklist approach.
>> > +# protection for new QEMU with filter groups.
>> > #
>> > #seccomp_sandbox = 1
>> >
>> > diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
>> > index 68fcbd3c4f..310be800e2 100644
>> > --- a/src/qemu/qemu_capabilities.c
>> > +++ b/src/qemu/qemu_capabilities.c
>> > @@ -468,7 +468,7 @@ VIR_ENUM_IMPL(virQEMUCaps,
>> > /* 285 */
>> > "qcow2-luks",
>> > "pcie-pci-bridge",
>> > - "seccomp-blacklist",
>> > + "seccomp-filter-groups",
>> > "query-cpus-fast",
>> > "disk-write-cache",
>> >
>> > @@ -3292,7 +3292,7 @@ static struct virQEMUCapsCommandLineProps virQEMUCapsCommandLine[] = {
>> > { "vnc", "vnc", QEMU_CAPS_VNC_MULTI_SERVERS },
>> > { "chardev", "reconnect", QEMU_CAPS_CHARDEV_RECONNECT },
>> > { "sandbox", "enable", QEMU_CAPS_SECCOMP_SANDBOX },
>> > - { "sandbox", "elevateprivileges", QEMU_CAPS_SECCOMP_BLACKLIST },
>> > + { "sandbox", "elevateprivileges", QEMU_CAPS_SECCOMP_FILTER_GROUPS },
>> > { "chardev", "fd", QEMU_CAPS_CHARDEV_FD_PASS },
>> > { "overcommit", NULL, QEMU_CAPS_OVERCOMMIT },
>> > { "smp-opts", "dies", QEMU_CAPS_SMP_DIES },
>> > diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
>> > index ad93816d41..0ee3e357cb 100644
>> > --- a/src/qemu/qemu_capabilities.h
>> > +++ b/src/qemu/qemu_capabilities.h
>> > @@ -448,7 +448,7 @@ typedef enum { /* virQEMUCapsFlags grouping marker for syntax-check */
>> > /* 285 */
>> > QEMU_CAPS_QCOW2_LUKS, /* qcow2 format support LUKS encryption */
>> > QEMU_CAPS_DEVICE_PCIE_PCI_BRIDGE, /* -device pcie-pci-bridge */
>> > - QEMU_CAPS_SECCOMP_BLACKLIST, /* -sandbox.elevateprivileges */
>> > + QEMU_CAPS_SECCOMP_FILTER_GROUPS, /* -sandbox.elevateprivileges */
>> > QEMU_CAPS_QUERY_CPUS_FAST, /* query-cpus-fast command */
>> > QEMU_CAPS_DISK_WRITE_CACHE, /* qemu block frontends support write-cache param */
>> >
>> > diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
>> > index f27246b4c6..37113a433a 100644
>> > --- a/src/qemu/qemu_command.c
>> > +++ b/src/qemu/qemu_command.c
>> > @@ -9517,8 +9517,8 @@ qemuBuildSeccompSandboxCommandLine(virCommandPtr cmd,
>> > return 0;
>> > }
>> >
>> > - /* Use blacklist by default if supported */
>> > - if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SECCOMP_BLACKLIST)) {
>> > + /* Block undesirable syscall groups by default if supported */
>> > + if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SECCOMP_FILTER_GROUPS)) {
>>
>> While 'filter groups' describes the underlying QEMU functionality
>> better, we only use it to deny syscalls. So using 'blocklist' as
>> proposed in the RFC you linked would better show the contrast between
>> this and the old approach.
>
>I don't want to name it based on libvirt's /current/ usage, as we
>could alter that usage in future, hence naming it based on the QEMU
>conceptual feature.
>
>> > virCommandAddArgList(cmd, "-sandbox",
>> > "on,obsolete=deny,elevateprivileges=deny,"
>> > "spawn=deny,resourcecontrol=deny",
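Review bot: The new comment `/* Block undesirable syscall groups by default if supported */` names the concept but not what is actually denied, and the capability it tests is probed from the single `-sandbox elevateprivileges` option in the qemu_capabilities.c hunk, so a reader of this function cannot see why that one probe is taken to imply all four groups passed below. I would extend it to `/* QEMU_CAPS_SECCOMP_FILTER_GROUPS is probed via -sandbox elevateprivileges; treat it as implying the obsolete/elevateprivileges/spawn/resourcecontrol groups and deny them all by default */`. A comment-only change, so nothing else in the hunk needs to move. qemuBuildSeccompSandboxCommandLine starts before this hunk and the virCommandAddArgList call continues past its last line.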
>> > diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
>> > index 72874ee4fd..56ec5c0352 100644
>> > --- a/src/qemu/qemu_domain.c
>> > +++ b/src/qemu/qemu_domain.c
>> > @@ -3851,9 +3851,13 @@ qemuDomainObjPrivateXMLParse(xmlXPathContextPtr ctxt,
>> > if (str) {
>> > int flag = virQEMUCapsTypeFromString(str);
>> > if (flag < 0) {
>> > - virReportError(VIR_ERR_INTERNAL_ERROR,
>> > - _("Unknown qemu capabilities flag %s"), str);
>> > - goto error;
>> > + if (g_str_equal(str, "seccomp-blacklist")) {
>> > + flag = QEMU_CAPS_SECCOMP_FILTER_GROUPS;
>>
>> I'd just leave the XML as-is, to avoid introducing this special-casing.
>
>Renaming the capability lets us eliminate this from all the capabilities
>test data files we have (and the ones we continue to add in future), so
>I think it is a net win to just have this 2 line special case.
>
Sigh,
Jano