{ "id": 808628, "url": "http://patchwork.ozlabs.org/api/patches/808628/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20170901105818.31956-2-otubo@redhat.com/", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20170901105818.31956-2-otubo@redhat.com>", "list_archive_url": null, "date": "2017-09-01T10:58:13", "name": "[PATCHv4,1/6] seccomp: changing from whitelist to blacklist", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "38b60d7f03d7dc734aee89976d2c2a63b246e391", "submitter": { "id": 71779, "url": "http://patchwork.ozlabs.org/api/people/71779/?format=api", "name": "Eduardo Otubo", "email": "otubo@redhat.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20170901105818.31956-2-otubo@redhat.com/mbox/", "series": [ { "id": 999, "url": "http://patchwork.ozlabs.org/api/series/999/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=999", "date": "2017-09-01T10:58:12", "name": "seccomp: feature refactoring", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/999/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/808628/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/808628/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@bilbo.ozlabs.org", "Authentication-Results": [ "ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=nongnu.org\n\t(client-ip=2001:4830:134:3::11; 
helo=lists.gnu.org;\n\tenvelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n\treceiver=<UNKNOWN>)", "ext-mx04.extmail.prod.ext.phx2.redhat.com;\n\tdmarc=none (p=none dis=none) header.from=redhat.com", "ext-mx04.extmail.prod.ext.phx2.redhat.com;\n\tspf=fail smtp.mailfrom=otubo@redhat.com" ], "Received": [ "from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xkGVp5F38z9s7p\n\tfor <incoming@patchwork.ozlabs.org>;\n\tFri, 1 Sep 2017 21:00:34 +1000 (AEST)", "from localhost ([::1]:35161 helo=lists.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.71) (envelope-from\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>)\n\tid 1dnjge-0001Bu-OI\n\tfor incoming@patchwork.ozlabs.org; Fri, 01 Sep 2017 07:00:32 -0400", "from eggs.gnu.org ([2001:4830:134:3::10]:51234)\n\tby lists.gnu.org with esmtp (Exim 4.71)\n\t(envelope-from <otubo@redhat.com>) id 1dnjex-00006q-20\n\tfor qemu-devel@nongnu.org; Fri, 01 Sep 2017 06:58:52 -0400", "from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)\n\t(envelope-from <otubo@redhat.com>) id 1dnjer-0001CM-3A\n\tfor qemu-devel@nongnu.org; Fri, 01 Sep 2017 06:58:47 -0400", "from mx1.redhat.com ([209.132.183.28]:45752)\n\tby eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.71) (envelope-from <otubo@redhat.com>) id 1dnjeq-0001Bz-RI\n\tfor qemu-devel@nongnu.org; Fri, 01 Sep 2017 06:58:41 -0400", "from smtp.corp.redhat.com\n\t(int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby mx1.redhat.com (Postfix) with ESMTPS id C17747EA87\n\tfor <qemu-devel@nongnu.org>; Fri, 1 Sep 2017 10:58:39 +0000 (UTC)", "from vader.redhat.com (ovpn-117-156.ams2.redhat.com\n\t[10.36.117.156])\n\tby smtp.corp.redhat.com (Postfix) with ESMTP id BFC917E8EB;\n\tFri, 
1 Sep 2017 10:58:37 +0000 (UTC)" ], "DMARC-Filter": "OpenDMARC Filter v1.3.2 mx1.redhat.com C17747EA87", "From": "Eduardo Otubo <otubo@redhat.com>", "To": "qemu-devel@nongnu.org", "Date": "Fri, 1 Sep 2017 12:58:13 +0200", "Message-Id": "<20170901105818.31956-2-otubo@redhat.com>", "In-Reply-To": "<20170901105818.31956-1-otubo@redhat.com>", "References": "<20170901105818.31956-1-otubo@redhat.com>", "X-Scanned-By": "MIMEDefang 2.79 on 10.5.11.12", "X-Greylist": "Sender IP whitelisted, not delayed by milter-greylist-4.5.16\n\t(mx1.redhat.com [10.5.110.28]);\n\tFri, 01 Sep 2017 10:58:39 +0000 (UTC)", "X-detected-operating-system": "by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]\n\t[fuzzy]", "X-Received-From": "209.132.183.28", "Subject": "[Qemu-devel] [PATCHv4 1/6] seccomp: changing from whitelist to\n\tblacklist", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.21", "Precedence": "list", "List-Id": "<qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<http://lists.nongnu.org/archive/html/qemu-devel/>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Cc": "thuth@redhat.com", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "\"Qemu-devel\"\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>" }, "content": "This patch changes the default behavior of the seccomp filter from\nwhitelist to blacklist. 
By default now all system calls are allowed and\na small black list of definitely forbidden ones was created.\n\nSigned-off-by: Eduardo Otubo <otubo@redhat.com>\n---\n include/sysemu/seccomp.h | 2 +\n qemu-seccomp.c | 264 ++++++-----------------------------------------\n vl.c | 1 -\n 3 files changed, 35 insertions(+), 232 deletions(-)", "diff": "diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h\nindex cfc06008cb..23b9c3c789 100644\n--- a/include/sysemu/seccomp.h\n+++ b/include/sysemu/seccomp.h\n@@ -15,6 +15,8 @@\n #ifndef QEMU_SECCOMP_H\n #define QEMU_SECCOMP_H\n \n+#define QEMU_SECCOMP_SET_DEFAULT (1 << 0)\n+\n #include <seccomp.h>\n \n int seccomp_start(void);\ndiff --git a/qemu-seccomp.c b/qemu-seccomp.c\nindex df75d9c471..585de42a97 100644\n--- a/qemu-seccomp.c\n+++ b/qemu-seccomp.c\n@@ -28,232 +28,34 @@\n \n struct QemuSeccompSyscall {\n int32_t num;\n- uint8_t priority;\n+ int type;\n+ uint8_t set;\n };\n \n-static const struct QemuSeccompSyscall seccomp_whitelist[] = {\n- { SCMP_SYS(timer_settime), 255 },\n- { SCMP_SYS(timer_gettime), 254 },\n- { SCMP_SYS(futex), 253 },\n- { SCMP_SYS(select), 252 },\n- { SCMP_SYS(recvfrom), 251 },\n- { SCMP_SYS(sendto), 250 },\n- { SCMP_SYS(socketcall), 250 },\n- { SCMP_SYS(read), 249 },\n- { SCMP_SYS(io_submit), 249 },\n- { SCMP_SYS(brk), 248 },\n- { SCMP_SYS(clone), 247 },\n- { SCMP_SYS(mmap), 247 },\n- { SCMP_SYS(mprotect), 246 },\n- { SCMP_SYS(execve), 245 },\n- { SCMP_SYS(open), 245 },\n- { SCMP_SYS(ioctl), 245 },\n- { SCMP_SYS(socket), 245 },\n- { SCMP_SYS(setsockopt), 245 },\n- { SCMP_SYS(recvmsg), 245 },\n- { SCMP_SYS(sendmsg), 245 },\n- { SCMP_SYS(accept), 245 },\n- { SCMP_SYS(connect), 245 },\n- { SCMP_SYS(socketpair), 245 },\n- { SCMP_SYS(bind), 245 },\n- { SCMP_SYS(listen), 245 },\n- { SCMP_SYS(semget), 245 },\n- { SCMP_SYS(ipc), 245 },\n- { SCMP_SYS(gettimeofday), 245 },\n- { SCMP_SYS(readlink), 245 },\n- { SCMP_SYS(access), 245 },\n- { SCMP_SYS(prctl), 245 },\n- { SCMP_SYS(signalfd), 245 },\n- { 
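Review bot: In the include/sysemu/seccomp.h hunk the new `#define QEMU_SECCOMP_SET_DEFAULT (1 << 0)` is placed between the include guard and `#include <seccomp.h>`, splitting the header's preamble; moving it below the include keeps the include block together and makes it visually clear the flag is QEMU's own rather than a libseccomp constant. Since the value is stored in the new `set` field of struct QemuSeccompSyscall, a one-line comment would also help, e.g. `/* bit flags naming the blacklist set(s) an entry belongs to */`, because nothing in this header says how the bit is consumed.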
SCMP_SYS(getrlimit), 245 },\n- { SCMP_SYS(getrusage), 245 },\n- { SCMP_SYS(set_tid_address), 245 },\n- { SCMP_SYS(statfs), 245 },\n- { SCMP_SYS(unlink), 245 },\n- { SCMP_SYS(wait4), 245 },\n- { SCMP_SYS(fcntl64), 245 },\n- { SCMP_SYS(fstat64), 245 },\n- { SCMP_SYS(stat64), 245 },\n- { SCMP_SYS(getgid32), 245 },\n- { SCMP_SYS(getegid32), 245 },\n- { SCMP_SYS(getuid32), 245 },\n- { SCMP_SYS(geteuid32), 245 },\n- { SCMP_SYS(sigreturn), 245 },\n- { SCMP_SYS(_newselect), 245 },\n- { SCMP_SYS(_llseek), 245 },\n- { SCMP_SYS(mmap2), 245 },\n- { SCMP_SYS(sigprocmask), 245 },\n- { SCMP_SYS(sched_getparam), 245 },\n- { SCMP_SYS(sched_getscheduler), 245 },\n- { SCMP_SYS(fstat), 245 },\n- { SCMP_SYS(clock_getres), 245 },\n- { SCMP_SYS(sched_get_priority_min), 245 },\n- { SCMP_SYS(sched_get_priority_max), 245 },\n- { SCMP_SYS(stat), 245 },\n- { SCMP_SYS(uname), 245 },\n- { SCMP_SYS(eventfd2), 245 },\n- { SCMP_SYS(io_getevents), 245 },\n- { SCMP_SYS(dup), 245 },\n- { SCMP_SYS(dup2), 245 },\n- { SCMP_SYS(dup3), 245 },\n- { SCMP_SYS(gettid), 245 },\n- { SCMP_SYS(getgid), 245 },\n- { SCMP_SYS(getegid), 245 },\n- { SCMP_SYS(getuid), 245 },\n- { SCMP_SYS(geteuid), 245 },\n- { SCMP_SYS(timer_create), 245 },\n- { SCMP_SYS(times), 245 },\n- { SCMP_SYS(exit), 245 },\n- { SCMP_SYS(clock_gettime), 245 },\n- { SCMP_SYS(time), 245 },\n- { SCMP_SYS(restart_syscall), 245 },\n- { SCMP_SYS(pwrite64), 245 },\n- { SCMP_SYS(nanosleep), 245 },\n- { SCMP_SYS(chown), 245 },\n- { SCMP_SYS(openat), 245 },\n- { SCMP_SYS(getdents), 245 },\n- { SCMP_SYS(timer_delete), 245 },\n- { SCMP_SYS(exit_group), 245 },\n- { SCMP_SYS(rt_sigreturn), 245 },\n- { SCMP_SYS(sync), 245 },\n- { SCMP_SYS(pread64), 245 },\n- { SCMP_SYS(madvise), 245 },\n- { SCMP_SYS(set_robust_list), 245 },\n- { SCMP_SYS(lseek), 245 },\n- { SCMP_SYS(pselect6), 245 },\n- { SCMP_SYS(fork), 245 },\n- { SCMP_SYS(rt_sigprocmask), 245 },\n- { SCMP_SYS(write), 244 },\n- { SCMP_SYS(fcntl), 243 },\n- { SCMP_SYS(tgkill), 242 },\n- { SCMP_SYS(kill), 242 
},\n- { SCMP_SYS(rt_sigaction), 242 },\n- { SCMP_SYS(pipe2), 242 },\n- { SCMP_SYS(munmap), 242 },\n- { SCMP_SYS(mremap), 242 },\n- { SCMP_SYS(fdatasync), 242 },\n- { SCMP_SYS(close), 242 },\n- { SCMP_SYS(rt_sigpending), 242 },\n- { SCMP_SYS(rt_sigtimedwait), 242 },\n- { SCMP_SYS(readv), 242 },\n- { SCMP_SYS(writev), 242 },\n- { SCMP_SYS(preadv), 242 },\n- { SCMP_SYS(pwritev), 242 },\n- { SCMP_SYS(setrlimit), 242 },\n- { SCMP_SYS(ftruncate), 242 },\n- { SCMP_SYS(lstat), 242 },\n- { SCMP_SYS(pipe), 242 },\n- { SCMP_SYS(umask), 242 },\n- { SCMP_SYS(chdir), 242 },\n- { SCMP_SYS(setitimer), 242 },\n- { SCMP_SYS(setsid), 242 },\n- { SCMP_SYS(poll), 242 },\n- { SCMP_SYS(epoll_create), 242 },\n- { SCMP_SYS(epoll_ctl), 242 },\n- { SCMP_SYS(epoll_wait), 242 },\n- { SCMP_SYS(waitpid), 242 },\n- { SCMP_SYS(getsockname), 242 },\n- { SCMP_SYS(getpeername), 242 },\n- { SCMP_SYS(accept4), 242 },\n- { SCMP_SYS(timerfd_settime), 242 },\n- { SCMP_SYS(newfstatat), 241 },\n- { SCMP_SYS(shutdown), 241 },\n- { SCMP_SYS(getsockopt), 241 },\n- { SCMP_SYS(semop), 241 },\n- { SCMP_SYS(semtimedop), 241 },\n- { SCMP_SYS(epoll_ctl_old), 241 },\n- { SCMP_SYS(epoll_wait_old), 241 },\n- { SCMP_SYS(epoll_pwait), 241 },\n- { SCMP_SYS(epoll_create1), 241 },\n- { SCMP_SYS(ppoll), 241 },\n- { SCMP_SYS(creat), 241 },\n- { SCMP_SYS(link), 241 },\n- { SCMP_SYS(getpid), 241 },\n- { SCMP_SYS(getppid), 241 },\n- { SCMP_SYS(getpgrp), 241 },\n- { SCMP_SYS(getpgid), 241 },\n- { SCMP_SYS(getsid), 241 },\n- { SCMP_SYS(getdents64), 241 },\n- { SCMP_SYS(getresuid), 241 },\n- { SCMP_SYS(getresgid), 241 },\n- { SCMP_SYS(getgroups), 241 },\n- { SCMP_SYS(getresuid32), 241 },\n- { SCMP_SYS(getresgid32), 241 },\n- { SCMP_SYS(getgroups32), 241 },\n- { SCMP_SYS(signal), 241 },\n- { SCMP_SYS(sigaction), 241 },\n- { SCMP_SYS(sigsuspend), 241 },\n- { SCMP_SYS(sigpending), 241 },\n- { SCMP_SYS(truncate64), 241 },\n- { SCMP_SYS(ftruncate64), 241 },\n- { SCMP_SYS(fchown32), 241 },\n- { SCMP_SYS(chown32), 241 },\n- { 
SCMP_SYS(lchown32), 241 },\n- { SCMP_SYS(statfs64), 241 },\n- { SCMP_SYS(fstatfs64), 241 },\n- { SCMP_SYS(fstatat64), 241 },\n- { SCMP_SYS(lstat64), 241 },\n- { SCMP_SYS(sendfile64), 241 },\n- { SCMP_SYS(ugetrlimit), 241 },\n- { SCMP_SYS(alarm), 241 },\n- { SCMP_SYS(rt_sigsuspend), 241 },\n- { SCMP_SYS(rt_sigqueueinfo), 241 },\n- { SCMP_SYS(rt_tgsigqueueinfo), 241 },\n- { SCMP_SYS(sigaltstack), 241 },\n- { SCMP_SYS(signalfd4), 241 },\n- { SCMP_SYS(truncate), 241 },\n- { SCMP_SYS(fchown), 241 },\n- { SCMP_SYS(lchown), 241 },\n- { SCMP_SYS(fchownat), 241 },\n- { SCMP_SYS(fstatfs), 241 },\n- { SCMP_SYS(getitimer), 241 },\n- { SCMP_SYS(syncfs), 241 },\n- { SCMP_SYS(fsync), 241 },\n- { SCMP_SYS(fchdir), 241 },\n- { SCMP_SYS(msync), 241 },\n- { SCMP_SYS(sched_setparam), 241 },\n- { SCMP_SYS(sched_setscheduler), 241 },\n- { SCMP_SYS(sched_yield), 241 },\n- { SCMP_SYS(sched_rr_get_interval), 241 },\n- { SCMP_SYS(sched_setaffinity), 241 },\n- { SCMP_SYS(sched_getaffinity), 241 },\n- { SCMP_SYS(readahead), 241 },\n- { SCMP_SYS(timer_getoverrun), 241 },\n- { SCMP_SYS(unlinkat), 241 },\n- { SCMP_SYS(readlinkat), 241 },\n- { SCMP_SYS(faccessat), 241 },\n- { SCMP_SYS(get_robust_list), 241 },\n- { SCMP_SYS(splice), 241 },\n- { SCMP_SYS(vmsplice), 241 },\n- { SCMP_SYS(getcpu), 241 },\n- { SCMP_SYS(sendmmsg), 241 },\n- { SCMP_SYS(recvmmsg), 241 },\n- { SCMP_SYS(prlimit64), 241 },\n- { SCMP_SYS(waitid), 241 },\n- { SCMP_SYS(io_cancel), 241 },\n- { SCMP_SYS(io_setup), 241 },\n- { SCMP_SYS(io_destroy), 241 },\n- { SCMP_SYS(arch_prctl), 240 },\n- { SCMP_SYS(mkdir), 240 },\n- { SCMP_SYS(fchmod), 240 },\n- { SCMP_SYS(shmget), 240 },\n- { SCMP_SYS(shmat), 240 },\n- { SCMP_SYS(shmdt), 240 },\n- { SCMP_SYS(timerfd_create), 240 },\n- { SCMP_SYS(shmctl), 240 },\n- { SCMP_SYS(mlockall), 240 },\n- { SCMP_SYS(mlock), 240 },\n- { SCMP_SYS(munlock), 240 },\n- { SCMP_SYS(semctl), 240 },\n- { SCMP_SYS(fallocate), 240 },\n- { SCMP_SYS(fadvise64), 240 },\n- { SCMP_SYS(inotify_init1), 240 },\n- { 
SCMP_SYS(inotify_add_watch), 240 },\n- { SCMP_SYS(mbind), 240 },\n- { SCMP_SYS(memfd_create), 240 },\n-#ifdef HAVE_CACHEFLUSH\n- { SCMP_SYS(cacheflush), 240 },\n-#endif\n- { SCMP_SYS(sysinfo), 240 },\n+static const struct QemuSeccompSyscall blacklist[] = {\n+ /* default set of syscalls to blacklist */\n+ { SCMP_SYS(reboot), 1, QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(swapon), 1, QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(swapoff), 1, QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(syslog), 1, QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(mount), 1, QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(umount), 1, QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(kexec_load), 1, QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(afs_syscall), 1, QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(break), 1, QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(ftime), 1, QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(getpmsg), 1, QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(gtty), 1, QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(lock), 1, QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(mpx), 1, QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(prof), 1, QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(profil), 1, QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(putpmsg), 1, QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(security), 1, QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(stty), 1, QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(tuxcall), 1, QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(ulimit), 1, QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(vserver), 1, QEMU_SECCOMP_SET_DEFAULT },\n };\n \n int seccomp_start(void)\n@@ -262,19 +64,19 @@ int seccomp_start(void)\n unsigned int i = 0;\n scmp_filter_ctx ctx;\n \n- ctx = seccomp_init(SCMP_ACT_KILL);\n+ ctx = seccomp_init(SCMP_ACT_ALLOW);\n if (ctx == NULL) {\n rc = -1;\n goto seccomp_return;\n }\n \n- for (i = 0; i < ARRAY_SIZE(seccomp_whitelist); i++) {\n- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_whitelist[i].num, 0);\n- if (rc < 0) {\n- goto seccomp_return;\n+ for (i = 0; i < ARRAY_SIZE(blacklist); i++) {\n+ switch 
(blacklist[i].set) {\n+ default:\n+ goto add_syscall;\n }\n- rc = seccomp_syscall_priority(ctx, seccomp_whitelist[i].num,\n- seccomp_whitelist[i].priority);\n+add_syscall:\n+ rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, blacklist[i].num, 0);\n if (rc < 0) {\n goto seccomp_return;\n }\ndiff --git a/vl.c b/vl.c\nindex 8e247cc2a2..305531aba8 100644\n--- a/vl.c\n+++ b/vl.c\n@@ -1030,7 +1030,6 @@ static int bt_parse(const char *opt)\n \n static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp)\n {\n- /* FIXME: change this to true for 1.3 */\n if (qemu_opt_get_bool(opts, \"enable\", false)) {\n #ifdef CONFIG_SECCOMP\n if (seccomp_start() < 0) {\n", "prefixes": [ "PATCHv4", "1/6" ] }
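Review bot: The `switch (blacklist[i].set)` in the seccomp_start() hunk contains only a `default:` that jumps to `add_syscall:`, so the new `set` field is never actually tested and every table entry is installed unconditionally; likewise the `type` field added to struct QemuSeccompSyscall in the earlier qemu-seccomp.c hunk is set to 1 in every row but never read. If set selection is meant to arrive in a later patch of this series, a comment saying so would stop readers from treating this as a bug; otherwise the switch and label can be replaced by a plain guard before the `seccomp_rule_add()` call, `if (!(blacklist[i].set & QEMU_SECCOMP_SET_DEFAULT)) { continue; }`. Because the filter default is now `SCMP_ACT_ALLOW`, the `blacklist[]` table is the entire policy and any syscall absent from it is permitted, which is worth stating in a comment above the table so future additions are made with that model in mind. The body of seccomp_start() continues past the end of the hunk.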