GET

Patch Detail

get:
Show a patch.

patch:
Update a patch.

put:
Update a patch.

GET /api/patches/808631/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 808631,
    "url": "http://patchwork.ozlabs.org/api/patches/808631/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20170901105818.31956-6-otubo@redhat.com/",
    "project": {
        "id": 14,
        "url": "http://patchwork.ozlabs.org/api/projects/14/?format=api",
        "name": "QEMU Development",
        "link_name": "qemu-devel",
        "list_id": "qemu-devel.nongnu.org",
        "list_email": "qemu-devel@nongnu.org",
        "web_url": "",
        "scm_url": "",
        "webscm_url": "",
        "list_archive_url": "",
        "list_archive_url_format": "",
        "commit_url_format": ""
    },
    "msgid": "<20170901105818.31956-6-otubo@redhat.com>",
    "list_archive_url": null,
    "date": "2017-09-01T10:58:17",
    "name": "[PATCHv4,5/6] seccomp: add resourcecontrol argument to command line",
    "commit_ref": null,
    "pull_url": null,
    "state": "new",
    "archived": false,
    "hash": "b34065a4d3b7c70d6fe12e654453aedf3dc60365",
    "submitter": {
        "id": 71779,
        "url": "http://patchwork.ozlabs.org/api/people/71779/?format=api",
        "name": "Eduardo Otubo",
        "email": "otubo@redhat.com"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20170901105818.31956-6-otubo@redhat.com/mbox/",
    "series": [
        {
            "id": 999,
            "url": "http://patchwork.ozlabs.org/api/series/999/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=999",
            "date": "2017-09-01T10:58:12",
            "name": "seccomp: feature refactoring",
            "version": 1,
            "mbox": "http://patchwork.ozlabs.org/series/999/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/808631/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/808631/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>",
        "X-Original-To": "incoming@patchwork.ozlabs.org",
        "Delivered-To": "patchwork-incoming@bilbo.ozlabs.org",
        "Authentication-Results": [
            "ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=nongnu.org\n\t(client-ip=2001:4830:134:3::11; helo=lists.gnu.org;\n\tenvelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n\treceiver=<UNKNOWN>)",
            "ext-mx07.extmail.prod.ext.phx2.redhat.com;\n\tdmarc=none (p=none dis=none) header.from=redhat.com",
            "ext-mx07.extmail.prod.ext.phx2.redhat.com;\n\tspf=fail smtp.mailfrom=otubo@redhat.com"
        ],
        "Received": [
            "from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xkGZ15lb3z9s7p\n\tfor <incoming@patchwork.ozlabs.org>;\n\tFri,  1 Sep 2017 21:03:21 +1000 (AEST)",
            "from localhost ([::1]:35201 helo=lists.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.71) (envelope-from\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>)\n\tid 1dnjjL-0003YO-Pd\n\tfor incoming@patchwork.ozlabs.org; Fri, 01 Sep 2017 07:03:19 -0400",
            "from eggs.gnu.org ([2001:4830:134:3::10]:51348)\n\tby lists.gnu.org with esmtp (Exim 4.71)\n\t(envelope-from <otubo@redhat.com>) id 1dnjfD-0000MN-0i\n\tfor qemu-devel@nongnu.org; Fri, 01 Sep 2017 06:59:04 -0400",
            "from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)\n\t(envelope-from <otubo@redhat.com>) id 1dnjf8-0001QV-6X\n\tfor qemu-devel@nongnu.org; Fri, 01 Sep 2017 06:59:03 -0400",
            "from mx1.redhat.com ([209.132.183.28]:4049)\n\tby eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.71) (envelope-from <otubo@redhat.com>) id 1dnjf7-0001PX-UC\n\tfor qemu-devel@nongnu.org; Fri, 01 Sep 2017 06:58:58 -0400",
            "from smtp.corp.redhat.com\n\t(int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby mx1.redhat.com (Postfix) with ESMTPS id E72ACC0467D7\n\tfor <qemu-devel@nongnu.org>; Fri,  1 Sep 2017 10:58:56 +0000 (UTC)",
            "from vader.redhat.com (ovpn-117-156.ams2.redhat.com\n\t[10.36.117.156])\n\tby smtp.corp.redhat.com (Postfix) with ESMTP id 8A8D97E5D2;\n\tFri,  1 Sep 2017 10:58:52 +0000 (UTC)"
        ],
        "DMARC-Filter": "OpenDMARC Filter v1.3.2 mx1.redhat.com E72ACC0467D7",
        "From": "Eduardo Otubo <otubo@redhat.com>",
        "To": "qemu-devel@nongnu.org",
        "Date": "Fri,  1 Sep 2017 12:58:17 +0200",
        "Message-Id": "<20170901105818.31956-6-otubo@redhat.com>",
        "In-Reply-To": "<20170901105818.31956-1-otubo@redhat.com>",
        "References": "<20170901105818.31956-1-otubo@redhat.com>",
        "X-Scanned-By": "MIMEDefang 2.79 on 10.5.11.12",
        "X-Greylist": "Sender IP whitelisted, not delayed by milter-greylist-4.5.16\n\t(mx1.redhat.com [10.5.110.31]);\n\tFri, 01 Sep 2017 10:58:57 +0000 (UTC)",
        "X-detected-operating-system": "by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]\n\t[fuzzy]",
        "X-Received-From": "209.132.183.28",
        "Subject": "[Qemu-devel] [PATCHv4 5/6] seccomp: add resourcecontrol argument to\n\tcommand line",
        "X-BeenThere": "qemu-devel@nongnu.org",
        "X-Mailman-Version": "2.1.21",
        "Precedence": "list",
        "List-Id": "<qemu-devel.nongnu.org>",
        "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>",
        "List-Archive": "<http://lists.nongnu.org/archive/html/qemu-devel/>",
        "List-Post": "<mailto:qemu-devel@nongnu.org>",
        "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>",
        "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=subscribe>",
        "Cc": "thuth@redhat.com",
        "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org",
        "Sender": "\"Qemu-devel\"\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>"
    },
    "content": "This patch adds [,resourcecontrol=deny] to `-sandbox on' option. It\nblacklists all process affinity and scheduler priority system calls to\navoid any bigger of the process.\n\nSigned-off-by: Eduardo Otubo <otubo@redhat.com>\n---\n include/sysemu/seccomp.h |  1 +\n qemu-options.hx          |  9 ++++++---\n qemu-seccomp.c           | 19 +++++++++++++++++++\n vl.c                     | 16 ++++++++++++++++\n 4 files changed, 42 insertions(+), 3 deletions(-)",
    "diff": "diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h\nindex 3ab5fc4f61..e67c2dc840 100644\n--- a/include/sysemu/seccomp.h\n+++ b/include/sysemu/seccomp.h\n@@ -19,6 +19,7 @@\n #define QEMU_SECCOMP_SET_OBSOLETE    (1 << 1)\n #define QEMU_SECCOMP_SET_PRIVILEGED  (1 << 2)\n #define QEMU_SECCOMP_SET_SPAWN       (1 << 3)\n+#define QEMU_SECCOMP_SET_RESOURCECTL (1 << 4)\n \n #include <seccomp.h>\n \ndiff --git a/qemu-options.hx b/qemu-options.hx\nindex 2b04b9f170..600614f6e5 100644\n--- a/qemu-options.hx\n+++ b/qemu-options.hx\n@@ -4018,7 +4018,7 @@ ETEXI\n \n DEF(\"sandbox\", HAS_ARG, QEMU_OPTION_sandbox, \\\n     \"-sandbox on[,obsolete=allow|deny][,elevateprivileges=allow|deny|children]\\n\" \\\n-    \"          [,spawn=allow|deny]\\n\" \\\n+    \"          [,spawn=allow|deny][,resourcecontrol=allow|deny]\\n\" \\\n     \"                Enable seccomp mode 2 system call filter (default 'off').\\n\" \\\n     \"                use 'obsolete' to allow obsolete system calls that are provided\\n\" \\\n     \"                    by the kernel, but typically no longer used by modern\\n\" \\\n@@ -4028,10 +4028,11 @@ DEF(\"sandbox\", HAS_ARG, QEMU_OPTION_sandbox, \\\n     \"                    The value 'children' will deny set*uid|gid system calls for\\n\" \\\n     \"                    main QEMU process but will allow forks and execves to run unprivileged\\n\" \\\n     \"                use 'spawn' to avoid QEMU to spawn new threads or processes by\\n\" \\\n-    \"                     blacklisting *fork and execve\\n\",\n+    \"                     blacklisting *fork and execve\\n\" \\\n+    \"                use 'resourcecontrol' to disable process affinity and schedular priority\\n\",\n     QEMU_ARCH_ALL)\n STEXI\n-@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}][,spawn=@var{string}]\n+@item -sandbox @var{arg}[,obsolete=@var{string}][,elevateprivileges=@var{string}][,spawn=@var{string}][,resourcecontrol=@var{string}]\n @findex -sandbox\n Enable Seccomp mode 2 system call filter. 'on' will enable syscall filtering and 'off' will\n disable it.  The default is 'off'.\n@@ -4042,6 +4043,8 @@ Enable Obsolete system calls\n Disable set*uid|gid system calls\n @item spawn=@var{string}\n Disable *fork and execve\n+@item resourcecontrol=@var{string}\n+Disable process affinity and schedular priority\n @end table\n ETEXI\n \ndiff --git a/qemu-seccomp.c b/qemu-seccomp.c\nindex 51754ace71..ae787a4312 100644\n--- a/qemu-seccomp.c\n+++ b/qemu-seccomp.c\n@@ -71,6 +71,17 @@ static const struct QemuSeccompSyscall blacklist[] = {\n     { SCMP_SYS(fork),                  8, QEMU_SECCOMP_SET_SPAWN },\n     { SCMP_SYS(vfork),                 8, QEMU_SECCOMP_SET_SPAWN },\n     { SCMP_SYS(execve),                8, QEMU_SECCOMP_SET_SPAWN },\n+    /* resource control */\n+    { SCMP_SYS(getpriority),           16, QEMU_SECCOMP_SET_RESOURCECTL },\n+    { SCMP_SYS(setpriority),           16, QEMU_SECCOMP_SET_RESOURCECTL },\n+    { SCMP_SYS(sched_setparam),        16, QEMU_SECCOMP_SET_RESOURCECTL },\n+    { SCMP_SYS(sched_getparam),        16, QEMU_SECCOMP_SET_RESOURCECTL },\n+    { SCMP_SYS(sched_setscheduler),    16, QEMU_SECCOMP_SET_RESOURCECTL },\n+    { SCMP_SYS(sched_getscheduler),    16, QEMU_SECCOMP_SET_RESOURCECTL },\n+    { SCMP_SYS(sched_setaffinity),     16, QEMU_SECCOMP_SET_RESOURCECTL },\n+    { SCMP_SYS(sched_getaffinity),     16, QEMU_SECCOMP_SET_RESOURCECTL },\n+    { SCMP_SYS(sched_get_priority_max),16, QEMU_SECCOMP_SET_RESOURCECTL },\n+    { SCMP_SYS(sched_get_priority_min),16, QEMU_SECCOMP_SET_RESOURCECTL },\n };\n \n \n@@ -112,6 +123,14 @@ int seccomp_start(uint32_t seccomp_opts)\n             }\n \n             break;\n+        case QEMU_SECCOMP_SET_RESOURCECTL:\n+            if (seccomp_opts & QEMU_SECCOMP_SET_RESOURCECTL) {\n+                goto add_syscall;\n+            } else {\n+                continue;\n+            }\n+\n+            break;\n         default:\n             goto add_syscall;\n         }\ndiff --git a/vl.c b/vl.c\nindex 8e6b252f8f..563e7206ac 100644\n--- a/vl.c\n+++ b/vl.c\n@@ -284,6 +284,10 @@ static QemuOptsList qemu_sandbox_opts = {\n             .name = \"spawn\",\n             .type = QEMU_OPT_STRING,\n         },\n+        {\n+            .name = \"resourcecontrol\",\n+            .type = QEMU_OPT_STRING,\n+        },\n         { /* end of list */ }\n     },\n };\n@@ -1095,6 +1099,18 @@ static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp)\n             }\n         }\n \n+        value = qemu_opt_get(opts, \"resourcecontrol\");\n+        if (value) {\n+            if (strcmp(value, \"deny\") == 0) {\n+                seccomp_opts |= QEMU_SECCOMP_SET_RESOURCECTL;\n+            } else if (strcmp(value, \"allow\") == 0) {\n+                /* default value */\n+            } else {\n+\t\terror_report(\"invalid argument for resourcecontrol\");\n+\t\treturn -1;\n+\t    }\n+        }\n+\n         if (seccomp_start(seccomp_opts) < 0) {\n             error_report(\"failed to install seccomp syscall filter \"\n                          \"in the kernel\");\n",
    "prefixes": [
        "PATCHv4",
        "5/6"
    ]
}