GET /api/patches/811545/?format=api
{ "id": 811545, "url": "http://patchwork.ozlabs.org/api/patches/811545/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20170908114407.25906-2-otubo@redhat.com/", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20170908114407.25906-2-otubo@redhat.com>", "list_archive_url": null, "date": "2017-09-08T11:44:03", "name": "[PATCHv6,1/5] seccomp: changing from whitelist to blacklist", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "bdaa020d0eb305dd6c9fd37cff598b5b093abe51", "submitter": { "id": 71779, "url": "http://patchwork.ozlabs.org/api/people/71779/?format=api", "name": "Eduardo Otubo", "email": "otubo@redhat.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20170908114407.25906-2-otubo@redhat.com/mbox/", "series": [ { "id": 2186, "url": "http://patchwork.ozlabs.org/api/series/2186/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=2186", "date": "2017-09-08T11:44:02", "name": "seccomp: feature refactoring", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/2186/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/811545/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/811545/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@bilbo.ozlabs.org", "Authentication-Results": [ "ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=nongnu.org\n\t(client-ip=2001:4830:134:3::11; 
helo=lists.gnu.org;\n\tenvelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n\treceiver=<UNKNOWN>)", "ext-mx07.extmail.prod.ext.phx2.redhat.com;\n\tdmarc=none (p=none dis=none) header.from=redhat.com", "ext-mx07.extmail.prod.ext.phx2.redhat.com;\n\tspf=fail smtp.mailfrom=otubo@redhat.com" ], "Received": [ "from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xpb9R1qRcz9s83\n\tfor <incoming@patchwork.ozlabs.org>;\n\tFri, 8 Sep 2017 21:45:31 +1000 (AEST)", "from localhost ([::1]:44849 helo=lists.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.71) (envelope-from\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>)\n\tid 1dqHiz-0001V0-92\n\tfor incoming@patchwork.ozlabs.org; Fri, 08 Sep 2017 07:45:29 -0400", "from eggs.gnu.org ([2001:4830:134:3::10]:59293)\n\tby lists.gnu.org with esmtp (Exim 4.71)\n\t(envelope-from <otubo@redhat.com>) id 1dqHiJ-0001Ra-6c\n\tfor qemu-devel@nongnu.org; Fri, 08 Sep 2017 07:44:48 -0400", "from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)\n\t(envelope-from <otubo@redhat.com>) id 1dqHiH-0006i6-GX\n\tfor qemu-devel@nongnu.org; Fri, 08 Sep 2017 07:44:47 -0400", "from mx1.redhat.com ([209.132.183.28]:39018)\n\tby eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.71) (envelope-from <otubo@redhat.com>) id 1dqHiH-0006hD-7Y\n\tfor qemu-devel@nongnu.org; Fri, 08 Sep 2017 07:44:45 -0400", "from smtp.corp.redhat.com\n\t(int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby mx1.redhat.com (Postfix) with ESMTPS id 44F2BC04B333\n\tfor <qemu-devel@nongnu.org>; Fri, 8 Sep 2017 11:44:44 +0000 (UTC)", "from vader.redhat.com (ovpn-117-226.ams2.redhat.com\n\t[10.36.117.226])\n\tby smtp.corp.redhat.com (Postfix) with ESMTP id 
C92F153CC7;\n\tFri, 8 Sep 2017 11:44:41 +0000 (UTC)" ], "DMARC-Filter": "OpenDMARC Filter v1.3.2 mx1.redhat.com 44F2BC04B333", "From": "Eduardo Otubo <otubo@redhat.com>", "To": "qemu-devel@nongnu.org", "Date": "Fri, 8 Sep 2017 13:44:03 +0200", "Message-Id": "<20170908114407.25906-2-otubo@redhat.com>", "In-Reply-To": "<20170908114407.25906-1-otubo@redhat.com>", "References": "<20170908114407.25906-1-otubo@redhat.com>", "X-Scanned-By": "MIMEDefang 2.79 on 10.5.11.13", "X-Greylist": "Sender IP whitelisted, not delayed by milter-greylist-4.5.16\n\t(mx1.redhat.com [10.5.110.31]);\n\tFri, 08 Sep 2017 11:44:44 +0000 (UTC)", "X-detected-operating-system": "by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]\n\t[fuzzy]", "X-Received-From": "209.132.183.28", "Subject": "[Qemu-devel] [PATCHv6 1/5] seccomp: changing from whitelist to\n\tblacklist", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.21", "Precedence": "list", "List-Id": "<qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<http://lists.nongnu.org/archive/html/qemu-devel/>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Cc": "thuth@redhat.com", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "\"Qemu-devel\"\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>" }, "content": "This patch changes the default behavior of the seccomp filter from\nwhitelist to blacklist. 
By default now all system calls are allowed and\na small black list of definitely forbidden ones was created.\n\nSigned-off-by: Eduardo Otubo <otubo@redhat.com>\n---\n include/sysemu/seccomp.h | 2 +\n qemu-seccomp.c | 260 +++++------------------------------------------\n vl.c | 1 -\n 3 files changed, 30 insertions(+), 233 deletions(-)", "diff": "diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h\nindex cfc06008cb..23b9c3c789 100644\n--- a/include/sysemu/seccomp.h\n+++ b/include/sysemu/seccomp.h\n@@ -15,6 +15,8 @@\n #ifndef QEMU_SECCOMP_H\n #define QEMU_SECCOMP_H\n \n+#define QEMU_SECCOMP_SET_DEFAULT (1 << 0)\n+\n #include <seccomp.h>\n \n int seccomp_start(void);\ndiff --git a/qemu-seccomp.c b/qemu-seccomp.c\nindex df75d9c471..f66613fc71 100644\n--- a/qemu-seccomp.c\n+++ b/qemu-seccomp.c\n@@ -28,232 +28,33 @@\n \n struct QemuSeccompSyscall {\n int32_t num;\n- uint8_t priority;\n+ uint8_t set;\n };\n \n-static const struct QemuSeccompSyscall seccomp_whitelist[] = {\n- { SCMP_SYS(timer_settime), 255 },\n- { SCMP_SYS(timer_gettime), 254 },\n- { SCMP_SYS(futex), 253 },\n- { SCMP_SYS(select), 252 },\n- { SCMP_SYS(recvfrom), 251 },\n- { SCMP_SYS(sendto), 250 },\n- { SCMP_SYS(socketcall), 250 },\n- { SCMP_SYS(read), 249 },\n- { SCMP_SYS(io_submit), 249 },\n- { SCMP_SYS(brk), 248 },\n- { SCMP_SYS(clone), 247 },\n- { SCMP_SYS(mmap), 247 },\n- { SCMP_SYS(mprotect), 246 },\n- { SCMP_SYS(execve), 245 },\n- { SCMP_SYS(open), 245 },\n- { SCMP_SYS(ioctl), 245 },\n- { SCMP_SYS(socket), 245 },\n- { SCMP_SYS(setsockopt), 245 },\n- { SCMP_SYS(recvmsg), 245 },\n- { SCMP_SYS(sendmsg), 245 },\n- { SCMP_SYS(accept), 245 },\n- { SCMP_SYS(connect), 245 },\n- { SCMP_SYS(socketpair), 245 },\n- { SCMP_SYS(bind), 245 },\n- { SCMP_SYS(listen), 245 },\n- { SCMP_SYS(semget), 245 },\n- { SCMP_SYS(ipc), 245 },\n- { SCMP_SYS(gettimeofday), 245 },\n- { SCMP_SYS(readlink), 245 },\n- { SCMP_SYS(access), 245 },\n- { SCMP_SYS(prctl), 245 },\n- { SCMP_SYS(signalfd), 245 },\n- { 
SCMP_SYS(getrlimit), 245 },\n- { SCMP_SYS(getrusage), 245 },\n- { SCMP_SYS(set_tid_address), 245 },\n- { SCMP_SYS(statfs), 245 },\n- { SCMP_SYS(unlink), 245 },\n- { SCMP_SYS(wait4), 245 },\n- { SCMP_SYS(fcntl64), 245 },\n- { SCMP_SYS(fstat64), 245 },\n- { SCMP_SYS(stat64), 245 },\n- { SCMP_SYS(getgid32), 245 },\n- { SCMP_SYS(getegid32), 245 },\n- { SCMP_SYS(getuid32), 245 },\n- { SCMP_SYS(geteuid32), 245 },\n- { SCMP_SYS(sigreturn), 245 },\n- { SCMP_SYS(_newselect), 245 },\n- { SCMP_SYS(_llseek), 245 },\n- { SCMP_SYS(mmap2), 245 },\n- { SCMP_SYS(sigprocmask), 245 },\n- { SCMP_SYS(sched_getparam), 245 },\n- { SCMP_SYS(sched_getscheduler), 245 },\n- { SCMP_SYS(fstat), 245 },\n- { SCMP_SYS(clock_getres), 245 },\n- { SCMP_SYS(sched_get_priority_min), 245 },\n- { SCMP_SYS(sched_get_priority_max), 245 },\n- { SCMP_SYS(stat), 245 },\n- { SCMP_SYS(uname), 245 },\n- { SCMP_SYS(eventfd2), 245 },\n- { SCMP_SYS(io_getevents), 245 },\n- { SCMP_SYS(dup), 245 },\n- { SCMP_SYS(dup2), 245 },\n- { SCMP_SYS(dup3), 245 },\n- { SCMP_SYS(gettid), 245 },\n- { SCMP_SYS(getgid), 245 },\n- { SCMP_SYS(getegid), 245 },\n- { SCMP_SYS(getuid), 245 },\n- { SCMP_SYS(geteuid), 245 },\n- { SCMP_SYS(timer_create), 245 },\n- { SCMP_SYS(times), 245 },\n- { SCMP_SYS(exit), 245 },\n- { SCMP_SYS(clock_gettime), 245 },\n- { SCMP_SYS(time), 245 },\n- { SCMP_SYS(restart_syscall), 245 },\n- { SCMP_SYS(pwrite64), 245 },\n- { SCMP_SYS(nanosleep), 245 },\n- { SCMP_SYS(chown), 245 },\n- { SCMP_SYS(openat), 245 },\n- { SCMP_SYS(getdents), 245 },\n- { SCMP_SYS(timer_delete), 245 },\n- { SCMP_SYS(exit_group), 245 },\n- { SCMP_SYS(rt_sigreturn), 245 },\n- { SCMP_SYS(sync), 245 },\n- { SCMP_SYS(pread64), 245 },\n- { SCMP_SYS(madvise), 245 },\n- { SCMP_SYS(set_robust_list), 245 },\n- { SCMP_SYS(lseek), 245 },\n- { SCMP_SYS(pselect6), 245 },\n- { SCMP_SYS(fork), 245 },\n- { SCMP_SYS(rt_sigprocmask), 245 },\n- { SCMP_SYS(write), 244 },\n- { SCMP_SYS(fcntl), 243 },\n- { SCMP_SYS(tgkill), 242 },\n- { SCMP_SYS(kill), 242 
},\n- { SCMP_SYS(rt_sigaction), 242 },\n- { SCMP_SYS(pipe2), 242 },\n- { SCMP_SYS(munmap), 242 },\n- { SCMP_SYS(mremap), 242 },\n- { SCMP_SYS(fdatasync), 242 },\n- { SCMP_SYS(close), 242 },\n- { SCMP_SYS(rt_sigpending), 242 },\n- { SCMP_SYS(rt_sigtimedwait), 242 },\n- { SCMP_SYS(readv), 242 },\n- { SCMP_SYS(writev), 242 },\n- { SCMP_SYS(preadv), 242 },\n- { SCMP_SYS(pwritev), 242 },\n- { SCMP_SYS(setrlimit), 242 },\n- { SCMP_SYS(ftruncate), 242 },\n- { SCMP_SYS(lstat), 242 },\n- { SCMP_SYS(pipe), 242 },\n- { SCMP_SYS(umask), 242 },\n- { SCMP_SYS(chdir), 242 },\n- { SCMP_SYS(setitimer), 242 },\n- { SCMP_SYS(setsid), 242 },\n- { SCMP_SYS(poll), 242 },\n- { SCMP_SYS(epoll_create), 242 },\n- { SCMP_SYS(epoll_ctl), 242 },\n- { SCMP_SYS(epoll_wait), 242 },\n- { SCMP_SYS(waitpid), 242 },\n- { SCMP_SYS(getsockname), 242 },\n- { SCMP_SYS(getpeername), 242 },\n- { SCMP_SYS(accept4), 242 },\n- { SCMP_SYS(timerfd_settime), 242 },\n- { SCMP_SYS(newfstatat), 241 },\n- { SCMP_SYS(shutdown), 241 },\n- { SCMP_SYS(getsockopt), 241 },\n- { SCMP_SYS(semop), 241 },\n- { SCMP_SYS(semtimedop), 241 },\n- { SCMP_SYS(epoll_ctl_old), 241 },\n- { SCMP_SYS(epoll_wait_old), 241 },\n- { SCMP_SYS(epoll_pwait), 241 },\n- { SCMP_SYS(epoll_create1), 241 },\n- { SCMP_SYS(ppoll), 241 },\n- { SCMP_SYS(creat), 241 },\n- { SCMP_SYS(link), 241 },\n- { SCMP_SYS(getpid), 241 },\n- { SCMP_SYS(getppid), 241 },\n- { SCMP_SYS(getpgrp), 241 },\n- { SCMP_SYS(getpgid), 241 },\n- { SCMP_SYS(getsid), 241 },\n- { SCMP_SYS(getdents64), 241 },\n- { SCMP_SYS(getresuid), 241 },\n- { SCMP_SYS(getresgid), 241 },\n- { SCMP_SYS(getgroups), 241 },\n- { SCMP_SYS(getresuid32), 241 },\n- { SCMP_SYS(getresgid32), 241 },\n- { SCMP_SYS(getgroups32), 241 },\n- { SCMP_SYS(signal), 241 },\n- { SCMP_SYS(sigaction), 241 },\n- { SCMP_SYS(sigsuspend), 241 },\n- { SCMP_SYS(sigpending), 241 },\n- { SCMP_SYS(truncate64), 241 },\n- { SCMP_SYS(ftruncate64), 241 },\n- { SCMP_SYS(fchown32), 241 },\n- { SCMP_SYS(chown32), 241 },\n- { 
SCMP_SYS(lchown32), 241 },\n- { SCMP_SYS(statfs64), 241 },\n- { SCMP_SYS(fstatfs64), 241 },\n- { SCMP_SYS(fstatat64), 241 },\n- { SCMP_SYS(lstat64), 241 },\n- { SCMP_SYS(sendfile64), 241 },\n- { SCMP_SYS(ugetrlimit), 241 },\n- { SCMP_SYS(alarm), 241 },\n- { SCMP_SYS(rt_sigsuspend), 241 },\n- { SCMP_SYS(rt_sigqueueinfo), 241 },\n- { SCMP_SYS(rt_tgsigqueueinfo), 241 },\n- { SCMP_SYS(sigaltstack), 241 },\n- { SCMP_SYS(signalfd4), 241 },\n- { SCMP_SYS(truncate), 241 },\n- { SCMP_SYS(fchown), 241 },\n- { SCMP_SYS(lchown), 241 },\n- { SCMP_SYS(fchownat), 241 },\n- { SCMP_SYS(fstatfs), 241 },\n- { SCMP_SYS(getitimer), 241 },\n- { SCMP_SYS(syncfs), 241 },\n- { SCMP_SYS(fsync), 241 },\n- { SCMP_SYS(fchdir), 241 },\n- { SCMP_SYS(msync), 241 },\n- { SCMP_SYS(sched_setparam), 241 },\n- { SCMP_SYS(sched_setscheduler), 241 },\n- { SCMP_SYS(sched_yield), 241 },\n- { SCMP_SYS(sched_rr_get_interval), 241 },\n- { SCMP_SYS(sched_setaffinity), 241 },\n- { SCMP_SYS(sched_getaffinity), 241 },\n- { SCMP_SYS(readahead), 241 },\n- { SCMP_SYS(timer_getoverrun), 241 },\n- { SCMP_SYS(unlinkat), 241 },\n- { SCMP_SYS(readlinkat), 241 },\n- { SCMP_SYS(faccessat), 241 },\n- { SCMP_SYS(get_robust_list), 241 },\n- { SCMP_SYS(splice), 241 },\n- { SCMP_SYS(vmsplice), 241 },\n- { SCMP_SYS(getcpu), 241 },\n- { SCMP_SYS(sendmmsg), 241 },\n- { SCMP_SYS(recvmmsg), 241 },\n- { SCMP_SYS(prlimit64), 241 },\n- { SCMP_SYS(waitid), 241 },\n- { SCMP_SYS(io_cancel), 241 },\n- { SCMP_SYS(io_setup), 241 },\n- { SCMP_SYS(io_destroy), 241 },\n- { SCMP_SYS(arch_prctl), 240 },\n- { SCMP_SYS(mkdir), 240 },\n- { SCMP_SYS(fchmod), 240 },\n- { SCMP_SYS(shmget), 240 },\n- { SCMP_SYS(shmat), 240 },\n- { SCMP_SYS(shmdt), 240 },\n- { SCMP_SYS(timerfd_create), 240 },\n- { SCMP_SYS(shmctl), 240 },\n- { SCMP_SYS(mlockall), 240 },\n- { SCMP_SYS(mlock), 240 },\n- { SCMP_SYS(munlock), 240 },\n- { SCMP_SYS(semctl), 240 },\n- { SCMP_SYS(fallocate), 240 },\n- { SCMP_SYS(fadvise64), 240 },\n- { SCMP_SYS(inotify_init1), 240 },\n- { 
SCMP_SYS(inotify_add_watch), 240 },\n- { SCMP_SYS(mbind), 240 },\n- { SCMP_SYS(memfd_create), 240 },\n-#ifdef HAVE_CACHEFLUSH\n- { SCMP_SYS(cacheflush), 240 },\n-#endif\n- { SCMP_SYS(sysinfo), 240 },\n+static const struct QemuSeccompSyscall blacklist[] = {\n+ /* default set of syscalls to blacklist */\n+ { SCMP_SYS(reboot), QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(swapon), QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(swapoff), QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(syslog), QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(mount), QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(umount), QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(kexec_load), QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(afs_syscall), QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(break), QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(ftime), QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(getpmsg), QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(gtty), QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(lock), QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(mpx), QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(prof), QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(profil), QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(putpmsg), QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(security), QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(stty), QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(tuxcall), QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(ulimit), QEMU_SECCOMP_SET_DEFAULT },\n+ { SCMP_SYS(vserver), QEMU_SECCOMP_SET_DEFAULT },\n };\n \n int seccomp_start(void)\n@@ -262,19 +63,14 @@ int seccomp_start(void)\n unsigned int i = 0;\n scmp_filter_ctx ctx;\n \n- ctx = seccomp_init(SCMP_ACT_KILL);\n+ ctx = seccomp_init(SCMP_ACT_ALLOW);\n if (ctx == NULL) {\n rc = -1;\n goto seccomp_return;\n }\n \n- for (i = 0; i < ARRAY_SIZE(seccomp_whitelist); i++) {\n- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_whitelist[i].num, 0);\n- if (rc < 0) {\n- goto seccomp_return;\n- }\n- rc = seccomp_syscall_priority(ctx, seccomp_whitelist[i].num,\n- seccomp_whitelist[i].priority);\n+ for (i = 0; i < 
ARRAY_SIZE(blacklist); i++) {\n+ rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, blacklist[i].num, 0);\n if (rc < 0) {\n goto seccomp_return;\n }\ndiff --git a/vl.c b/vl.c\nindex fb1f05b937..76e0b3a946 100644\n--- a/vl.c\n+++ b/vl.c\n@@ -1032,7 +1032,6 @@ static int bt_parse(const char *opt)\n \n static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp)\n {\n- /* FIXME: change this to true for 1.3 */\n if (qemu_opt_get_bool(opts, \"enable\", false)) {\n #ifdef CONFIG_SECCOMP\n if (seccomp_start() < 0) {\n", "prefixes": [ "PATCHv6", "1/5" ] }
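Review bot: The `blacklist[]` table in qemu-seccomp.c lists `umount` and `kexec_load` but not their siblings `umount2` and `kexec_file_load`, and with the default action now `SCMP_ACT_ALLOW` in `seccomp_start()` every syscall that is not listed is permitted. As far as I know `umount` has no syscall number on x86_64, and libseccomp skips a non-exact rule for a syscall the architecture lacks, so that entry may block nothing there; this should be confirmed against the libseccomp version in use. Adding `{ SCMP_SYS(umount2), QEMU_SECCOMP_SET_DEFAULT },` and `{ SCMP_SYS(kexec_file_load), QEMU_SECCOMP_SET_DEFAULT },` would close the gap. The loop also never reads `blacklist[i].set`, which is presumably consumed by a later patch in the series; a short comment on the field saying so would help. The body of `seccomp_start()` continues outside the hunk.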