From: Eduardo Otubo
To: qemu-devel@nongnu.org
Date: Wed, 1 Aug 2012 16:54:52 -0300
Cc: blauwirbel@gmail.com, pmoore@redhat.com, anthony@codemonkey.ws, wad@chromium.org, Eduardo Otubo
Subject: [Qemu-devel] [PATCHv5 1/4] Adding support for libseccomp in configure and Makefile

Adding basic options to the configure script to use libseccomp or not.
The default is set to 'no'. If the flag --enable-libseccomp is used, the
script will check for its existence using pkg-config.

v2:
 * As I removed all the code related to seccomp from vl.c, I created
   qemu-seccomp.[ch].
 * Also making the configure script to add the specific line to
   Makefile.obj in order to compile with appropriate support to seccomp.

v3:
 * Removing the line from Makefile.obj and adding it to Makefile.objs.
 * Marking libseccomp default option to 'yes' in the configure script.

v4:
 * Now two new options added:
   --enable-seccomp-debug
   --disable-seccomp-debug
   Enabling debug will cause libseccomp to be configured with
   SCMP_ACT_TRAP. This will help users/developers to catch system calls
   that were not previously whitelisted.

Signed-off-by: Eduardo Otubo
--- Makefile.objs | 10 ++++++++++ configure | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+), 0 deletions(-) diff --git a/Makefile.objs b/Makefile.objs index 5ebbcfa..eb4efa3 100644 --- a/Makefile.objs +++ b/Makefile.objs 
@@ -96,6 +96,16 @@ common-obj-y += qemu-timer.o qemu-timer-common.o common-obj-$(CONFIG_SLIRP) += slirp/ ###################################################################### +# libseccomp +ifeq ($(CONFIG_SECCOMP),y) +common-obj-y += qemu-seccomp.o +endif + +ifeq ($(CONFIG_SECCOMP_DEBUG),y) +common-obj-y += qemu-seccomp-debug.o +endif + +###################################################################### # libuser user-obj-y = diff --git a/configure b/configure index 027a718..c12629b 100755 --- a/configure +++ b/configure @@ -195,6 +195,8 @@ zlib="yes" guest_agent="yes" libiscsi="" coroutine="" +seccomp="yes" +seccomp_debug="no" # parse CC options first for opt do @@ -824,6 +826,14 @@ for opt do ;; --disable-guest-agent) guest_agent="no" ;; + --enable-seccomp-debug) seccomp_debug="yes" + ;; + --disable-seccomp-debug) seccomp_debug="no" + ;; + --enable-seccomp) seccomp="yes" + ;; + --disable-seccomp) seccomp="no" + ;; *) echo "ERROR: unknown option $opt"; show_help="yes" ;; esac @@ -1110,6 +1120,10 @@ echo " --disable-usb-redir disable usb network redirection support" echo " --enable-usb-redir enable usb network redirection support" echo " --disable-guest-agent disable building of the QEMU Guest Agent" echo " --enable-guest-agent enable building of the QEMU Guest Agent" +echo " --disable-seccomp-debug disable seccomp debug support" +echo " --enable-seccomp-debug enables seccomp debug support" +echo " --disable-seccomp disable seccomp support" +echo " --enable-seccomp enables seccomp support" echo " --with-coroutine=BACKEND coroutine backend. Supported options:" echo " gthread, ucontext, sigaltstack, windows" echo "" 
@@ -1372,6 +1386,16 @@ EOF fi ########################################## +# libseccomp check + +if test "$seccomp" = "yes" ; then + if $pkg_config libseccomp --modversion >/dev/null 2>&1; then + LIBS=`$pkg_config --libs libseccomp` + else + feature_not_found "libseccomp" + fi +fi +########################################## # xen probe if test "$xen" != "no" ; then @@ -3103,6 +3127,8 @@ echo "usb net redir $usb_redir" echo "OpenGL support $opengl" echo "libiscsi support $libiscsi" echo "build guest agent $guest_agent" +echo "seccomp support $seccomp" +echo "seccomp debug $seccomp_debug" echo "coroutine backend $coroutine_backend" if test "$sdl_too_old" = "yes"; then @@ -3401,6 +3427,14 @@ if test "$libiscsi" = "yes" ; then echo "CONFIG_LIBISCSI=y" >> $config_host_mak fi +if test "$seccomp" = "yes"; then + echo "CONFIG_SECCOMP=y" >> $config_host_mak +fi + +if test "$seccomp_debug" = "yes"; then + echo "CONFIG_SECCOMP_DEBUG=y" >> $config_host_mak +fi + # XXX: suppress that if [ "$bsd" = "yes" ] ; then echo "CONFIG_BSD=y" >> $config_host_mak
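
Review bot: In the Makefile.objs hunk (@@ -96,6 +96,16 @@), common-obj-y gains qemu-seccomp.o and qemu-seccomp-debug.o, but the diffstat for this patch lists only Makefile.objs and configure, so neither object has a source file at this point in the series. With seccomp defaulting to "yes", a tree checked out at 1/4 will not build wherever libseccomp is found, which breaks bisection. Either move the Makefile.objs change into the patch that introduces qemu-seccomp.c, or order the series so the source lands first.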
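
Review bot: In the configure defaults hunk (@@ -195,6 +195,8 @@), seccomp="yes" makes libseccomp a hard requirement, because the later check calls feature_not_found whenever the value is "yes" and pkg-config cannot find the library. The neighbouring libiscsi="" and coroutine="" use an empty default so the feature is probed and silently disabled when absent; seccomp should do the same, and only fail when the user passed --enable-seccomp explicitly. The commit message also still says the default is 'no' and names the flag --enable-libseccomp, neither of which matches the code, so the description needs updating.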
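
Review bot: In the libseccomp check hunk (@@ -1372,6 +1386,16 @@), LIBS=`$pkg_config --libs libseccomp` assigns to LIBS instead of appending, so any libraries accumulated in LIBS by earlier probes are dropped from the link line. Append to the existing value instead, and pick up `$pkg_config --cflags libseccomp` as well, since only --libs is queried and a libseccomp installed outside the default include path would not compile. The check also runs on every host OS; seccomp is Linux-only, so the probe should be skipped (and seccomp set to "no") on non-Linux hosts rather than ending in feature_not_found. A blank line before the "# xen probe" separator would match the rest of the file.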
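
Review bot: In the config_host_mak hunk (@@ -3401,6 +3427,14 @@), CONFIG_SECCOMP_DEBUG=y is written whenever seccomp_debug is "yes", independent of seccomp, so --disable-seccomp --enable-seccomp-debug yields a build with qemu-seccomp-debug.o and without qemu-seccomp.o. Nest the debug test inside the `if test "$seccomp" = "yes"` block, or have configure reject that combination when parsing options. Since the commit message says debug mode switches the filter to SCMP_ACT_TRAP, the --enable-seccomp-debug help text should say so and note that it is intended for development builds; "enables" in the two new help lines should also read "enable" to match the surrounding entries.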