Patchwork [v7,4/4] Command line support for seccomp with -sandbox

login
register
mail settings
Submitter Eduardo Otubo
Date Aug. 14, 2012, 9:44 p.m.
Message ID <1344980648-18723-5-git-send-email-otubo@linux.vnet.ibm.com>
Download mbox | patch
Permalink /patch/177463/
State New
Headers show

Comments

Eduardo Otubo - Aug. 14, 2012, 9:44 p.m.
v7:
 * New in v7
 * The seccomp filter can be switched on and off using the command line
   option "-sandbox", the default value is off.

Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
---
 qemu-config.c   |   13 +++++++++++++
 qemu-config.h   |    1 +
 qemu-options.hx |   10 ++++++++++
 vl.c            |   17 +++++++++--------
 4 files changed, 33 insertions(+), 8 deletions(-)

Patch

diff --git a/qemu-config.c b/qemu-config.c
index 5c3296b..b1e2277 100644
--- a/qemu-config.c
+++ b/qemu-config.c
@@ -362,6 +362,18 @@  static QemuOptsList qemu_global_opts = {
     },
 };
 
+QemuOptsList qemu_sandbox_opts = {
+    .name = "sandbox",
+    .head = QTAILQ_HEAD_INITIALIZER(qemu_sandbox_opts.head),
+    .desc = {
+        {
+            .name = "sandbox",
+            .type = QEMU_OPT_BOOL,
+        },
+        { /* end of list */ }
+    },
+};
+
 static QemuOptsList qemu_mon_opts = {
     .name = "mon",
     .implied_opt_name = "chardev",
@@ -641,6 +653,7 @@  static QemuOptsList *vm_config_groups[32] = {
     &qemu_machine_opts,
     &qemu_boot_opts,
     &qemu_iscsi_opts,
+    &qemu_sandbox_opts,
     NULL,
 };
 
diff --git a/qemu-config.h b/qemu-config.h
index 12ddf3e..5557562 100644
--- a/qemu-config.h
+++ b/qemu-config.h
@@ -6,6 +6,7 @@ 
 extern QemuOptsList qemu_fsdev_opts;
 extern QemuOptsList qemu_virtfs_opts;
 extern QemuOptsList qemu_spice_opts;
+extern QemuOptsList qemu_sandbox_opts;
 
 QemuOptsList *qemu_find_opts(const char *group);
 QemuOptsList *qemu_find_opts_err(const char *group, Error **errp);
diff --git a/qemu-options.hx b/qemu-options.hx
index 47cb5bd..a26f640 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -2720,6 +2720,16 @@  STEXI
 Old param mode (ARM only).
 ETEXI
 
+#ifdef CONFIG_SECCOMP
+DEF("sandbox", 0, QEMU_OPTION_sandbox, \
+    "-sandbox        Enable Seccomp mode 2 system call filter. Default value is disabled,\n", QEMU_ARCH_ALL)
+STEXI
+@item -sandbox
+@findex -sandbox
+Enable Seccomp mode 2 system call filter. Default value is disabled,
+ETEXI
+#endif
+
 DEF("readconfig", HAS_ARG, QEMU_OPTION_readconfig,
     "-readconfig <file>\n", QEMU_ARCH_ALL)
 STEXI
diff --git a/vl.c b/vl.c
index 2c62efc..775b6af 100644
--- a/vl.c
+++ b/vl.c
@@ -2304,14 +2304,6 @@  int main(int argc, char **argv, char **envp)
     const char *trace_events = NULL;
     const char *trace_file = NULL;
 
-#ifdef CONFIG_SECCOMP
-    if (seccomp_start() < 0) {
-        fprintf(stderr,
-                "seccomp: failed to install syscall filter in the kernel\n");
-        exit(1);
-    }
-#endif
-
     atexit(qemu_run_exit_notifiers);
     error_set_progname(argv[0]);
 
@@ -3215,6 +3207,15 @@  int main(int argc, char **argv, char **envp)
             case QEMU_OPTION_qtest_log:
                 qtest_log = optarg;
                 break;
+#ifdef CONFIG_SECCOMP
+            case QEMU_OPTION_sandbox:
+                if (seccomp_start() < 0) {
+                    fprintf(stderr,
+                            "seccomp: failed to install syscall filter in the kernel\n");
+                    exit(1);
+                }
+                break;
+#endif
             default:
                 os_parse_cmd_args(popt->index, optarg);
             }