Patchwork [2/4] Setting "-sandbox on" as deafult

Submitter Eduardo Otubo
Date Oct. 17, 2012, 1:15 p.m.
Message ID <1350479712-15082-2-git-send-email-otubo@linux.vnet.ibm.com>
Permalink /patch/192037/
State New

Comments

Eduardo Otubo - Oct. 17, 2012, 1:15 p.m.
Now the seccomp filter will be set to "on" even if no argument
"-sandbox" is given.

Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
---
 configure |  2 +-
 vl.c      | 38 +++++++++++++++++++++++++++-----------
 2 files changed, 28 insertions(+), 12 deletions(-)
Corey Bryant - Oct. 18, 2012, 3:08 p.m.
I think it's worth noting that Eduardo is planning to submit a separate 
patch providing (commented out?) code that will allow developers to 
easily determine the syscalls that need to be added to the whitelist. 
That is, if QEMU is being killed by seccomp due to disallowed syscall usage.

Patch

diff --git a/configure b/configure
index 353d788..c613a51 100755
--- a/configure
+++ b/configure
@@ -220,7 +220,7 @@  guest_agent="yes"
 want_tools="yes"
 libiscsi=""
 coroutine=""
-seccomp=""
+seccomp="yes"
 glusterfs=""
 
 # parse CC options first
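Review bot: Changing the default from `seccomp=""` to `seccomp="yes"` presumably turns libseccomp from an auto-detected option into a required one, so configure would now stop on a host without libseccomp instead of building without the sandbox; the commit message does not say whether that is the intent. Given that vl.c in this same patch makes the sandbox default to on, a hard requirement is the safer choice — a silent fallback would leave a user believing the default sandbox is in effect when the build cannot provide it — but the new build requirement and the opt-out should be stated in the commit message.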
diff --git a/vl.c b/vl.c
index 5b357a3..bec68cd 100644
--- a/vl.c
+++ b/vl.c
@@ -276,6 +276,10 @@  static int default_cdrom = 1;
 static int default_sdcard = 1;
 static int default_vga = 1;
 
+#ifdef CONFIG_SECCOMP
+bool seccomp_on = true;
+#endif
+
 static struct {
     const char *driver;
     int *flag;
@@ -770,23 +774,28 @@  static int bt_parse(const char *opt)
     return 1;
 }
 
-static int parse_sandbox(QemuOpts *opts, void *opaque)
+static int install_seccomp_filters(void)
 {
-    /* FIXME: change this to true for 1.3 */
-    if (qemu_opt_get_bool(opts, "enable", false)) {
 #ifdef CONFIG_SECCOMP
-        if (seccomp_start() < 0) {
-            qerror_report(ERROR_CLASS_GENERIC_ERROR,
-                          "failed to install seccomp syscall filter in the kernel");
-            return -1;
-        }
-#else
+    if (seccomp_start() < 0) {
         qerror_report(ERROR_CLASS_GENERIC_ERROR,
-                      "sandboxing request but seccomp is not compiled into this build");
+                "failed to install seccomp syscall filter in the kernel");
         return -1;
-#endif
     }
+#else
+    qerror_report(ERROR_CLASS_GENERIC_ERROR,
+            "sandboxing requested but seccomp is not compiled into this build");
+    return -1;
+#endif
+    return 0;
+}
+
 
+static int parse_sandbox(QemuOpts *opts, void *opaque)
+{
+    if (!qemu_opt_get_bool(opts, "enable", true)) {
+        seccomp_on = false;
+    }
     return 0;
 }
 
@@ -3320,6 +3329,13 @@  int main(int argc, char **argv, char **envp)
         exit(1);
     }
 
+    /* We should install seccomp filters even if -sandbox on is not used. */
+    if (seccomp_on) {
+        if (install_seccomp_filters() < 0) {
+            exit(1);
+        }
+    }
+
     if (machine == NULL) {
         fprintf(stderr, "No machine found.\n");
         exit(1);
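Review bot: With `seccomp_on` defaulting to true, a failure of `install_seccomp_filters()` now aborts every QEMU start on a kernel or libseccomp that cannot install the filter, whereas before only users who passed `-sandbox on` were affected; whether `seccomp_start()` actually fails on such hosts is not visible here. Failing closed is the right default from a security standpoint, but it is a user-visible change that the commit message should state, together with `-sandbox off` as the way to run on such a host. The comment above the check would say this more directly as `/* Seccomp is on by default; only -sandbox off skips installing the filter. */`. The enclosing `main` starts and ends outside the hunk.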