From patchwork Tue Oct 23 05:55:30 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Eduardo Otubo <otubo@linux.vnet.ibm.com>
X-Patchwork-Id: 193359
Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from lists.gnu.org (lists.gnu.org [208.118.235.17])
	(using TLSv1 with cipher AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by ozlabs.org (Postfix) with ESMTPS id 6E7762C00A6
	for <incoming@patchwork.ozlabs.org>;
	Tue, 23 Oct 2012 16:56:18 +1100 (EST)
Received: from localhost ([::1]:36600 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71) (envelope-from
	<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>)
	id 1TQXTM-0006A0-K6
	for incoming@patchwork.ozlabs.org; Tue, 23 Oct 2012 01:56:16 -0400
Received: from eggs.gnu.org ([208.118.235.92]:58979)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <otubo@linux.vnet.ibm.com>) id 1TQXT3-0005uW-5j
	for qemu-devel@nongnu.org; Tue, 23 Oct 2012 01:55:58 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <otubo@linux.vnet.ibm.com>) id 1TQXT1-0002gU-Mg
	for qemu-devel@nongnu.org; Tue, 23 Oct 2012 01:55:57 -0400
Received: from e24smtp01.br.ibm.com ([32.104.18.85]:47449)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <otubo@linux.vnet.ibm.com>) id 1TQXT1-0002gB-Bm
	for qemu-devel@nongnu.org; Tue, 23 Oct 2012 01:55:55 -0400
Received: from /spool/local
	by e24smtp01.br.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use
	Only! Violators will be prosecuted
	for <qemu-devel@nongnu.org> from <otubo@linux.vnet.ibm.com>;
	Tue, 23 Oct 2012 03:55:54 -0200
Received: from d24dlp02.br.ibm.com (9.18.248.206)
	by e24smtp01.br.ibm.com (10.172.0.143) with IBM ESMTP SMTP Gateway:
	Authorized Use Only! Violators will be prosecuted;
	Tue, 23 Oct 2012 03:55:47 -0200
Received: from d24relay02.br.ibm.com (d24relay02.br.ibm.com [9.13.184.26])
	by d24dlp02.br.ibm.com (Postfix) with ESMTP id 85D6F1DC001C
	for <qemu-devel@nongnu.org>; Tue, 23 Oct 2012 01:55:46 -0400 (EDT)
Received: from d24av02.br.ibm.com (d24av02.br.ibm.com [9.8.31.93])
	by d24relay02.br.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id
	q9N5tjel40173778
	for <qemu-devel@nongnu.org>; Tue, 23 Oct 2012 03:55:45 -0200
Received: from d24av02.br.ibm.com (loopback [127.0.0.1])
	by d24av02.br.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id
	q9N5tjeu028132
	for <qemu-devel@nongnu.org>; Tue, 23 Oct 2012 03:55:46 -0200
Received: from vader.ibm.com.com ([9.8.12.31])
	by d24av02.br.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id
	q9N5tjpF028094; Tue, 23 Oct 2012 03:55:45 -0200
From: Eduardo Otubo <otubo@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Date: Tue, 23 Oct 2012 03:55:30 -0200
Message-Id: <1350971732-16621-2-git-send-email-otubo@linux.vnet.ibm.com>
X-Mailer: git-send-email 1.7.12
In-Reply-To: <1350971732-16621-1-git-send-email-otubo@linux.vnet.ibm.com>
References: <1350971732-16621-1-git-send-email-otubo@linux.vnet.ibm.com>
X-Content-Scanned: Fidelis XPS MAILER
x-cbid: 12102305-1524-0000-0000-00000422FCB1
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
	recognized.
X-Received-From: 32.104.18.85
Cc: pmoore@redhat.com, aliguori@us.ibm.com, coreyb@linux.vnet.ibm.com,
	Eduardo Otubo <otubo@linux.vnet.ibm.com>
Subject: [Qemu-devel] [PATCHv2 2/4] Setting "-sandbox on" as deafult
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

Now the seccomp filter will be set to "on" even if no argument
"-sandbox" is given.

v2: nothing new

Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
---
 configure |  2 +-
 vl.c      | 38 +++++++++++++++++++++++++++-----------
 2 files changed, 28 insertions(+), 12 deletions(-)

diff --git a/configure b/configure
index 353d788..c613a51 100755
--- a/configure
+++ b/configure
@@ -220,7 +220,7 @@ guest_agent="yes"
 want_tools="yes"
 libiscsi=""
 coroutine=""
-seccomp=""
+seccomp="yes"
 glusterfs=""
 
 # parse CC options first
diff --git a/vl.c b/vl.c
index 5b357a3..bec68cd 100644
--- a/vl.c
+++ b/vl.c
@@ -276,6 +276,10 @@ static int default_cdrom = 1;
 static int default_sdcard = 1;
 static int default_vga = 1;
 
+#ifdef CONFIG_SECCOMP
+bool seccomp_on = true;
+#endif
+
 static struct {
     const char *driver;
     int *flag;
@@ -770,23 +774,28 @@ static int bt_parse(const char *opt)
     return 1;
 }
 
-static int parse_sandbox(QemuOpts *opts, void *opaque)
+static int install_seccomp_filters(void)
 {
-    /* FIXME: change this to true for 1.3 */
-    if (qemu_opt_get_bool(opts, "enable", false)) {
 #ifdef CONFIG_SECCOMP
-        if (seccomp_start() < 0) {
-            qerror_report(ERROR_CLASS_GENERIC_ERROR,
-                          "failed to install seccomp syscall filter in the kernel");
-            return -1;
-        }
-#else
+    if (seccomp_start() < 0) {
         qerror_report(ERROR_CLASS_GENERIC_ERROR,
-                      "sandboxing request but seccomp is not compiled into this build");
+                "failed to install seccomp syscall filter in the kernel");
         return -1;
-#endif
     }
+#else
+    qerror_report(ERROR_CLASS_GENERIC_ERROR,
+            "sandboxing requested but seccomp is not compiled into this build");
+    return -1;
+#endif
+    return 0;
+}
+
 
+static int parse_sandbox(QemuOpts *opts, void *opaque)
+{
+    if (!qemu_opt_get_bool(opts, "enable", true)) {
+        seccomp_on = false;
+    }
     return 0;
 }
 
@@ -3320,6 +3329,13 @@ int main(int argc, char **argv, char **envp)
         exit(1);
     }
 
+    /* We should install seccomp filters even if -sandbox on is not used. */
+    if (seccomp_on) {
+        if (install_seccomp_filters() < 0) {
+            exit(1);
+        }
+    }
+
     if (machine == NULL) {
         fprintf(stderr, "No machine found.\n");
         exit(1);