@@ -220,7 +220,7 @@ guest_agent="yes"
want_tools="yes"
libiscsi=""
coroutine=""
-seccomp=""
+seccomp="yes"
glusterfs=""
# parse CC options first
@@ -276,6 +276,10 @@ static int default_cdrom = 1;
static int default_sdcard = 1;
static int default_vga = 1;
+#ifdef CONFIG_SECCOMP
+bool seccomp_on = true;
+#endif
+
static struct {
const char *driver;
int *flag;
@@ -770,23 +774,28 @@ static int bt_parse(const char *opt)
return 1;
}
-static int parse_sandbox(QemuOpts *opts, void *opaque)
+static int install_seccomp_filters(void)
{
- /* FIXME: change this to true for 1.3 */
- if (qemu_opt_get_bool(opts, "enable", false)) {
#ifdef CONFIG_SECCOMP
- if (seccomp_start() < 0) {
- qerror_report(ERROR_CLASS_GENERIC_ERROR,
- "failed to install seccomp syscall filter in the kernel");
- return -1;
- }
-#else
+ if (seccomp_start() < 0) {
qerror_report(ERROR_CLASS_GENERIC_ERROR,
- "sandboxing request but seccomp is not compiled into this build");
+ "failed to install seccomp syscall filter in the kernel");
return -1;
-#endif
}
+#else
+ qerror_report(ERROR_CLASS_GENERIC_ERROR,
+ "sandboxing requested but seccomp is not compiled into this build");
+ return -1;
+#endif
+ return 0;
+}
+
+static int parse_sandbox(QemuOpts *opts, void *opaque)
+{
+ if (!qemu_opt_get_bool(opts, "enable", true)) {
+ seccomp_on = false;
+ }
return 0;
}
@@ -3320,6 +3329,13 @@ int main(int argc, char **argv, char **envp)
exit(1);
}
+ /* We should install seccomp filters even if -sandbox on is not used. */
+ if (seccomp_on) {
+ if (install_seccomp_filters() < 0) {
+ exit(1);
+ }
+ }
+
if (machine == NULL) {
fprintf(stderr, "No machine found.\n");
exit(1);
Now the seccomp filter will be set to "on" even if no argument "-sandbox" is given. Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com> --- configure | 2 +- vl.c | 38 +++++++++++++++++++++++++++----------- 2 files changed, 28 insertions(+), 12 deletions(-)