
[2/4] Setting "-sandbox on" as deafult

Message ID 1350479712-15082-2-git-send-email-otubo@linux.vnet.ibm.com

Commit Message

Eduardo Otubo Oct. 17, 2012, 1:15 p.m. UTC
Now the seccomp filter will be set to "on" even if no argument
"-sandbox" is given.

Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
---
 configure |  2 +-
 vl.c      | 38 +++++++++++++++++++++++++++-----------
 2 files changed, 28 insertions(+), 12 deletions(-)

Comments

Corey Bryant Oct. 18, 2012, 3:08 p.m. UTC | #1
I think it's worth noting that Eduardo is planning to submit a separate 
patch providing (commented out?) code that will allow developers to 
easily determine the syscalls that need to be added to the whitelist. 
That is, if QEMU is being killed by seccomp due to disallowed syscall usage.

Patch

diff --git a/configure b/configure
index 353d788..c613a51 100755
--- a/configure
+++ b/configure
@@ -220,7 +220,7 @@  guest_agent="yes"
 want_tools="yes"
 libiscsi=""
 coroutine=""
-seccomp=""
+seccomp="yes"
 glusterfs=""
 
 # parse CC options first
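Review bot: The new default `seccomp="yes"` changes the build-time policy as well as the runtime one, and the commit message only describes the runtime side. The neighbouring feature variables in this hunk (`libiscsi=""`, `coroutine=""`, `glusterfs=""`) use the empty string, which in this script presumably means auto-detect; if `"yes"` carries the usual meaning of a hard requirement, a host without the seccomp library now fails to configure instead of silently building without the sandbox. That is a defensible fail-closed choice, but it should be stated in the message; if auto-detection was intended, the line should stay `seccomp=""` and only the runtime default in vl.c should change.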
diff --git a/vl.c b/vl.c
index 5b357a3..bec68cd 100644
--- a/vl.c
+++ b/vl.c
@@ -276,6 +276,10 @@  static int default_cdrom = 1;
 static int default_sdcard = 1;
 static int default_vga = 1;
 
+#ifdef CONFIG_SECCOMP
+bool seccomp_on = true;
+#endif
+
 static struct {
     const char *driver;
     int *flag;
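Review bot: `seccomp_on` is declared only under `#ifdef CONFIG_SECCOMP`, but the new `parse_sandbox` body and the new block in `main` (the later hunks of this file) reference it unconditionally, so a build without seccomp no longer compiles. Declare it outside the `#ifdef`, and since nothing in the hunk shows it being exported through a header, keep it file-scoped: `static bool seccomp_on = true;`. The initialiser could also encode availability, `true` when CONFIG_SECCOMP is defined and `false` otherwise, so the default means "sandbox whenever the build can" rather than "always request it"; the uses in `parse_sandbox` and `main` would then work unchanged on both configurations.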
@@ -770,23 +774,28 @@  static int bt_parse(const char *opt)
     return 1;
 }
 
-static int parse_sandbox(QemuOpts *opts, void *opaque)
+static int install_seccomp_filters(void)
 {
-    /* FIXME: change this to true for 1.3 */
-    if (qemu_opt_get_bool(opts, "enable", false)) {
 #ifdef CONFIG_SECCOMP
-        if (seccomp_start() < 0) {
-            qerror_report(ERROR_CLASS_GENERIC_ERROR,
-                          "failed to install seccomp syscall filter in the kernel");
-            return -1;
-        }
-#else
+    if (seccomp_start() < 0) {
         qerror_report(ERROR_CLASS_GENERIC_ERROR,
-                      "sandboxing request but seccomp is not compiled into this build");
+                "failed to install seccomp syscall filter in the kernel");
         return -1;
-#endif
     }
+#else
+    qerror_report(ERROR_CLASS_GENERIC_ERROR,
+            "sandboxing requested but seccomp is not compiled into this build");
+    return -1;
+#endif
+    return 0;
+}
+
 
+static int parse_sandbox(QemuOpts *opts, void *opaque)
+{
+    if (!qemu_opt_get_bool(opts, "enable", true)) {
+        seccomp_on = false;
+    }
     return 0;
 }
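Review bot: Because `seccomp_on` defaults to true and `main` now calls `install_seccomp_filters()` whenever that flag is set, the `#else` branch reports "sandboxing requested but seccomp is not compiled into this build" and aborts start-up on every non-seccomp build even when no `-sandbox` option was given, which is not what the commit message describes. The explicit-request case belongs in `parse_sandbox`, the only place that knows whether the user asked; `install_seccomp_filters` can then drop its `#else` branch and keep only the CONFIG_SECCOMP path, which also removes the `return 0;` that is unreachable after the `#else` branch's `return -1;`. The sketch below assumes `seccomp_on` is declared for both build configurations and initialised to `false` when CONFIG_SECCOMP is absent.
```c
static int parse_sandbox(QemuOpts *opts, void *opaque)
{
    seccomp_on = qemu_opt_get_bool(opts, "enable", true);
#ifndef CONFIG_SECCOMP
    /* Only an explicit request may fail a build that lacks seccomp. */
    if (seccomp_on) {
        qerror_report(ERROR_CLASS_GENERIC_ERROR,
                "sandboxing requested but seccomp is not compiled into this build");
        return -1;
    }
#endif
    return 0;
}
```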
 
@@ -3320,6 +3329,13 @@  int main(int argc, char **argv, char **envp)
         exit(1);
     }
 
+    /* We should install seccomp filters even if -sandbox on is not used. */
+    if (seccomp_on) {
+        if (install_seccomp_filters() < 0) {
+            exit(1);
+        }
+    }
+
     if (machine == NULL) {
         fprintf(stderr, "No machine found.\n");
         exit(1);
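Review bot: The comment on the new block says the filters are installed "even if -sandbox on is not used", but what the code does is honour `seccomp_on`, i.e. install unless the user turned the sandbox off; the comment should state the policy a reader can verify against the code, e.g. `/* Install the seccomp filter unless the user disabled it via -sandbox. */`. The nested ifs can be a single guard, `if (seccomp_on && install_seccomp_filters() < 0) { exit(1); }`. `main` starts and ends outside the hunk, so it is not visible here whether `parse_sandbox` has already run by this point, which the flag relies on; worth confirming against the option-parsing order.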