Re: [Qemu-devel] [PATCH v3 2/6] seccomp: add obsolete argument to comman

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH v3 2/6] seccomp: add obsolete argument to comman

From:	Daniel P. Berrange
Subject:	Re: [Qemu-devel] [PATCH v3 2/6] seccomp: add obsolete argument to command line
Date:	Wed, 2 Aug 2017 13:38:58 +0100
User-agent:	Mutt/1.8.3 (2017-05-23)

On Wed, Aug 02, 2017 at 01:33:56PM +0100, Daniel P. Berrange wrote:
> On Fri, Jul 28, 2017 at 02:10:36PM +0200, Eduardo Otubo wrote:
> > This patch introduces the argument [,obsolete=allow] to the `-sandbox on'
> > option. It allows Qemu to run safely on old system that still relies on
> > old system calls.
> > 
> > Signed-off-by: Eduardo Otubo <address@hidden>
> > ---
> >  include/sysemu/seccomp.h |  4 +++-
> >  qemu-options.hx          |  9 +++++++--
> >  qemu-seccomp.c           | 32 +++++++++++++++++++++++++++++++-
> >  vl.c                     | 16 +++++++++++++++-
> >  4 files changed, 56 insertions(+), 5 deletions(-)


> > @@ -1032,7 +1036,17 @@ static int parse_sandbox(void *opaque, QemuOpts 
> > *opts, Error **errp)
> >  {
> >      if (qemu_opt_get_bool(opts, "enable", false)) {
> >  #ifdef CONFIG_SECCOMP
> > -        if (seccomp_start() < 0) {
> > +        uint8_t seccomp_opts = 0x0000;
> > +        const char *value = NULL;
> > +
> > +        value = qemu_opt_get(opts, "obsolete");
> > +        if (value) {
> > +            if (strcmp(value, "allow") == 0) {
> > +                seccomp_opts |= OBSOLETE;
> > +            }
> > +        }
> 
> IIUC, the values will all be booleans, so we should just use
> 
>    if (qemu_opt_get_bool(opts, "obsolete", false))
>        seccomp_opts |= OBSOLETE;

Oh ignore this. I see from the next patch, we can't treat it as a boolean.

We should however explicitly look for 'value == deny', and then reject
all other values with an error message

> 
> > +
> > +        if (seccomp_start(seccomp_opts) < 0) {
> >              error_report("failed to install seccomp syscall filter "
> >                           "in the kernel");
> >              return -1;

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Qemu-devel] [PATCH v3 2/6] seccomp: add obsolete argument to command line, Daniel P. Berrange, 2017/08/02
- Re: [Qemu-devel] [PATCH v3 2/6] seccomp: add obsolete argument to command line, Daniel P. Berrange <=
- Re: [Qemu-devel] [PATCH v3 2/6] seccomp: add obsolete argument to command line, Eduardo Otubo, 2017/08/11
  - Re: [Qemu-devel] [PATCH v3 2/6] seccomp: add obsolete argument to command line, Daniel P. Berrange, 2017/08/11
  - Re: [Qemu-devel] [PATCH v3 2/6] seccomp: add obsolete argument to command line, Eduardo Otubo, 2017/08/11

Prev by Date: Re: [Qemu-devel] [PATCH v3 3/6] seccomp: add elevateprivileges argument to command line
Next by Date: Re: [Qemu-devel] [PATCH v3 6/6] seccomp: adding documentation to new seccomp model
Previous by thread: Re: [Qemu-devel] [PATCH v3 2/6] seccomp: add obsolete argument to command line
Next by thread: Re: [Qemu-devel] [PATCH v3 2/6] seccomp: add obsolete argument to command line
Index(es):
- Date
- Thread