[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-ppc] [Qemu-devel] [PATCH] Allow -sandbox off with --disable-se
|
From: |
Daniel P . Berrangé |
|
Subject: |
Re: [Qemu-ppc] [Qemu-devel] [PATCH] Allow -sandbox off with --disable-seccomp |
|
Date: |
Wed, 27 Feb 2019 14:08:43 +0000 |
|
User-agent: |
Mutt/1.10.1 (2018-07-13) |
On Wed, Feb 27, 2019 at 07:59:11AM -0600, Eric Blake wrote:
> On 2/27/19 5:01 AM, Daniel P. Berrangé wrote:
> > On Wed, Feb 27, 2019 at 12:21:32PM +1100, David Gibson wrote:
> >> At present, when seccomp support is compiled out with --disable-seccomp
> >> we fail with an error if the user puts -sandbox on the command line.
> >>
> >> That kind of makes sense, but it's a bit strange that we reject a request
> >> to disable sandboxing with "-sandbox off" saying we don't support
> >> sandboxing.
> >>
> >> This puts in a small sandbox to (correctly) silently ignore -sandbox off
> >> when we don't have sandboxing support compiled in. This makes life easier
> >> for testcases, since they can safely specify "-sandbox off" without having
> >> to care if the qemu they're using is compiled with sandbox support or not.
> >>
> >> Signed-off-by: David Gibson <address@hidden>
>
> > '-sandbox off' is just syntax sugar for '-sandbox enable=off', with
> > the default arg name handled by QemuOpts.
>
> Except that libvirt probes, via query-command-line-options, whether the
> '-sandbox' option supports the 'enable' key. You risk breaking
> introspection (where libvirt knows NOT to use enable=on|off) if -sandbox
> enable=off is advertised even when the feature is not compiled in.
It is even more complex than that. Libvirt looks for "elevateprivileges"
option to decide to enable the sandbox. It only looks for "enable" when
libvirt is configured to disable the sandbox, at which point is sets
"-sandbox off". So I don't think my suggestion should break it.
I do hate the idea of QEMU tailoring its CLI handling to suit the
current specific impl of one client app though.
If anything I'd suggest we should completely disable any parsing
of -sandbox when seccomp is disabled, rather than leaving getopt
to parse -sandbox and then raise an error.
>
> >
> > If we want to keep ability to run "-sandbox off" we should do it via
> > the QEMU opts code we already have in the first part of the conditional,
> > so that "-sandbox enable=off" also works as normal.
> >
> > Essentially we need to push the #ifdef CONFIG_SECCOMP down into the
> > parse_sandbox method, so that it parses the "enable" option normally
> > but rejects any value except disabled..
> >
> > The QemuOptsList should also be conditional to only register the
> > "enable" arg and not the other bits.
>
> Whatever we do here had better be careful that the introspection used by
> libvirt doesn't break, when libvirt is trying to learn when seccomp was
> not compiled in.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|