subject:"\[libvirt\] \[PATCHv2 1\/4\] Introduce QEMU_CAPS_SECCOMP

Re: [libvirt] [PATCHv2 1/4] Introduce QEMU_CAPS_SECCOMP_BLACKLIST

2018-04-16 Thread Daniel P . Berrangé

On Tue, Apr 10, 2018 at 04:49:39PM +0200, Ján Tomko wrote:
> QEMU commit 1bd6152 changed the default behavior from whitelist
> to blacklist and introduced a few sets of system calls.
> 
> Use the 'elevateprivileges' parameter of -sandbox as a witness
> of this change.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1492597
> 
> Signed-off-by: Ján Tomko 
> ---
>  src/qemu/qemu_capabilities.c   | 2 ++
>  src/qemu/qemu_capabilities.h   | 1 +
>  tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml   | 1 +
>  tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 1 +
>  tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml   | 1 +
>  tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml   | 1 +
>  tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml  | 1 +
>  7 files changed, 8 insertions(+)

Reviewed-by: Daniel P. Berrangé 


> 
> diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
> index 35905e993..729e29e20 100644
> --- a/src/qemu/qemu_capabilities.c
> +++ b/src/qemu/qemu_capabilities.c
> @@ -468,6 +468,7 @@ VIR_ENUM_IMPL(virQEMUCaps, QEMU_CAPS_LAST,
>"virtio-tablet-ccw",
>"qcow2-luks",
>"pcie-pci-bridge",
> +  "seccomp-blacklist",
>  );
>  
>  
> @@ -3214,6 +3215,7 @@ static struct virQEMUCapsCommandLineProps 
> virQEMUCapsCommandLine[] = {
>  { "machine", "loadparm", QEMU_CAPS_LOADPARM },
>  { "vnc", "vnc", QEMU_CAPS_VNC_MULTI_SERVERS },
>  { "chardev", "reconnect", QEMU_CAPS_CHARDEV_RECONNECT },
> +{ "sandbox", "elevateprivileges", QEMU_CAPS_SECCOMP_BLACKLIST },
>  };
>  
>  static int
> diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
> index bec28cae9..d88102f34 100644
> --- a/src/qemu/qemu_capabilities.h
> +++ b/src/qemu/qemu_capabilities.h
> @@ -452,6 +452,7 @@ typedef enum {
>  QEMU_CAPS_DEVICE_VIRTIO_TABLET_CCW, /* -device virtio-tablet-ccw */
>  QEMU_CAPS_QCOW2_LUKS, /* qcow2 format support LUKS encryption */
>  QEMU_CAPS_DEVICE_PCIE_PCI_BRIDGE, /* -device pcie-pci-bridge */
> +QEMU_CAPS_SECCOMP_BLACKLIST, /* -sandbox.elevateprivileges */
>  
>  QEMU_CAPS_LAST /* this must always be the last item */
>  } virQEMUCapsFlags;
> diff --git a/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml 
> b/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml
> index cbd645ae9..3861666e5 100644
> --- a/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml
> +++ b/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml
> @@ -151,6 +151,7 @@
>
>
>
> +  
>2011000
>0
>342058
> diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml 
> b/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml
> index 66629ff5b..39238a9b6 100644
> --- a/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml
> +++ b/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml
> @@ -189,6 +189,7 @@
>
>
>
> +  
>2011090
>0
>342346
> diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml 
> b/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml
> index 1122d6408..6bf293b9d 100644
> --- a/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml
> +++ b/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml
> @@ -186,6 +186,7 @@
>
>
>
> +  
>2011090
>0
>419215
> diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml 
> b/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml
> index 191b1e0e3..b77aec9c9 100644
> --- a/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml
> +++ b/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml
> @@ -151,6 +151,7 @@
>
>
>
> +  
>2011090
>0
>0
> diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml 
> b/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml
> index 4ed2e1ea9..1bb825c9b 100644
> --- a/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml
> +++ b/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml
> @@ -227,6 +227,7 @@
>
>
>
> +  
>2011090
>0
>390060
> -- 
> 2.16.1
> 
> --
> libvir-list mailing list
> libvir-list@redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list

Regards,
Daniel
-- 
|: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCHv2 1/4] Introduce QEMU_CAPS_SECCOMP_BLACKLIST

2018-04-15 Thread John Ferlan



On 04/10/2018 10:49 AM, Ján Tomko wrote:
> QEMU commit 1bd6152 changed the default behavior from whitelist
> to blacklist and introduced a few sets of system calls.
> 
> Use the 'elevateprivileges' parameter of -sandbox as a witness
> of this change.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1492597
> 
> Signed-off-by: Ján Tomko 
> ---
>  src/qemu/qemu_capabilities.c   | 2 ++
>  src/qemu/qemu_capabilities.h   | 1 +
>  tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml   | 1 +
>  tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 1 +
>  tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml   | 1 +
>  tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml   | 1 +
>  tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml  | 1 +
>  7 files changed, 8 insertions(+)
> 

Reviewed-by: John Ferlan 

John

Although I think this should be patch 3...  not that it really matters.

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

[libvirt] [PATCHv2 1/4] Introduce QEMU_CAPS_SECCOMP_BLACKLIST

2018-04-10 Thread Ján Tomko

QEMU commit 1bd6152 changed the default behavior from whitelist
to blacklist and introduced a few sets of system calls.

Use the 'elevateprivileges' parameter of -sandbox as a witness
of this change.

https://bugzilla.redhat.com/show_bug.cgi?id=1492597

Signed-off-by: Ján Tomko 
---
 src/qemu/qemu_capabilities.c   | 2 ++
 src/qemu/qemu_capabilities.h   | 1 +
 tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml   | 1 +
 tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 1 +
 tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml   | 1 +
 tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml   | 1 +
 tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml  | 1 +
 7 files changed, 8 insertions(+)

diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 35905e993..729e29e20 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -468,6 +468,7 @@ VIR_ENUM_IMPL(virQEMUCaps, QEMU_CAPS_LAST,
   "virtio-tablet-ccw",
   "qcow2-luks",
   "pcie-pci-bridge",
+  "seccomp-blacklist",
 );
 
 
@@ -3214,6 +3215,7 @@ static struct virQEMUCapsCommandLineProps 
virQEMUCapsCommandLine[] = {
 { "machine", "loadparm", QEMU_CAPS_LOADPARM },
 { "vnc", "vnc", QEMU_CAPS_VNC_MULTI_SERVERS },
 { "chardev", "reconnect", QEMU_CAPS_CHARDEV_RECONNECT },
+{ "sandbox", "elevateprivileges", QEMU_CAPS_SECCOMP_BLACKLIST },
 };
 
 static int
diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
index bec28cae9..d88102f34 100644
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -452,6 +452,7 @@ typedef enum {
 QEMU_CAPS_DEVICE_VIRTIO_TABLET_CCW, /* -device virtio-tablet-ccw */
 QEMU_CAPS_QCOW2_LUKS, /* qcow2 format support LUKS encryption */
 QEMU_CAPS_DEVICE_PCIE_PCI_BRIDGE, /* -device pcie-pci-bridge */
+QEMU_CAPS_SECCOMP_BLACKLIST, /* -sandbox.elevateprivileges */
 
 QEMU_CAPS_LAST /* this must always be the last item */
 } virQEMUCapsFlags;
diff --git a/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml 
b/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml
index cbd645ae9..3861666e5 100644
--- a/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml
@@ -151,6 +151,7 @@
   
   
   
+  
   2011000
   0
   342058
diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml 
b/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml
index 66629ff5b..39238a9b6 100644
--- a/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml
@@ -189,6 +189,7 @@
   
   
   
+  
   2011090
   0
   342346
diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml 
b/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml
index 1122d6408..6bf293b9d 100644
--- a/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml
@@ -186,6 +186,7 @@
   
   
   
+  
   2011090
   0
   419215
diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml 
b/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml
index 191b1e0e3..b77aec9c9 100644
--- a/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml
@@ -151,6 +151,7 @@
   
   
   
+  
   2011090
   0
   0
diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml 
b/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml
index 4ed2e1ea9..1bb825c9b 100644
--- a/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml
@@ -227,6 +227,7 @@
   
   
   
+  
   2011090
   0
   390060
-- 
2.16.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCHv2 1/4] Introduce QEMU_CAPS_SECCOMP_BLACKLIST

Re: [libvirt] [PATCHv2 1/4] Introduce QEMU_CAPS_SECCOMP_BLACKLIST

[libvirt] [PATCHv2 1/4] Introduce QEMU_CAPS_SECCOMP_BLACKLIST

3 matches

Site Navigation

Mail list logo

Footer information