Re: [Qemu-devel] [PATCH] Whitelist sysinfo call

2016-03-11 Thread Eduardo Otubo
e the frequency it is called by running strace? Thanks for the patch. -- Eduardo Otubo ProfitBricks GmbH

[Qemu-devel] [PULL 02/03] configure: arm/aarch64: allow enable-seccomp

2015-11-16 Thread Eduardo Otubo
platforms as well, with additional configure patches, given they're tested and proven to work. Signed-off-by: Andrew Jones Acked-by: Eduardo Otubo --- configure | 32 +--- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/configure b/configure index f7

[Qemu-devel] [PULL 01/03] seccomp: add cacheflush to whitelist

2015-11-16 Thread Eduardo Otubo
From: Andrew Jones cacheflush is an arm-specific syscall that qemu built for arm uses. Add it to the whitelist, but only if we're linking with a recent enough libseccomp. Signed-off-by: Andrew Jones Acked-by: Eduardo Otubo --- qemu-seccomp.c | 13 - 1 file changed, 12 inser

[Qemu-devel] [PULL 03/03] seccomp: loosen library version dependency

2015-11-16 Thread Eduardo Otubo
s (to me) new interfaces or critical bug fixes. Signed-off-by: dann frazier Acked-by: Eduardo Otubo --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index dd47d9b..0a4c78a 100755 --- a/configure +++ b/configure @@ -1890,7 +1890,7 @@ fi if

[Qemu-devel] [PULL 00/03] seccomp branch queue

2015-11-16 Thread Eduardo Otubo
The following changes since commit 8337c6cbc37c6b2184f41bab3eaff47d5e68012a: Update version for v2.5.0-rc0 release (2015-11-13 17:10:36 +) are available in the git repository at: git://github.com/otubo/qemu.git tags/pull-seccomp-20151116 for you to fetch changes up to ba060c53d585d186ff

Re: [Qemu-devel] [PULL 04/05] seccomp: add setuid, setgid, chroot and setgroups to whitelist

2015-11-11 Thread Eduardo Otubo
On Mon, Nov 02, 2015 at 08=51=26AM +0100, Paolo Bonzini wrote: > > > On 30/10/2015 14:44, Eduardo Otubo wrote: > > From: Namsun Ch'o > > > > The seccomp sandbox doesn't whitelist setuid, setgid, or setgroups, which > > are > > needed for -runas

Re: [Qemu-devel] [PATCH v3] seccomp: add cacheflush to whitelist

2015-11-11 Thread Eduardo Otubo
YS(inotify_init1), 240 }, > > { SCMP_SYS(inotify_add_watch), 240 }, > > { SCMP_SYS(mbind), 240 }, > > -{ SCMP_SYS(memfd_create), 240 } > > +{ SCMP_SYS(memfd_create), 240 }, > > +#ifdef HAVE_CACHEFLUSH > > +{ SCMP_SYS(cacheflush), 240 }, > > +#e

[Qemu-devel] [PULL 04/05] seccomp: add setuid, setgid, chroot and setgroups to whitelist

2015-10-30 Thread Eduardo Otubo
o without these whitelisted, -runas and -chroot cause QEMU to be killed with -sandbox on. This patch adds those syscalls. Signed-off-by: Namsun Ch'o Acked-by: Eduardo Otubo --- qemu-seccomp.c | 4 1 file changed, 4 insertions(+) diff --git a/qemu-seccomp.c b/qemu-seccomp.c index e7a54e8..

[Qemu-devel] [PULL 03/05] seccomp: add madvise, shmget, and shmctl to whitelist

2015-10-30 Thread Eduardo Otubo
From: Namsun Ch'o This patch introduces madvise, shmget, shmctl and its flags to the seccomp whitelist. This prevents Qemu from breaking in case of using -runas or chroot with sandbox enabled. Signed-off-by: Namsun Ch'o Acked-by: Eduardo Otubo --- Changelog: v1 - Created argument filte

[Qemu-devel] [PULL 02/05] configure: arm/aarch64: allow enable-seccomp

2015-10-30 Thread Eduardo Otubo
platforms as well, with additional configure patches, given they're tested and proven to work. Signed-off-by: Andrew Jones Acked-by: Eduardo Otubo --- configure | 32 +--- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/configure b/configure index f0

[Qemu-devel] [PULL 05/05] seccomp: loosen library version dependency

2015-10-30 Thread Eduardo Otubo
s (to me) new interfaces or critical bug fixes. Signed-off-by: dann frazier Acked-by: Eduardo Otubo --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 7d5aab2..8a9794b 100755 --- a/configure +++ b/configure @@ -1878,7 +1878,7 @@ fi if

[Qemu-devel] [PULL 00/05] seccomp branch queue

2015-10-30 Thread Eduardo Otubo
The following changes since commit c49d3411faae8ffaab8f7e5db47405a008411c10: Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2015-10-12' into staging (2015-10-13 10:42:06 +0100) are available in the git repository at: git://github.com/otubo/qemu.git tags/pull-seccomp-20151030 f

[Qemu-devel] [PULL 01/05] seccomp: add cacheflush to whitelist

2015-10-30 Thread Eduardo Otubo
From: Andrew Jones cacheflush is an arm-specific syscall that qemu built for arm uses. Add it to the whitelist. Signed-off-by: Andrew Jones Acked-by: Eduardo Otubo --- qemu-seccomp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/qemu-seccomp.c b/qemu-seccomp.c index

Re: [Qemu-devel] [PATCH] seccomp: loosen library version dependency

2015-10-22 Thread Eduardo Otubo
t; else > if test "$seccomp" = "yes"; then > -feature_not_found "libseccomp" "Install libseccomp devel >= > 2.1.1" > +feature_not_found "libseccomp" "Install libseccomp devel >= > 2.1.0" > fi > seccomp="no" > fi > -- > 2.6.1 > -- Eduardo Otubo ProfitBricks GmbH

Re: [Qemu-devel] [PULL 00/04] seccomp branch queue

2015-10-22 Thread Eduardo Otubo
On Fri, Oct 16, 2015 at 05=12=18PM +0100, Peter Maydell wrote: > On 15 October 2015 at 08:57, Eduardo Otubo > wrote: > > The following changes since commit c49d3411faae8ffaab8f7e5db47405a008411c10: > > > > Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-

[Qemu-devel] [PULL 04/04] Add syscalls for -runas and -chroot to the seccomp sandbox

2015-10-15 Thread Eduardo Otubo
o without these whitelisted, -runas and -chroot cause QEMU to be killed with -sandbox on. This patch adds those syscalls. Signed-off-by: Namsun Ch'o Acked-by: Eduardo Otubo --- qemu-seccomp.c | 4 1 file changed, 4 insertions(+) diff --git a/qemu-seccomp.c b/qemu-seccomp.c index e7a54e8..

[Qemu-devel] [PULL 01/04] libseccomp: add cacheflush to whitelist

2015-10-15 Thread Eduardo Otubo
From: Andrew Jones cacheflush is an arm-specific syscall that qemu built for arm uses. Add it to the whitelist. Signed-off-by: Andrew Jones Acked-by: Eduardo Otubo --- qemu-seccomp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/qemu-seccomp.c b/qemu-seccomp.c index

[Qemu-devel] [PULL 03/04] Add argument filters to the seccomp sandbox

2015-10-15 Thread Eduardo Otubo
ead of IPC_CREAT. - Removed the comma on the last entry of the madvise_flags array. - Removed one madvise flag (MADV_INVALID) which doesn't exist, apparently. Signed-off-by: Namsun Ch'o Acked-by: Eduardo Otubo --- qemu-seccomp.c | 58

[Qemu-devel] [PULL 02/04] configure: arm/aarch64: allow enable-seccomp

2015-10-15 Thread Eduardo Otubo
platforms as well, with additional configure patches, given they're tested and proven to work. Signed-off-by: Andrew Jones Acked-by: Eduardo Otubo --- configure | 32 +--- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/configure b/configure index f0

[Qemu-devel] [PULL 00/04] seccomp branch queue

2015-10-15 Thread Eduardo Otubo
The following changes since commit c49d3411faae8ffaab8f7e5db47405a008411c10: Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2015-10-12' into staging (2015-10-13 10:42:06 +0100) are available in the git repository at: git://github.com/otubo/qemu.git tags/pull-seccomp-20151015 f

Re: [Qemu-devel] [PATCH] libseccomp: add cacheflush to whitelist

2015-10-14 Thread Eduardo Otubo
On Wed, Oct 14, 2015 at 03=25=00PM +0200, Markus Armbruster wrote: > Andrew Jones writes: > > > On Wed, Oct 14, 2015 at 11:03:37AM +0200, Eduardo Otubo wrote: > >> On Tue, Sep 29, 2015 at 11=39=46AM +0200, Eduardo Otubo wrote: > >> > On Thu, Sep 24, 2015 at 03=

[Qemu-devel] [PULL 01/04] libseccomp: add cacheflush to whitelist

2015-10-14 Thread Eduardo Otubo
From: Andrew Jones cacheflush is an arm-specific syscall that qemu built for arm uses. Add it to the whitelist. Signed-off-by: Andrew Jones Acked-by: Eduardo Otubo --- qemu-seccomp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/qemu-seccomp.c b/qemu-seccomp.c index

[Qemu-devel] [PULL 03/04] Add argument filters to the seccomp sandbox

2015-10-14 Thread Eduardo Otubo
ead of IPC_CREAT. - Removed the comma on the last entry of the madvise_flags array. - Removed one madvise flag (MADV_INVALID) which doesn't exist, apparently. Signed-off-by: Namsun Ch'o Acked-by: Eduardo Otubo --- qemu-seccomp.c | 58

[Qemu-devel] [PULL 04/04] Add syscalls for -runas and -chroot to the seccomp sandbox

2015-10-14 Thread Eduardo Otubo
o without these whitelisted, -runas and -chroot cause QEMU to be killed with -sandbox on. This patch adds those syscalls. Signed-off-by: Namsun Ch'o Acked-by: Eduardo Otubo --- qemu-seccomp.c | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/qemu-seccomp.c b/qemu-sec

[Qemu-devel] [PULL 02/04] configure: arm/aarch64: allow enable-seccomp

2015-10-14 Thread Eduardo Otubo
platforms as well, with additional configure patches, given they're tested and proven to work. Signed-off-by: Andrew Jones Acked-by: Eduardo Otubo --- configure | 32 +--- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/configure b/configure index f0

[Qemu-devel] [PULL 00/04] seccomp branch queue

2015-10-14 Thread Eduardo Otubo
The following changes since commit c49d3411faae8ffaab8f7e5db47405a008411c10: Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2015-10-12' into staging (2015-10-13 10:42:06 +0100) are available in the git repository at: git://github.com/otubo/qemu.git tags/pull-seccomp-20151014 f

Re: [Qemu-devel] [PATCH] libseccomp: add cacheflush to whitelist

2015-10-14 Thread Eduardo Otubo
On Tue, Sep 29, 2015 at 11=39=46AM +0200, Eduardo Otubo wrote: > On Thu, Sep 24, 2015 at 03=50=04PM +0200, Andrew Jones wrote: > > On Thu, Sep 24, 2015 at 11:31:19AM +0200, Eduardo Otubo wrote: > > > On Wed, Jul 01, 2015 at 09=12=33AM -0400, Andrew Jones wrote: > >

Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the seccomp sandbox

2015-10-09 Thread Eduardo Otubo
ovider that provides > IMAP, then use a standalone e-mail application such as Thunderbird, > Claws Mail, Mutt or (if you use Emacs) Gnus. Exactly. -- Eduardo Otubo ProfitBricks GmbH

Re: [Qemu-devel] [PATCH v8 27/27] seccomp: add memfd_create to whitelist

2015-10-09 Thread Eduardo Otubo
On Fri, Oct 09, 2015 at 05=17=41PM +0200, marcandre.lur...@redhat.com wrote: > From: Eduardo Otubo > > This is used by memfd code. > > Signed-off-by: Eduardo Otubo > Signed-off-by: Marc-André Lureau > --- > qemu-seccomp.c | 3 ++- > 1 file changed, 2 insertions(

Re: [Qemu-devel] [PULL 00/25] virtio,pc features, fixes

2015-10-09 Thread Eduardo Otubo
Yes, it sure does. I'll prepare a patch for that right away. Thanks for pointing that, Peter. I didn't notice. -- Eduardo Otubo ProfitBricks GmbH

Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the seccomp sandbox

2015-10-08 Thread Eduardo Otubo
ustification enough to whitelist more syscalls, but we can come up with a better solution for this (continue the thread) and tighten up this in the future. Thanks for your contribution. Acked-by: Eduardo Otubo ps.: the threads are still being broken by your emails and it's a pain to track

Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the seccomp sandbox

2015-10-02 Thread Eduardo Otubo
On Fri, Oct 02, 2015 at 03=15=05PM +0100, Daniel P. Berrange wrote: > On Fri, Oct 02, 2015 at 04:08:20PM +0200, Eduardo Otubo wrote: > > On Fri, Oct 02, 2015 at 12=05=58PM +0200, Markus Armbruster wrote: > > > "Daniel P. Berrange" writes: > > > > > &

Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the seccomp sandbox

2015-10-02 Thread Eduardo Otubo
> > Yeah, I think it would be better to move the seccomp enablement later. > > Let's do that then. Where exactly you guys think we could call seccomp enablement? Right it's called (almost) right before cpu_exec_init_all(), on vl.c:4013. I guess it is as later as it could. > > > Adding setuid and chroot to the allow list is pretty strongly undesirable > > from a security protection POV. > > Indeed. -- Eduardo Otubo ProfitBricks GmbH

Re: [Qemu-devel] [PATCH v3] Add argument filters to the seccomp sandbox

2015-10-02 Thread Eduardo Otubo
On Tue, Sep 29, 2015 at 05=22=44PM +0200, Eduardo Otubo wrote: > On Fri, Sep 25, 2015 at 12=50=36AM -0400, Namsun Ch'o wrote: > > Here's the v3 patch. I applied it and compiled QEMU, and it worked fine. > > > > Changes so far: > > v1 > > - Created ar

Re: [Qemu-devel] [PATCH] configure: arm/aarch64: allow enable-seccomp

2015-10-02 Thread Eduardo Otubo
r" > +else > +feature_not_found "libseccomp" \ > +"libseccomp is not supported for host cpu $cpu" > +fi > +fi > +seccomp="no" > fi > fi > ## > -- > 2.5.2 > The patch does look good, but I'll just delay a little bit the pull request due to more patches incoming. I just want to create a single batch. Is ok if we just merge it mid or end of next week? Thanks for the contribution. Acked-by: Eduardo Otubo -- Eduardo Otubo ProfitBricks GmbH

Re: [Qemu-devel] [PATCH v2] Add argument filters to the seccomp sandbox

2015-09-30 Thread Eduardo Otubo
ould be a #define somewhere that toggles whether or not a > syscall argument filter can be created for a syscall which is not in the > built-in whitelist, otherwise it would throw an error saying that you cannot > create an argument filter for a syscall that is not permitted. -- Eduardo Otubo ProfitBricks GmbH

Re: [Qemu-devel] [PATCH v3] Add argument filters to the seccomp sandbox

2015-09-30 Thread Eduardo Otubo
) { > +goto seccomp_return; > +} > + > +/* shmctl */ > +rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmctl), 2, > +SCMP_A1(SCMP_CMP_EQ, IPC_RMID), > +SCMP_A2(SCMP_CMP_EQ, 0)); > +if (rc < 0) { > +goto seccomp_retur

Re: [Qemu-devel] [PATCH] libseccomp: add cacheflush to whitelist

2015-09-29 Thread Eduardo Otubo
On Thu, Sep 24, 2015 at 03=50=04PM +0200, Andrew Jones wrote: > On Thu, Sep 24, 2015 at 11:31:19AM +0200, Eduardo Otubo wrote: > > On Wed, Jul 01, 2015 at 09=12=33AM -0400, Andrew Jones wrote: > > > cacheflush is an arm-specific syscall that qemu built for arm > > > us

Re: [Qemu-devel] [PATCH v2] Add argument filters to the seccomp sandbox

2015-09-24 Thread Eduardo Otubo
3? This helps keep tracking of ideas and discussions. Thanks a lot for the contribution! > +if (rc < 0) { > +goto seccomp_return; > +} > +rc = seccomp_syscall_priority(ctx, SCMP_SYS(shmget), 240); > +if (rc < 0) { > +goto seccomp_return; > +} > + > +/* shmctl */ > +rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmctl), 2, > +SCMP_A1(SCMP_CMP_EQ, IPC_RMID), > +SCMP_A2(SCMP_CMP_EQ, 0)); > +if (rc < 0) { > +goto seccomp_return; > +} > +rc = seccomp_syscall_priority(ctx, SCMP_SYS(shmctl), 240); > +if (rc < 0) { > +goto seccomp_return; > +} > + > rc = seccomp_load(ctx); > >seccomp_return: -- Eduardo Otubo ProfitBricks GmbH
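
Review bot: the shmctl rule allows the call only when argument 1 equals IPC_RMID and argument 2 equals 0, but nothing in the hunk says which QEMU code path needs exactly that form. Add a comment above `seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmctl), 2,` naming the caller, so a later reader can tell whether the filter is still as narrow as it can be. The priority 240 passed to `seccomp_syscall_priority` is repeated as a bare literal for both shmget and shmctl; a named constant would be easier to keep consistent.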

Re: [Qemu-devel] [PATCH] libseccomp: add cacheflush to whitelist

2015-09-24 Thread Eduardo Otubo
, 240 }, > -{ SCMP_SYS(mbind), 240 } > + { SCMP_SYS(mbind), 240 }, > +{ SCMP_SYS(cacheflush), 240 }, > }; > > int seccomp_start(void) > -- > 2.1.0 > -- Eduardo Otubo ProfitBricks GmbH
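
Review bot: the `{ SCMP_SYS(cacheflush), 240 },` entry is added to the whitelist array unconditionally, although cacheflush is an arm-specific syscall, so the build now depends on the installed libseccomp knowing that syscall on every host. Put the entry behind a preprocessor guard that configure defines only when the libseccomp being linked is recent enough, and leave the array unchanged otherwise.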

Re: [Qemu-devel] Live migration hangs after migration to remote host

2015-07-29 Thread Eduardo Otubo
On Wed, Jul 29, 2015 at 11=38=44AM +0100, Dr. David Alan Gilbert wrote: > * Eduardo Otubo (eduardo.ot...@profitbricks.com) wrote: > > On Wed, Jul 29, 2015 at 10=32=59AM +0100, Dr. David Alan Gilbert wrote: > > > * Eduardo Otubo (eduardo.ot...@profitbricks.com) wrote: > >

Re: [Qemu-devel] Live migration hangs after migration to remote host

2015-07-29 Thread Eduardo Otubo
On Wed, Jul 29, 2015 at 10=32=59AM +0100, Dr. David Alan Gilbert wrote: > * Eduardo Otubo (eduardo.ot...@profitbricks.com) wrote: > > On Wed, Jul 29, 2015 at 09=11=21AM +0100, Dr. David Alan Gilbert wrote: > > > * Eduardo Otubo (eduardo.ot...@profitbricks.com) wrote: > >

Re: [Qemu-devel] Live migration hangs after migration to remote host

2015-07-29 Thread Eduardo Otubo
On Wed, Jul 29, 2015 at 09=11=21AM +0100, Dr. David Alan Gilbert wrote: > * Eduardo Otubo (eduardo.ot...@profitbricks.com) wrote: > > On Tue, Jul 28, 2015 at 04=19=46PM +0100, Dr. David Alan Gilbert wrote: > > > * Eduardo Otubo (eduardo.ot...@profitbricks.com) wrote:

Re: [Qemu-devel] Live migration hangs after migration to remote host

2015-07-29 Thread Eduardo Otubo
On Tue, Jul 28, 2015 at 04=19=46PM +0100, Dr. David Alan Gilbert wrote: > * Eduardo Otubo (eduardo.ot...@profitbricks.com) wrote: > > Hello all, > > > > I'm facing a weird behavior on my tests: I am able to live migrate > > between two virtual machines on

[Qemu-devel] Live migration hangs after migration to remote host

2015-07-28 Thread Eduardo Otubo
al to remote, the guest hangs. I still can access its console via ctrl+alt+2, though, and everything seems to be normal. If I issue a reboot via console on the remote, the guest gets back to normal. Am I missing something here? Regards, -- Eduardo Otubo ProfitBricks GmbH

Re: [Qemu-devel] mem1 is in use, can not be deleted

2015-07-10 Thread Eduardo Otubo
kend: 0 > >size: 1073741824 > >merge: true > >dump: true > >prealloc: false > >policy: default > >host nodes: > > > > How was the environment when you tested this feature? > Most likely I've used RHEL7.1 as guest with latest systemd > which onlines hotplugged memory automatically on hotplug. I tried with Ubuntu 15.04, latest kernel 4.2 and systemd, still not working. I'm downloading CentOS-7, I'll setup with systemd and proper kernel configuration. I'll let you know the results. Thanks a lot for the help so far! :) -- Eduardo Otubo ProfitBricks GmbH

Re: [Qemu-devel] [PATCH v3 0/7] cpu: add i386 cpu hot remove support

2015-07-09 Thread Eduardo Otubo
On Fri, Jun 26, 2015 at 11=37=43AM +0800, Zhu Guihua wrote: > Hi, > On 06/24/2015 09:28 PM, Eduardo Otubo wrote: > >Hello Zhu, > > > >Are you still working on this feature? Could you provide a rebased > >version of this series? > > Sorry for late reply. &g

Re: [Qemu-devel] mem1 is in use, can not be deleted

2015-07-09 Thread Eduardo Otubo
On Tue, Jun 30, 2015 at 05=56=02PM +0200, Igor Mammedov wrote: > On Tue, 30 Jun 2015 15:56:13 +0200 > Eduardo Otubo wrote: > > > On Tue, Jun 30, 2015 at 11=18=21AM +0200, Igor Mammedov wrote: > > > On Tue, 30 Jun 2015 10:07:52 +0200 > > > Eduardo Otubo

Re: [Qemu-devel] mem1 is in use, can not be deleted

2015-06-30 Thread Eduardo Otubo
On Tue, Jun 30, 2015 at 11=18=21AM +0200, Igor Mammedov wrote: > On Tue, 30 Jun 2015 10:07:52 +0200 > Eduardo Otubo wrote: > > > Hello all, > > > > I compiled the HEAD of the master branch and was testing memory > > hotunplug and got to this issue. Note: I follo

Re: [Qemu-devel] [PATCH v3 0/7] cpu: add i386 cpu hot remove support

2015-06-30 Thread Eduardo Otubo
On Fri, Jun 26, 2015 at 11=37=43AM +0800, Zhu Guihua wrote: > Hi, > On 06/24/2015 09:28 PM, Eduardo Otubo wrote: > >Hello Zhu, > > > >Are you still working on this feature? Could you provide a rebased > >version of this series? > > Sorry for late reply. &g

[Qemu-devel] mem1 is in use, can not be deleted

2015-06-30 Thread Eduardo Otubo
n grub, in both situations I got the same behavior. Anyone also got the same issue? I'll also try with a different distro and will post back. Regards, -- Eduardo Otubo ProfitBricks GmbH

Re: [Qemu-devel] [PATCH v3 0/7] cpu: add i386 cpu hot remove support

2015-06-24 Thread Eduardo Otubo
hw/qdev-core.h| 1 + > include/qom/cpu.h | 9 ++++ > include/sysemu/kvm.h | 1 + > kvm-all.c | 57 - > target-i386/cpu.c | 46 + > 17 files changed, 377 insertions(+), 27 deletions(-) > > -- > 1.9.3 > > -- Eduardo Otubo ProfitBricks GmbH

Re: [Qemu-devel] CPU hot unplug support for x86_64

2015-06-16 Thread Eduardo Otubo
edov wrote: > > > > On Thu, 11 Jun 2015 10:39:05 +0300 > > > > Fahri Cihan Demirci wrote: > > > > > > > > > On Tue, Jun 09, 2015 at 05:44:15PM +0200, Eduardo Otubo wrote: > > > > > > Hello all, > > > > > > &

[Qemu-devel] CPU hot unplug support for x86_64

2015-06-09 Thread Eduardo Otubo
hing that is not done yet -- for some reason please let me know how to help. We have a lot of interest on this feature for our projects. Regards, -- Eduardo Otubo ProfitBricks GmbH

Re: [Qemu-devel] VCPU Hot-Unplug Feature

2015-05-18 Thread Eduardo Otubo
re, we may > > provide feedback, testing or help in the development effort. Any other > > input, guidance or corrections would be also most welcome. Thank you. > > > > [1] http://wiki.qemu.org/Features/CPUHotplug > > > > > > Best regards, > > Fahri Cihan Demirci > -- Eduardo Otubo ProfitBricks GmbH

Re: [Qemu-devel] seccomp breakage on arm

2015-04-09 Thread Eduardo Otubo
d[1] for that. I provided the patch (before the pull request) requesting for some review and testing but never heard back again. Also CC'ing Karl-Philipp Richter (bug owner) for some opinions on that as well. Regards, [0] http://sourceforge.net/p/libseccomp/mailman/message/32955831/ [1] https://bugs.launchpad.net/qemu/+bug/1363641 -- Eduardo Otubo ProfitBricks GmbH

[Qemu-devel] [PATCH] seccomp: libseccomp version varying according to arch

2015-03-26 Thread Eduardo Otubo
. Signed-off-by: Eduardo Otubo Reported-by: Juan Quintela --- configure | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/configure b/configure index cbe6495..09c9225 100755 --- a/configure +++ b/configure @@ -1848,13 +1848,19 @@ fi # libseccomp check if test "$se

Re: [Qemu-devel] [PULL for v2.3 01/01] seccomp: update libseccomp version and remove arch restriction

2015-03-26 Thread Eduardo Otubo
On Thu, Mar 26, 2015 at 02=44=14PM +, Peter Maydell wrote: > On 26 March 2015 at 14:37, Eduardo Otubo > wrote: > > I completely understand your concern. Perhaps a ping on libseccomp > > Fedora package maintainer would be a better way to tackle this issue > > instead

Re: [Qemu-devel] [PULL for v2.3 01/01] seccomp: update libseccomp version and remove arch restriction

2015-03-26 Thread Eduardo Otubo
On Thu, Mar 26, 2015 at 03=09=19PM +0100, Juan Quintela wrote: > Juan Quintela wrote: > > Eduardo Otubo wrote: > >> Libseccomp version updated to 2.2.0 and arch restriction to x86/x86_64 > >> is now removed. It's supposed to work on armv7l as we

Re: [Qemu-devel] [PULL for v2.3 01/01] seccomp: update libseccomp version and remove arch restriction

2015-03-26 Thread Eduardo Otubo
On Thu, Mar 26, 2015 at 02=38=55PM +0100, Juan Quintela wrote: > Eduardo Otubo wrote: > > Libseccomp version updated to 2.2.0 and arch restriction to x86/x86_64 > > is now removed. It's supposed to work on armv7l as well. > > > > Related bug: https://bugs

[Qemu-devel] [PULL for v2.3 00/01] seccomp branch queue

2015-03-25 Thread Eduardo Otubo
Eduardo Otubo (1): seccomp: update libseccomp version and remove arch restriction configure | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) -- 1.9.1

[Qemu-devel] [PULL for v2.3 01/01] seccomp: update libseccomp version and remove arch restriction

2015-03-25 Thread Eduardo Otubo
Libseccomp version updated to 2.2.0 and arch restriction to x86/x86_64 is now removed. It's supposed to work on armv7l as well. Related bug: https://bugs.launchpad.net/qemu/+bug/1363641 Signed-off-by: Eduardo Otubo --- configure | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)

[Qemu-devel] [Bug 1363641] Re: Build of v2.1.0 fails on armv7l due to undeclared __NR_select

2015-03-17 Thread Eduardo Otubo
Libseccomp 2.2.0 is now released, can you please try the attached patch and check if it works for you? Regards. ** Patch added: "0001-seccomp-update-libseccomp-version-and-remove-arch-re.patch" https://bugs.launchpad.net/qemu/+bug/1363641/+attachment/4347723/+files/0001-seccomp-update-libsecc

[Qemu-devel] [PULL 00/01] seccomp branch queue

2015-01-23 Thread Eduardo Otubo
The following changes since commit 8f970eff6e318524f189f105c236e47633759890: Merge remote-tracking branch 'remotes/kraxel/tags/pull-input-20150122-1' into staging (2015-01-22 17:41:59 +) are available in the git repository at: https://github.com/otubo/qemu.git tags/pull-seccomp-2015012

[Qemu-devel] [PULL 01/01] seccomp: add mlockall to whitelist

2015-01-23 Thread Eduardo Otubo
From: Paolo Bonzini This is used by "-realtime mlock=on". Signed-off-by: Eduardo Otubo Signed-off-by: Paolo Bonzini Reviewed-by: Amit Shah Reviewed-by: Eduardo Habkost Tested-by: Eduardo Habkost Acked-by: Eduardo Otubo --- qemu-seccomp.c | 1 + 1 file changed, 1 insertion(+)

Re: [Qemu-devel] [PATCH] seccomp: add mlockall to whitelist

2015-01-21 Thread Eduardo Otubo
{ SCMP_SYS(mlockall), 240 }, > { SCMP_SYS(mlock), 240 }, > { SCMP_SYS(munlock), 240 }, > { SCMP_SYS(semctl), 240 }, > -- > 2.1.0 > Signed-off-by: Eduardo Otubo Acked-by: Eduardo Otubo I'll make a pull request by Friday at the end of the day. Thanks for the patch. -- Eduardo Otubo ProfitBricks GmbH

[Qemu-devel] [PULL 01/02] seccomp: typo in configure error message

2015-01-05 Thread Eduardo Otubo
Error message was misleading people to install wrong version of libseccomp. Signed-off-by: Eduardo Otubo --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index cae588c..7539645 100755 --- a/configure +++ b/configure @@ -1830,7 +1830,7 @@ if

[Qemu-devel] [PULL 02/02] seccomp: add mbind() to the syscall whitelist

2015-01-05 Thread Eduardo Otubo
From: Paul Moore The "memory-backend-ram" QOM object utilizes the mbind(2) syscall to set the policy for a memory range. Add the syscall to the seccomp sandbox whitelist. Signed-off-by: Paul Moore Signed-off-by: Eduardo Otubo Acked-by: Eduardo Otubo Tested-by: Eduardo Habkost R

[Qemu-devel] [PULL 00/02] seccomp branch queue

2015-01-05 Thread Eduardo Otubo
he syscall whitelist -------- Eduardo Otubo (1): seccomp: typo in configure error message Paul Moore (1): seccomp: add mbind() to the syscall whitelist configure | 2 +- qemu-seccomp.c | 3 ++- 2 files changed, 3 insertions(+), 2

[Qemu-devel] [Bug 1363641] Re: Build of v2.1.0 fails on armv7l due to undeclared __NR_select

2014-12-19 Thread Eduardo Otubo
Hello Ben, I just submitted a pull request to fix the issue you reported: http://lists.gnu.org/archive/html/qemu-devel/2014-12/msg03134.html Thanks again. -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bu

[Qemu-devel] [PULL 01/02] seccomp: typo in configure error message

2014-12-19 Thread Eduardo Otubo
Error message was misleading people to install wrong version of libseccomp. Signed-off-by: Eduardo Otubo --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index cae588c..7539645 100755 --- a/configure +++ b/configure @@ -1830,7 +1830,7 @@ if

[Qemu-devel] [PULL 00/02] seccomp branch queue

2014-12-19 Thread Eduardo Otubo
he syscall whitelist -------- Eduardo Otubo (1): seccomp: typo in configure error message Paul Moore (1): seccomp: add mbind() to the syscall whitelist configure | 2 +- qemu-seccomp.c | 3 ++- 2 files changed, 3 insertions(+), 2

[Qemu-devel] [PULL 02/02] seccomp: add mbind() to the syscall whitelist

2014-12-19 Thread Eduardo Otubo
From: Paul Moore The "memory-backend-ram" QOM object utilizes the mbind(2) syscall to set the policy for a memory range. Add the syscall to the seccomp sandbox whitelist. Signed-off-by: Paul Moore Tested-by: Eduardo Habkost Reviewed-by: Eduardo Habkost Acked-by: Eduardo Otubo

Re: [Qemu-devel] [PATCH] seccomp: add mbind() to the syscall whitelist

2014-12-18 Thread Eduardo Otubo
ccomp_whitelist[] = { > { SCMP_SYS(fallocate), 240 }, > { SCMP_SYS(fadvise64), 240 }, > { SCMP_SYS(inotify_init1), 240 }, > -{ SCMP_SYS(inotify_add_watch), 240 } > +{ SCMP_SYS(inotify_add_watch), 240 }, > +{ SCMP_SYS(mbind), 240 } > }; > > int seccom

[Qemu-devel] [Bug 1363641] Re: Build of v2.1.0 fails on armv7l due to undeclared __NR_select

2014-12-09 Thread Eduardo Otubo
Hello Ben, you're completely right on what regards the version on the error message. I'll fix it as soon as possible. Sorry for the trouble on that :( (and sorry for the late reply I was on vacations) Regarding the if statement, as Peter said here -- http://lists.gnu.org/archive/html/qemu-devel/20

[Qemu-devel] [Bug 1363641] Re: Build of v2.1.0 fails on armv7l due to undeclared __NR_select

2014-11-12 Thread Eduardo Otubo
This commit temporarily fixes this problem. http://git.qemu.org/?p=qemu.git;a=commit;h=4cc47f8b3cc4f32586ba2f7fce1dc267da774a69 As soon as libseccomp makes a new release I'll update the dependency and hopefully it will be fixed with proper library support. -- You received this bug notification

Re: [Qemu-devel] [PULL 0/2] seccomp branch queue

2014-11-11 Thread Eduardo Otubo
On Mon, Nov 10, 2014 at 08:50:07PM +, Peter Maydell wrote: > On 10 November 2014 14:21, Eduardo Otubo > wrote: > > Hi, > > > > This is the seccomp branch queue with fixes regarding a build crash on > > armv7l > > and adding new syscalls to the whitelist.

[Qemu-devel] [PULL 1/2] seccomp: whitelist syscalls fallocate(), fadvise64(), inotify_init1() and inotify_add_watch()

2014-11-11 Thread Eduardo Otubo
rity. Signed-off-by: Philipp Gesang Signed-off-by: Eduardo Otubo --- qemu-seccomp.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/qemu-seccomp.c b/qemu-seccomp.c index 0503764..af6a375 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -231,7 +231,11 @@

[Qemu-devel] [PULL 0/2] seccomp branch queue

2014-11-11 Thread Eduardo Otubo
) seccomp: change configure to avoid arm 32 to break seccomp: whitelist syscalls fallocate(), fadvise64(), inotify_init1() and inotify_add_watch() Eduardo Otubo (1): seccomp: change configure to avoid arm 32 to break

[Qemu-devel] [PULL 2/2] seccomp: change configure to avoid arm 32 to break

2014-11-11 Thread Eduardo Otubo
-off-by: Eduardo Otubo Reviewed-by: Peter Maydell Acked-by: Paul Moore --- configure | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/configure b/configure index 2f17bf3..47048f0 100755 --- a/configure +++ b/configure @@ -1823,7 +1823,8 @@ fi # libseccomp check if test

[Qemu-devel] [PULL 2/2] seccomp: change configure to avoid arm 32 to break

2014-11-10 Thread Eduardo Otubo
-off-by: Eduardo Otubo --- configure | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/configure b/configure index 2f17bf3..47048f0 100755 --- a/configure +++ b/configure @@ -1823,7 +1823,8 @@ fi # libseccomp check if test "$seccomp" != "no" ; then

[Qemu-devel] [PULL 1/2] seccomp: whitelist syscalls fallocate(), fadvise64(), inotify_init1() and inotify_add_watch()

2014-11-10 Thread Eduardo Otubo
From: Philipp Gesang fallocate() is needed for snapshotting. If it isn’t whitelisted $ qemu-img create -f qcow2 x.qcow 1G Formatting 'x.qcow', fmt=qcow2 size=1073741824 encryption=off cluster_size=65536 lazy_refcounts=off $ qemu-kvm -display none -monitor stdio -sandbox on x.qcow

[Qemu-devel] [PULL 0/2] seccomp branch queue

2014-11-10 Thread Eduardo Otubo
) seccomp: change configure to avoid arm 32 to break seccomp: whitelist syscalls fallocate(), fadvise64(), inotify_init1() and inotify_add_watch() Eduardo Otubo (1): seccomp: change configure to avoid arm 32 to

[Qemu-devel] [PATCHv3] seccomp: change configure to avoid arm 32 to break

2014-11-07 Thread Eduardo Otubo
-off-by: Eduardo Otubo --- configure | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/configure b/configure index 2f17bf3..47048f0 100755 --- a/configure +++ b/configure @@ -1823,7 +1823,8 @@ fi # libseccomp check if test "$seccomp" != "no" ; then

Re: [Qemu-devel] [PATCH] seccomp: change configure to avoid arm 32 to break

2014-11-06 Thread Eduardo Otubo
On Thu, Nov 06, 2014 at 11:22:16AM -0500, Paul Moore wrote: > On Thursday, November 06, 2014 03:49:18 PM Eduardo Otubo wrote: > > Right now seccomp is breaking the compilation of Qemu on armv7l due > > to libseccomp current lack of support for this arch. This problem is >

Re: [Qemu-devel] [PATCH] seccomp: change configure to avoid arm 32 to break

2014-11-06 Thread Eduardo Otubo
On Thu, Nov 06, 2014 at 03:49:04PM +, Peter Maydell wrote: > On 6 November 2014 14:49, Eduardo Otubo > wrote: > > Right now seccomp is breaking the compilation of Qemu on armv7l due > > to libseccomp current lack of support for this arch. This problem is > > alr

[Qemu-devel] [PATCH] seccomp: change configure to avoid arm 32 to break

2014-11-06 Thread Eduardo Otubo
libseccomp does a new release. Then I'll remove the hack and update libseccomp dependency on configure script. Related bug: https://bugs.launchpad.net/qemu/+bug/1363641 Signed-off-by: Eduardo Otubo --- configure | 20 +++- 1 file changed, 11 insertions(+), 9 deletions(-) diff --

Re: [Qemu-devel] [PATCH] seccomp: change configure to avoid arm 32 to break

2014-11-06 Thread Eduardo Otubo
On Wed, Nov 05, 2014 at 03:35:09PM -0500, Paul Moore wrote: > On Wednesday, November 05, 2014 08:08:06 PM Peter Maydell wrote: > > On 5 November 2014 19:46, Paul Moore wrote: > > > On Wednesday, November 05, 2014 05:08:20 PM Peter Maydell wrote: > > >> On 5 Nove

[Qemu-devel] [PATCH] seccomp: change configure to avoid arm 32 to break

2014-11-05 Thread Eduardo Otubo
libseccomp does a new release. Then I'll remove the hack and update libseccomp dependency on configure script. Related bug: https://bugs.launchpad.net/qemu/+bug/1363641 Signed-off-by: Eduardo Otubo --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/conf

Re: [Qemu-devel] [PULL 00/01] Adding new syscalls to seccomp whitelist

2014-10-22 Thread Eduardo Otubo
On Fri, Sep 19, 2014 at 08:11:14AM -0700, Peter Maydell wrote: > On 19 September 2014 07:38, Eduardo Otubo > wrote: > > On Fri, Sep 19, 2014 at 4:15 PM, Peter Maydell > > wrote: > >> ...how about fixing your compile errors on non-x86 platforms > >> befor

[Qemu-devel] [Bug 1363641] Re: Build of v2.1.0 fails on armv7l due to undeclared __NR_select

2014-10-22 Thread Eduardo Otubo
The fix for the syscalls problem is already upstream at libseccomp [0]. The maintainer said he has no plans yet to make a new release, though. [0] -- http://sourceforge.net/p/libseccomp/mailman/libseccomp-discuss/thread/1661272.9kVko5ssCn%40sifl/#msg32956301 -- You received this bug notificati

Re: [Qemu-devel] [PULL 00/01] Adding new syscalls to seccomp whitelist

2014-09-19 Thread Eduardo Otubo
On Fri, Sep 19, 2014 at 4:15 PM, Peter Maydell wrote: > On 19 September 2014 06:22, Eduardo Otubo > wrote: >> The following changes since commit 10e11f4d2bf171f99c6b13883a510acfbc5dd585: >> >> Merge remote-tracking branch 'remotes/mst/tags/for_upstream' int

[Qemu-devel] [PULL 01/01] seccomp: whitelist syscalls fallocate(), fadvise64(), inotify_init1() and inotify_add_watch()

2014-09-19 Thread Eduardo Otubo
rity. Signed-off-by: Philipp Gesang Signed-off-by: Eduardo Otubo --- qemu-seccomp.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/qemu-seccomp.c b/qemu-seccomp.c index 0503764..af6a375 100644 --- a/qemu-seccomp.c +++ b/qemu-seccomp.c @@ -231,7 +231,11 @@

[Qemu-devel] [PULL 00/01] Adding new syscalls to seccomp whitelist

2014-09-19 Thread Eduardo Otubo
The following changes since commit 10e11f4d2bf171f99c6b13883a510acfbc5dd585: Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging (2014-09-18 20:02:01 +0100) are available in the git repository at: git://github.com/otubo/qemu.git tags/goto-upstream for you to fetch ch

Re: [Qemu-devel] [PATCH] seccomp: whitelist syscalls fallocate(), fadvise64(), inotify_init1() and inotify_add_watch()

2014-09-16 Thread Eduardo Otubo
> +{ SCMP_SYS(semctl), 240 }, > +{ SCMP_SYS(fallocate), 240 }, > +{ SCMP_SYS(fadvise64), 240 }, > +{ SCMP_SYS(inotify_init1), 240 }, > +{ SCMP_SYS(inotify_add_watch), 240 } > }; > > int seccomp_start(void) > -- > 1.9.3 > -- Eduardo Otubo ProfitBricks
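Review bot: the last new entry, { SCMP_SYS(inotify_add_watch), 240 }, is left without a trailing comma, so the next addition to the whitelist will have to touch that line again, the same way the semctl entry shows up as an added line in this hunk. Ending the final entry with a comma keeps later whitelist diffs to one added line per syscall, which makes it easier to audit exactly which syscalls each change opens up. All four new entries also reuse the value 240 from semctl; a short comment in the table on what that number means and why these calls share it would help whoever reviews the next addition.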

[Qemu-devel] [PULL 01/01] seccomp: add semctl() to the syscall whitelist

2014-08-21 Thread Eduardo Otubo
From: Paul Moore QEMU needs to call semctl() for correct operation. This particular problem was identified on shutdown with the following commandline: # qemu -sandbox on -monitor stdio \ -device intel-hda -device hda-duplex -vnc :0 Signed-off-by: Paul Moore Signed-off-by: Eduardo Otubo

[Qemu-devel] [PULL 00/01] seccomp: add semctl() to the syscall whitelist

2014-08-21 Thread Eduardo Otubo
The following changes since commit 2656eb7c599e306b95bad82b1372fc49ba3088f6: Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20140819' into staging (2014-08-20 09:55:42 +0100) are available in the git repository at: g...@github.com:otubo/qemu.git seccomp for you to fet

Re: [Qemu-devel] live migration + licensing issue.

2014-07-11 Thread Eduardo Otubo
On Fri, Jul 11, 2014 at 2:19 PM, Markus Armbruster wrote: > Eduardo Otubo writes: > >> On Fri, Jul 11, 2014 at 1:12 PM, Markus Armbruster wrote: >>> [Top-quote moved to its rightful place; please do not top quote on >>> technical lists] >>> >>&g

Re: [Qemu-devel] live migration + licensing issue.

2014-07-11 Thread Eduardo Otubo
machine to the destination successfully, then blow > up there right away, or some time later, taking down your machine. It > could migrate successfully, but silently corrupt data. > > Regardless of how it breaks, you get to keep the pieces. What you're saying is that there's no way to migrate (live or offline) from Qemu 1.0/1.2 to 2.0 in a *safe way* whatever OS I'm running on it? -- Eduardo Otubo ProfitBricks

[Qemu-devel] [PULL 00/01] [seccomp] changing email contact for Eduardo Otubo

2014-07-02 Thread Eduardo Otubo
50636faaf1ad9493a9341f4eade4f0f0697ee0d6: [seccomp] changing email contact for Eduardo Otubo (2014-07-02 12:44:20 +0200) Eduardo Otubo (1): [seccomp] changing email contact for Eduardo Otubo MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
