1. Patchew
  2. Libvirt
  3. View series

[libvirt] [PATCH] set default seccompSandbox as 0 for qemu

zhenwei pi posted 1 patch 5 years, 11 months ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/1526643453-9608-1-git-send-email-zhenwei.pi@youruncloud.com
Test syntax-check passed
src/qemu/qemu_conf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[libvirt] [PATCH] set default seccompSandbox as 0 for qemu
Posted by zhenwei pi 5 years, 11 months ago 
start qemu fail : qemu-system-x86_64: -sandbox on,obsolete=deny,
    elevateprivileges=deny,spawn=deny,resourcecontrol=deny:
    seccomp support is disabled
libvirt version : 4.3
qemu version : 2.12
reproducer : recompile qemu with ./configure --disable-seccomp, or
    remove libseccomp package.

with default seccompSandbox -1, libvirt try to get config from qemu
cmdline. if qemu disables seccomp (or misses seccomp package), qemu
still reports sandbox help message. libvirt mistakens about qemu real
capability.

set default seccompSandbox as 0 in code, and still get user conf
from qemu.conf. if user wants to enable seccomp, he should check
qemu firstly, then use the right qemu.conf.

Signed-off-by: zhenwei pi <zhenwei.pi@youruncloud.com>
---
 src/qemu/qemu_conf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 277ab83..d17b4b1 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -313,7 +313,7 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool privileged)
 
     cfg->keepAliveInterval = 5;
     cfg->keepAliveCount = 5;
-    cfg->seccompSandbox = -1;
+    cfg->seccompSandbox = 0;
 
     cfg->logTimestamp = true;
     cfg->glusterDebugLevel = 4;
-- 
2.7.4

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] set default seccompSandbox as 0 for qemu
Posted by Daniel P. Berrangé 5 years, 11 months ago 
On Fri, May 18, 2018 at 07:37:33PM +0800, zhenwei pi wrote:
> start qemu fail : qemu-system-x86_64: -sandbox on,obsolete=deny,
>     elevateprivileges=deny,spawn=deny,resourcecontrol=deny:
>     seccomp support is disabled
> libvirt version : 4.3
> qemu version : 2.12
> reproducer : recompile qemu with ./configure --disable-seccomp, or
>     remove libseccomp package.
> 
> with default seccompSandbox -1, libvirt try to get config from qemu
> cmdline. if qemu disables seccomp (or misses seccomp package), qemu
> still reports sandbox help message. libvirt mistakens about qemu real
> capability.
> 
> set default seccompSandbox as 0 in code, and still get user conf
> from qemu.conf. if user wants to enable seccomp, he should check
> qemu firstly, then use the right qemu.conf.

This means that everyone who has a sensibly built QEMU will not have
seccomp enabled out of the box.

IMHO it someone has chosen to turn off seccomp when building QEMU
they can just set this qemu.conf parameter to zero themselves.


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] set default seccompSandbox as 0 for qemu
Posted by Daniel P. Berrangé 5 years, 11 months ago 
On Fri, May 18, 2018 at 12:42:07PM +0100, Daniel P. Berrangé wrote:
> On Fri, May 18, 2018 at 07:37:33PM +0800, zhenwei pi wrote:
> > start qemu fail : qemu-system-x86_64: -sandbox on,obsolete=deny,
> >     elevateprivileges=deny,spawn=deny,resourcecontrol=deny:
> >     seccomp support is disabled
> > libvirt version : 4.3
> > qemu version : 2.12
> > reproducer : recompile qemu with ./configure --disable-seccomp, or
> >     remove libseccomp package.
> > 
> > with default seccompSandbox -1, libvirt try to get config from qemu
> > cmdline. if qemu disables seccomp (or misses seccomp package), qemu
> > still reports sandbox help message. libvirt mistakens about qemu real
> > capability.
> > 
> > set default seccompSandbox as 0 in code, and still get user conf
> > from qemu.conf. if user wants to enable seccomp, he should check
> > qemu firstly, then use the right qemu.conf.
> 
> This means that everyone who has a sensibly built QEMU will not have
> seccomp enabled out of the box.
> 
> IMHO it someone has chosen to turn off seccomp when building QEMU
> they can just set this qemu.conf parameter to zero themselves.

Also there's patches to QEMU that will make it possible for libvirt to
detect if QEMU has been compiled without seccomp in future:


  https://lists.gnu.org/archive/html/qemu-devel/2018-05/msg03311.html

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Patchew 2.1-devel-0870f84

© 2016 - 2024 Red Hat, Inc.