[libvirt] [PATCHv2 0/4] qemu: enable sandbox whitelist by default

Ján Tomko posted 4 patches 6 years ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/cover.1523371626.git.jtomko@redhat.com
Test syntax-check passed
[libvirt] [PATCHv2 0/4] qemu: enable sandbox whitelist by default
Posted by Ján Tomko 6 years ago
v1: https://www.redhat.com/archives/libvir-list/2018-March/msg01965.html
https://bugzilla.redhat.com/show_bug.cgi?id=1492597
v2:
* also deny resource control
* split out and refactor the command line building
* be explicit about denying the obsolete syscalls

Ján Tomko (4):
  Introduce QEMU_CAPS_SECCOMP_BLACKLIST
  Introduce qemuBuildSeccompSandboxCommandLine
  Refactor qemuBuildSeccompSandboxCommandLine
  qemu: deny privilege elevation and spawn in seccomp

 src/qemu/qemu.conf                                 |  7 ++--
 src/qemu/qemu_capabilities.c                       |  2 +
 src/qemu/qemu_capabilities.h                       |  1 +
 src/qemu/qemu_command.c                            | 46 +++++++++++++++++-----
 tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml   |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml   |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml   |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml  |  1 +
 tests/qemuxml2argvdata/minimal-sandbox.args        | 29 ++++++++++++++
 tests/qemuxml2argvdata/minimal-sandbox.xml         | 34 ++++++++++++++++
 tests/qemuxml2argvtest.c                           | 11 ++++++
 12 files changed, 123 insertions(+), 12 deletions(-)
 create mode 100644 tests/qemuxml2argvdata/minimal-sandbox.args
 create mode 100644 tests/qemuxml2argvdata/minimal-sandbox.xml

-- 
2.16.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCHv2 0/4] qemu: enable sandbox whitelist by default
Posted by Ján Tomko 6 years ago
On Tue, Apr 10, 2018 at 04:49:38PM +0200, Ján Tomko wrote:
>v1: https://www.redhat.com/archives/libvir-list/2018-March/msg01965.html
>https://bugzilla.redhat.com/show_bug.cgi?id=1492597
>v2:
>* also deny resource control
>* split out and refactor the command line building
>* be explicit about denying the obsolete syscalls
>
>Ján Tomko (4):
>  Introduce QEMU_CAPS_SECCOMP_BLACKLIST
>  Introduce qemuBuildSeccompSandboxCommandLine
>  Refactor qemuBuildSeccompSandboxCommandLine
>  qemu: deny privilege elevation and spawn in seccomp
>

Thank you for the reviews, I have rebased the patches to get rid of the
old SECCOMP_SANDBOX capability and pushed the series.

Jano