From nobody Tue Apr 30 09:50:38 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 152664859743250.569266583668195; Fri, 18 May 2018 06:03:17 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx12.intmail.prod.int.phx2.redhat.com [10.5.11.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 1C635BB9C5; Fri, 18 May 2018 13:03:15 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id B076E9D0F4; Fri, 18 May 2018 13:03:14 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 30FDD1801243; Fri, 18 May 2018 13:03:14 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id w4ID3AcV000851 for ; Fri, 18 May 2018 09:03:10 -0400 Received: by smtp.corp.redhat.com (Postfix) id E14091C5B2; Fri, 18 May 2018 13:03:09 +0000 (UTC) Received: from icr.brq.redhat.com (unknown [10.43.2.100]) by smtp.corp.redhat.com (Postfix) with ESMTP id 6812A83B97 for ; Fri, 18 May 2018 13:03:09 +0000 (UTC) From: =?UTF-8?q?J=C3=A1n=20Tomko?= To: libvir-list@redhat.com Date: Fri, 18 May 2018 15:03:03 +0200 Message-Id: <3e9a9112c5b84b2b7c1fe505376c44c5a1958d7a.1526648461.git.jtomko@redhat.com> In-Reply-To: References: In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 1/2] Reintroduce QEMU_CAPS_SECCOMP_SANDBOX X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.27 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.26]); Fri, 18 May 2018 13:03:16 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Commit 766d5c1b deprecated the capability, because we were assuming it for every QEMU binary. At the time of the introduction, there was no way to probe for this via QMP. However since QEMU 1.5.0 (which is the earliest version we support) we can rely on the query-command-line-options command to detect this feature. Signed-off-by: J=C3=A1n Tomko Reviewed-by: John Ferlan --- src/qemu/qemu_capabilities.c | 1 + src/qemu/qemu_capabilities.h | 2 +- tests/qemucapabilitiesdata/caps_1.5.3.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_1.6.0.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_1.7.0.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_2.1.1.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_2.10.0.aarch64.xml | 1 + tests/qemucapabilitiesdata/caps_2.10.0.ppc64.xml | 1 + tests/qemucapabilitiesdata/caps_2.10.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_2.4.0.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_2.5.0.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_2.6.0.aarch64.xml | 1 + tests/qemucapabilitiesdata/caps_2.6.0.ppc64.xml | 1 + tests/qemucapabilitiesdata/caps_2.6.0.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.7.0.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.8.0.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_2.9.0.ppc64.xml | 1 + tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml | 1 + 27 files changed, 27 insertions(+), 1 deletion(-) diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c index bface72de2..fb9fb013b5 100644 --- a/src/qemu/qemu_capabilities.c +++ b/src/qemu/qemu_capabilities.c @@ -2496,6 +2496,7 @@ static struct virQEMUCapsCommandLineProps virQEMUCaps= CommandLine[] =3D { { "machine", "loadparm", QEMU_CAPS_LOADPARM }, { "vnc", "vnc", QEMU_CAPS_VNC_MULTI_SERVERS }, { "chardev", "reconnect", QEMU_CAPS_CHARDEV_RECONNECT }, + { "sandbox", "enable", QEMU_CAPS_SECCOMP_SANDBOX }, { "sandbox", "elevateprivileges", QEMU_CAPS_SECCOMP_BLACKLIST }, }; =20 diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h index 6f9953478a..63beb6e66c 100644 --- a/src/qemu/qemu_capabilities.h +++ b/src/qemu/qemu_capabilities.h @@ -199,7 +199,7 @@ typedef enum { /* virQEMUCapsFlags grouping marker for = syntax-check */ QEMU_CAPS_USB_REDIR_FILTER, /* usb-redir.filter */ QEMU_CAPS_IDE_DRIVE_WWN, /* Is ide-drive.wwn available? */ QEMU_CAPS_SCSI_DISK_WWN, /* Is scsi-disk.wwn available? */ - X_QEMU_CAPS_SECCOMP_SANDBOX, /* -sandbox */ + QEMU_CAPS_SECCOMP_SANDBOX, /* -sandbox */ =20 /* 110 */ QEMU_CAPS_REBOOT_TIMEOUT, /* -boot reboot-timeout */ diff --git a/tests/qemucapabilitiesdata/caps_1.5.3.x86_64.xml b/tests/qemuc= apabilitiesdata/caps_1.5.3.x86_64.xml index e7c2e9a181..b89a5ac671 100644 --- a/tests/qemucapabilitiesdata/caps_1.5.3.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_1.5.3.x86_64.xml @@ -46,6 +46,7 @@ + diff --git a/tests/qemucapabilitiesdata/caps_1.6.0.x86_64.xml b/tests/qemuc= apabilitiesdata/caps_1.6.0.x86_64.xml index e57dec321d..1e76b57861 100644 --- a/tests/qemucapabilitiesdata/caps_1.6.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_1.6.0.x86_64.xml @@ -46,6 +46,7 @@ + diff --git a/tests/qemucapabilitiesdata/caps_1.7.0.x86_64.xml b/tests/qemuc= apabilitiesdata/caps_1.7.0.x86_64.xml index 39ec8f9b1d..af80238230 100644 --- a/tests/qemucapabilitiesdata/caps_1.7.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_1.7.0.x86_64.xml @@ -46,6 +46,7 @@ + diff --git a/tests/qemucapabilitiesdata/caps_2.1.1.x86_64.xml b/tests/qemuc= apabilitiesdata/caps_2.1.1.x86_64.xml index afe0882dde..6ea2f21b66 100644 --- a/tests/qemucapabilitiesdata/caps_2.1.1.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_2.1.1.x86_64.xml @@ -46,6 +46,7 @@ + diff --git a/tests/qemucapabilitiesdata/caps_2.10.0.aarch64.xml b/tests/qem= ucapabilitiesdata/caps_2.10.0.aarch64.xml index 5904306848..3e26e8afaf 100644 --- a/tests/qemucapabilitiesdata/caps_2.10.0.aarch64.xml +++ b/tests/qemucapabilitiesdata/caps_2.10.0.aarch64.xml @@ -35,6 +35,7 @@ + diff --git a/tests/qemucapabilitiesdata/caps_2.10.0.ppc64.xml b/tests/qemuc= apabilitiesdata/caps_2.10.0.ppc64.xml index 2912c8d66b..63760f3d9d 100644 --- a/tests/qemucapabilitiesdata/caps_2.10.0.ppc64.xml +++ b/tests/qemucapabilitiesdata/caps_2.10.0.ppc64.xml @@ -34,6 +34,7 @@ + diff --git a/tests/qemucapabilitiesdata/caps_2.10.0.s390x.xml b/tests/qemuc= apabilitiesdata/caps_2.10.0.s390x.xml index 518788ac13..08e7b1d2b8 100644 --- a/tests/qemucapabilitiesdata/caps_2.10.0.s390x.xml +++ b/tests/qemucapabilitiesdata/caps_2.10.0.s390x.xml @@ -20,6 +20,7 @@ + diff --git a/tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml b/tests/qemu= capabilitiesdata/caps_2.10.0.x86_64.xml index 77ca3013b5..a8c79ecb7e 100644 --- a/tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml @@ -46,6 +46,7 @@ + diff --git a/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml b/tests/qemuc= apabilitiesdata/caps_2.11.0.s390x.xml index 9adca9d46b..4d1c808917 100644 --- a/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml +++ b/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml @@ -20,6 +20,7 @@ + diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml b/tests/qem= ucapabilitiesdata/caps_2.12.0.aarch64.xml index de41d96cd0..44c78cfac2 100644 --- a/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml +++ b/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml @@ -35,6 +35,7 @@ + diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml b/tests/qemuc= apabilitiesdata/caps_2.12.0.ppc64.xml index fc26f934ee..4ade335b39 100644 --- a/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml +++ b/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml @@ -34,6 +34,7 @@ + diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml b/tests/qemuc= apabilitiesdata/caps_2.12.0.s390x.xml index bdfb81c998..ebec23d872 100644 --- a/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml +++ b/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml @@ -20,6 +20,7 @@ + diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml b/tests/qemu= capabilitiesdata/caps_2.12.0.x86_64.xml index 820b3ef759..06ed284488 100644 --- a/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml @@ -44,6 +44,7 @@ + diff --git a/tests/qemucapabilitiesdata/caps_2.4.0.x86_64.xml b/tests/qemuc= apabilitiesdata/caps_2.4.0.x86_64.xml index 871eb5e4a7..7b4126d109 100644 --- a/tests/qemucapabilitiesdata/caps_2.4.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_2.4.0.x86_64.xml @@ -46,6 +46,7 @@ + diff --git a/tests/qemucapabilitiesdata/caps_2.5.0.x86_64.xml b/tests/qemuc= apabilitiesdata/caps_2.5.0.x86_64.xml index 90dce5a700..c9e497f7e7 100644 --- a/tests/qemucapabilitiesdata/caps_2.5.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_2.5.0.x86_64.xml @@ -46,6 +46,7 @@ + diff --git a/tests/qemucapabilitiesdata/caps_2.6.0.aarch64.xml b/tests/qemu= capabilitiesdata/caps_2.6.0.aarch64.xml index 4298548948..188d87f1a0 100644 --- a/tests/qemucapabilitiesdata/caps_2.6.0.aarch64.xml +++ b/tests/qemucapabilitiesdata/caps_2.6.0.aarch64.xml @@ -37,6 +37,7 @@ + diff --git a/tests/qemucapabilitiesdata/caps_2.6.0.ppc64.xml b/tests/qemuca= pabilitiesdata/caps_2.6.0.ppc64.xml index 07cdc49b03..9862b9fc6d 100644 --- a/tests/qemucapabilitiesdata/caps_2.6.0.ppc64.xml +++ b/tests/qemucapabilitiesdata/caps_2.6.0.ppc64.xml @@ -34,6 +34,7 @@ + diff --git a/tests/qemucapabilitiesdata/caps_2.6.0.x86_64.xml b/tests/qemuc= apabilitiesdata/caps_2.6.0.x86_64.xml index 4c6371a6cd..cfb202bc8e 100644 --- a/tests/qemucapabilitiesdata/caps_2.6.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_2.6.0.x86_64.xml @@ -46,6 +46,7 @@ + diff --git a/tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml b/tests/qemuca= pabilitiesdata/caps_2.7.0.s390x.xml index f86fc5c0c0..49b3cb2dfa 100644 --- a/tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml +++ b/tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml @@ -20,6 +20,7 @@ + diff --git a/tests/qemucapabilitiesdata/caps_2.7.0.x86_64.xml b/tests/qemuc= apabilitiesdata/caps_2.7.0.x86_64.xml index c322d18d7d..02eff02d45 100644 --- a/tests/qemucapabilitiesdata/caps_2.7.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_2.7.0.x86_64.xml @@ -46,6 +46,7 @@ + diff --git a/tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml b/tests/qemuca= pabilitiesdata/caps_2.8.0.s390x.xml index 84546b72b9..985a4114c5 100644 --- a/tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml +++ b/tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml @@ -20,6 +20,7 @@ + diff --git a/tests/qemucapabilitiesdata/caps_2.8.0.x86_64.xml b/tests/qemuc= apabilitiesdata/caps_2.8.0.x86_64.xml index 7c329ad4c7..7b4f9beac1 100644 --- a/tests/qemucapabilitiesdata/caps_2.8.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_2.8.0.x86_64.xml @@ -46,6 +46,7 @@ + diff --git a/tests/qemucapabilitiesdata/caps_2.9.0.ppc64.xml b/tests/qemuca= pabilitiesdata/caps_2.9.0.ppc64.xml index cfc9405095..c9aae0b1f0 100644 --- a/tests/qemucapabilitiesdata/caps_2.9.0.ppc64.xml +++ b/tests/qemucapabilitiesdata/caps_2.9.0.ppc64.xml @@ -34,6 +34,7 @@ + diff --git a/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml b/tests/qemuca= pabilitiesdata/caps_2.9.0.s390x.xml index 96521efb8a..2bcda54bc6 100644 --- a/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml +++ b/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml @@ -20,6 +20,7 @@ + diff --git a/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml b/tests/qemuc= apabilitiesdata/caps_2.9.0.x86_64.xml index 0701c244f6..7556e40204 100644 --- a/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml @@ -46,6 +46,7 @@ + --=20 2.16.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Tue Apr 30 09:50:38 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1526648596325218.09119702956866; Fri, 18 May 2018 06:03:16 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 74E15300174E; Fri, 18 May 2018 13:03:14 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 08D5D20155F9; Fri, 18 May 2018 13:03:14 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 857741801254; Fri, 18 May 2018 13:03:12 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id w4ID3AUt000859 for ; Fri, 18 May 2018 09:03:10 -0400 Received: by smtp.corp.redhat.com (Postfix) id 8443683B98; Fri, 18 May 2018 13:03:10 +0000 (UTC) Received: from icr.brq.redhat.com (unknown [10.43.2.100]) by smtp.corp.redhat.com (Postfix) with ESMTP id 28DA483B89 for ; Fri, 18 May 2018 13:03:10 +0000 (UTC) From: =?UTF-8?q?J=C3=A1n=20Tomko?= To: libvir-list@redhat.com Date: Fri, 18 May 2018 15:03:04 +0200 Message-Id: <9af0bf59b27a747abb1ea7134dbec80e11b82cb3.1526648461.git.jtomko@redhat.com> In-Reply-To: References: In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 2/2] qemu: only pass -sandbox off if supported X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.25 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.46]); Fri, 18 May 2018 13:03:15 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 This way we don't rely on QEMU supplying the -sandbox option without CONFIG_SECCOMP. Signed-off-by: J=C3=A1n Tomko Reviewed-by: John Ferlan --- src/qemu/qemu_command.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index f3724a766b..755e371caa 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -9849,7 +9849,8 @@ qemuBuildSeccompSandboxCommandLine(virCommandPtr cmd, virQEMUCapsPtr qemuCaps ATTRIBUTE_UNUSE= D) { if (cfg->seccompSandbox =3D=3D 0) { - virCommandAddArgList(cmd, "-sandbox", "off", NULL); + if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SECCOMP_SANDBOX)) + virCommandAddArgList(cmd, "-sandbox", "off", NULL); return 0; } =20 --=20 2.16.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list