qemu: simplify seccomp sandbox

[libvirt PATCH 1/5] qemu: always assume QEMU_CAPS_SECCOMP_BLACKLIST

Posted by Ján Tomko 4 years, 4 months ago

elevateprivileges was introduced by QEMU commit:
73a1e64725 "seccomp: add elevateprivileges argument to command line"
released in 2.11.0
and later made conditional on SECCOMP support by:
9d0fdecbad sandbox: disable -sandbox if CONFIG_SECCOMP undefined

Use the existence of the sandbox option as a witness for its support.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
---
 src/qemu/qemu_command.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index b60ee1192b..fa9998a191 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -10120,7 +10120,7 @@ qemuBuildSeccompSandboxCommandLine(virCommand *cmd,
     }
 
     /* Use blacklist by default if supported */
-    if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SECCOMP_BLACKLIST)) {
+    if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SECCOMP_SANDBOX)) {
         virCommandAddArgList(cmd, "-sandbox",
                              "on,obsolete=deny,elevateprivileges=deny,"
                              "spawn=deny,resourcecontrol=deny",
-- 
2.31.1

[libvirt PATCH 1/5] qemu: always assume QEMU_CAPS_SECCOMP_BLACKLIST
[libvirt PATCH 2/5] qemu: conf: simplify seccomp_sandbox comment
[libvirt PATCH 3/5] qemu: seccomp: remove dead code
[libvirt PATCH 4/5] qemu: capabilities: deprecate QEMU_CAPS_SECCOMP_BLACKLIST
[libvirt PATCH 5/5] qemu: capabilities: do not look at parameters for sandbox