[v1] seccomp branch queue

[Qemu-devel] [PULL 0/3] seccomp branch queue

Posted by Eduardo Otubo 5 years, 8 months ago

The following changes since commit 13b7b188501d419a7d63c016e00065bcc693b7d4:

  Merge remote-tracking branch 'remotes/kraxel/tags/vga-20180821-pull-request' into staging (2018-08-21 15:57:56 +0100)

are available in the Git repository at:

  https://github.com/otubo/qemu.git tags/pull-seccomp-20180822

for you to fetch changes up to 2131f3e6e98195b4ce43a87c78cd9d8cb9f4da2c:

  seccomp: set the seccomp filter to all threads (2018-08-22 17:35:34 +0200)

----------------------------------------------------------------
pull-seccomp-20180822

----------------------------------------------------------------
Marc-André Lureau (3):
      seccomp: use SIGSYS signal instead of killing the thread
      seccomp: prefer SCMP_ACT_KILL_PROCESS if available
      seccomp: set the seccomp filter to all threads

 qemu-options.hx |  2 ++
 qemu-seccomp.c  | 96 +++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 95 insertions(+), 3 deletions(-)

-- 
2.17.1

Re: [Qemu-devel] [PULL 0/3] seccomp branch queue

Posted by Eric Blake 5 years, 8 months ago

On 08/22/2018 10:40 AM, Eduardo Otubo wrote:
> The following changes since commit 13b7b188501d419a7d63c016e00065bcc693b7d4:
> 
>    Merge remote-tracking branch 'remotes/kraxel/tags/vga-20180821-pull-request' into staging (2018-08-21 15:57:56 +0100)
> 
> are available in the Git repository at:
> 
>    https://github.com/otubo/qemu.git tags/pull-seccomp-20180822
> 
> for you to fetch changes up to 2131f3e6e98195b4ce43a87c78cd9d8cb9f4da2c:
> 
>    seccomp: set the seccomp filter to all threads (2018-08-22 17:35:34 +0200)
> 
> ----------------------------------------------------------------
> pull-seccomp-20180822
> 
> ----------------------------------------------------------------
> Marc-André Lureau (3):
>        seccomp: use SIGSYS signal instead of killing the thread
>        seccomp: prefer SCMP_ACT_KILL_PROCESS if available
>        seccomp: set the seccomp filter to all threads

Let's hold off on this pull request until the technical debate on 3/3 
has settled (namely, there's no point in letting the process continue if 
tsync fails on older OS, because it is NOT providing the security that 
it claims).

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org

Re: [Qemu-devel] [PULL 0/3] seccomp branch queue

Posted by Daniel P. Berrangé 5 years, 8 months ago

Please don't merge this PULL request - the behaviour of the 3rd patch
is still being debated.

On Wed, Aug 22, 2018 at 05:40:27PM +0200, Eduardo Otubo wrote:
> The following changes since commit 13b7b188501d419a7d63c016e00065bcc693b7d4:
> 
>   Merge remote-tracking branch 'remotes/kraxel/tags/vga-20180821-pull-request' into staging (2018-08-21 15:57:56 +0100)
> 
> are available in the Git repository at:
> 
>   https://github.com/otubo/qemu.git tags/pull-seccomp-20180822
> 
> for you to fetch changes up to 2131f3e6e98195b4ce43a87c78cd9d8cb9f4da2c:
> 
>   seccomp: set the seccomp filter to all threads (2018-08-22 17:35:34 +0200)
> 
> ----------------------------------------------------------------
> pull-seccomp-20180822
> 
> ----------------------------------------------------------------
> Marc-André Lureau (3):
>       seccomp: use SIGSYS signal instead of killing the thread
>       seccomp: prefer SCMP_ACT_KILL_PROCESS if available
>       seccomp: set the seccomp filter to all threads
> 
>  qemu-options.hx |  2 ++
>  qemu-seccomp.c  | 96 +++++++++++++++++++++++++++++++++++++++++++++++++++++++--
>  2 files changed, 95 insertions(+), 3 deletions(-)
> 
> -- 
> 2.17.1
> 
> 

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|