[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [PATCHv2 0/4] qemu: enable sandbox whitelist by default



v1: https://www.redhat.com/archives/libvir-list/2018-March/msg01965.html
https://bugzilla.redhat.com/show_bug.cgi?id=1492597
v2:
* also deny resource control
* split out and refactor the command line building
* be explicit about denying the obsolete syscalls

Ján Tomko (4):
  Introduce QEMU_CAPS_SECCOMP_BLACKLIST
  Introduce qemuBuildSeccompSandboxCommandLine
  Refactor qemuBuildSeccompSandboxCommandLine
  qemu: deny privilege elevation and spawn in seccomp

 src/qemu/qemu.conf                                 |  7 ++--
 src/qemu/qemu_capabilities.c                       |  2 +
 src/qemu/qemu_capabilities.h                       |  1 +
 src/qemu/qemu_command.c                            | 46 +++++++++++++++++-----
 tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml   |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml   |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml   |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml  |  1 +
 tests/qemuxml2argvdata/minimal-sandbox.args        | 29 ++++++++++++++
 tests/qemuxml2argvdata/minimal-sandbox.xml         | 34 ++++++++++++++++
 tests/qemuxml2argvtest.c                           | 11 ++++++
 12 files changed, 123 insertions(+), 12 deletions(-)
 create mode 100644 tests/qemuxml2argvdata/minimal-sandbox.args
 create mode 100644 tests/qemuxml2argvdata/minimal-sandbox.xml

-- 
2.16.1


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]