From: Eduardo Otubo <otubo@redhat.com>
To: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: Yi Min Zhao <zyimin@linux.ibm.com>,
qemu-devel@nongnu.org, jtomko@redhat.com, jferlan@redhat.com,
berrange@redhat.com, fiuczy@linux.ibm.com,
libvir-list@redhat.com
Subject: Re: [Qemu-devel] [PATCH 0/1] Bug: Sandbox: libvirt breakdowns qemu guest
Date: Mon, 7 May 2018 12:33:20 +0200 [thread overview]
Message-ID: <20180507103320.GE17261@vader> (raw)
In-Reply-To: <df015c61-0dde-da33-86eb-31abbd6ec805@de.ibm.com>
On 07/05/2018 - 11:29:57, Christian Borntraeger wrote:
> On 05/07/2018 05:32 AM, Yi Min Zhao wrote:
> > 1. Problem Description
> > ======================
> > If QEMU is built without seccomp support, 'elevatorprivileges' remains compiled.
> > This option of sandbox is treated as an indication for seccomp blacklist support
> > in libvirt. This behavior is introduced by the libvirt commits 31ca6a5 and
> > 3527f9d. It would make libvirt build wrong QEMU cmdline, and then the guest
> > startup would fail.
>
> Adding libvirt list.
>
> This would still fail with older QEMUs, so the question is if we should also OR instead
> change something in libvirt.
Perhaps I'm missing something here, but libvirt can differentiate between
different versions of QEMU, therefore not calling it with wrong or outdated
arguments.
>
> >
> > 2. Libvirt Log
> > ==============
> > qemu-system-s390x: -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,\
> > resourcecontrol=deny: seccomp support is disabled
> >
> > 3. Fixup
> > ========
> > Wrap the options except 'enable' for qemu_sandbox_opts by CONFIG_SECCOMP.
> >
> > Yi Min Zhao (1):
> > sandbox: avoid to compile options if CONFIG_SECCOMP undefined
> >
> > vl.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
>
--
Eduardo Otubo
next prev parent reply other threads:[~2018-05-07 10:33 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-07 3:32 [Qemu-devel] [PATCH 0/1] Bug: Sandbox: libvirt breakdowns qemu guest Yi Min Zhao
2018-05-07 3:32 ` [Qemu-devel] [PATCH 1/1] sandbox: avoid to compile options if CONFIG_SECCOMP undefined Yi Min Zhao
2018-05-07 10:31 ` Eduardo Otubo
2018-05-07 13:27 ` Yi Min Zhao
2018-05-07 18:04 ` Eric Blake
2018-05-07 22:18 ` Yi Min Zhao
2018-05-08 10:37 ` Daniel P. Berrangé
2018-05-09 4:40 ` Yi Min Zhao
2018-05-09 12:48 ` Eric Blake
2018-05-09 14:23 ` Ján Tomko
2018-05-07 9:29 ` [Qemu-devel] [PATCH 0/1] Bug: Sandbox: libvirt breakdowns qemu guest Christian Borntraeger
2018-05-07 10:33 ` Eduardo Otubo [this message]
2018-05-07 12:02 ` [Qemu-devel] [libvirt] " Ján Tomko
2018-05-07 12:12 ` Christian Borntraeger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180507103320.GE17261@vader \
--to=otubo@redhat.com \
--cc=berrange@redhat.com \
--cc=borntraeger@de.ibm.com \
--cc=fiuczy@linux.ibm.com \
--cc=jferlan@redhat.com \
--cc=jtomko@redhat.com \
--cc=libvir-list@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=zyimin@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.