From: Paolo Bonzini <pbonzini@redhat.com>
To: qemu-devel@nongnu.org
Cc: Yi Min Zhao <zyimin@linux.ibm.com>
Subject: [Qemu-devel] [PULL 01/53] sandbox: disable -sandbox if CONFIG_SECCOMP undefined
Date: Thu, 31 May 2018 19:12:01 +0200	[thread overview]
Message-ID: <20180531171253.21012-2-pbonzini@redhat.com> (raw)
In-Reply-To: <20180531171253.21012-1-pbonzini@redhat.com>

From: Yi Min Zhao <zyimin@linux.ibm.com>

If CONFIG_SECCOMP is undefined, the '-sandbox' option (including its
'elevateprivileges' sub-option) is still compiled in and accepted on the
command line. This makes libvirt detect the corresponding capability and
then fail during guest startup. This patch moves the code
regarding seccomp command line options to qemu-seccomp.c file and
wraps qemu_opts_foreach finding sandbox option with CONFIG_SECCOMP.
Because parse_sandbox() is moved into qemu-seccomp.c file, change
seccomp_start() to static function.

Signed-off-by: Yi Min Zhao <zyimin@linux.ibm.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Tested-by: Ján Tomko <jtomko@redhat.com>
Acked-by: Eduardo Otubo <otubo@redhat.com>
Message-Id: <20180531032937.1925-1-zyimin@linux.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 include/sysemu/seccomp.h |   3 +-
 qemu-seccomp.c           | 121 +++++++++++++++++++++++++++++++++++++-
 vl.c                     | 124 +++------------------------------------
 3 files changed, 130 insertions(+), 118 deletions(-)

diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h
index 9b092aa23f..fe859894f6 100644
--- a/include/sysemu/seccomp.h
+++ b/include/sysemu/seccomp.h
@@ -21,5 +21,6 @@
 #define QEMU_SECCOMP_SET_SPAWN       (1 << 3)
 #define QEMU_SECCOMP_SET_RESOURCECTL (1 << 4)
 
-int seccomp_start(uint32_t seccomp_opts);
+int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp);
+
 #endif
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index b770a77d33..148e4c6f24 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -13,6 +13,11 @@
  * GNU GPL, version 2 or (at your option) any later version.
  */
 #include "qemu/osdep.h"
+#include "qemu/config-file.h"
+#include "qemu/option.h"
+#include "qemu/module.h"
+#include "qemu/error-report.h"
+#include <sys/prctl.h>
 #include <seccomp.h>
 #include "sysemu/seccomp.h"
 
@@ -96,7 +101,7 @@ static const struct QemuSeccompSyscall blacklist[] = {
 };
 
 
-int seccomp_start(uint32_t seccomp_opts)
+static int seccomp_start(uint32_t seccomp_opts)
 {
     int rc = 0;
     unsigned int i = 0;
@@ -125,3 +130,117 @@ int seccomp_start(uint32_t seccomp_opts)
     seccomp_release(ctx);
     return rc;
 }
+
+#ifdef CONFIG_SECCOMP
+int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp)
+{
+    if (qemu_opt_get_bool(opts, "enable", false)) {
+        uint32_t seccomp_opts = QEMU_SECCOMP_SET_DEFAULT
+                | QEMU_SECCOMP_SET_OBSOLETE;
+        const char *value = NULL;
+
+        value = qemu_opt_get(opts, "obsolete");
+        if (value) {
+            if (g_str_equal(value, "allow")) {
+                seccomp_opts &= ~QEMU_SECCOMP_SET_OBSOLETE;
+            } else if (g_str_equal(value, "deny")) {
+                /* this is the default option, this if is here
+                 * to provide a little bit of consistency for
+                 * the command line */
+            } else {
+                error_report("invalid argument for obsolete");
+                return -1;
+            }
+        }
+
+        value = qemu_opt_get(opts, "elevateprivileges");
+        if (value) {
+            if (g_str_equal(value, "deny")) {
+                seccomp_opts |= QEMU_SECCOMP_SET_PRIVILEGED;
+            } else if (g_str_equal(value, "children")) {
+                seccomp_opts |= QEMU_SECCOMP_SET_PRIVILEGED;
+
+                /* calling prctl directly because we're
+                 * not sure if host has CAP_SYS_ADMIN set*/
+                if (prctl(PR_SET_NO_NEW_PRIVS, 1)) {
+                    error_report("failed to set no_new_privs "
+                                 "aborting");
+                    return -1;
+                }
+            } else if (g_str_equal(value, "allow")) {
+                /* default value */
+            } else {
+                error_report("invalid argument for elevateprivileges");
+                return -1;
+            }
+        }
+
+        value = qemu_opt_get(opts, "spawn");
+        if (value) {
+            if (g_str_equal(value, "deny")) {
+                seccomp_opts |= QEMU_SECCOMP_SET_SPAWN;
+            } else if (g_str_equal(value, "allow")) {
+                /* default value */
+            } else {
+                error_report("invalid argument for spawn");
+                return -1;
+            }
+        }
+
+        value = qemu_opt_get(opts, "resourcecontrol");
+        if (value) {
+            if (g_str_equal(value, "deny")) {
+                seccomp_opts |= QEMU_SECCOMP_SET_RESOURCECTL;
+            } else if (g_str_equal(value, "allow")) {
+                /* default value */
+            } else {
+                error_report("invalid argument for resourcecontrol");
+                return -1;
+            }
+        }
+
+        if (seccomp_start(seccomp_opts) < 0) {
+            error_report("failed to install seccomp syscall filter "
+                         "in the kernel");
+            return -1;
+        }
+    }
+
+    return 0;
+}
+
+static QemuOptsList qemu_sandbox_opts = {
+    .name = "sandbox",
+    .implied_opt_name = "enable",
+    .head = QTAILQ_HEAD_INITIALIZER(qemu_sandbox_opts.head),
+    .desc = {
+        {
+            .name = "enable",
+            .type = QEMU_OPT_BOOL,
+        },
+        {
+            .name = "obsolete",
+            .type = QEMU_OPT_STRING,
+        },
+        {
+            .name = "elevateprivileges",
+            .type = QEMU_OPT_STRING,
+        },
+        {
+            .name = "spawn",
+            .type = QEMU_OPT_STRING,
+        },
+        {
+            .name = "resourcecontrol",
+            .type = QEMU_OPT_STRING,
+        },
+        { /* end of list */ }
+    },
+};
+
+static void seccomp_register(void)
+{
+    qemu_add_opts(&qemu_sandbox_opts);
+}
+opts_init(seccomp_register);
+#endif
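Review bot: The `#ifdef CONFIG_SECCOMP` wrapping parse_sandbox and the option registration looks redundant inside this file: qemu-seccomp.c already includes `<seccomp.h>` unconditionally, so it is presumably only compiled when CONFIG_SECCOMP is set, and if it ever were compiled without it the unconditional prototype in sysemu/seccomp.h would declare a function with no definition. Either drop the guard or record why it is kept, e.g. `/* this file is only built with CONFIG_SECCOMP; guard mirrors the vl.c call sites */`. Note also that registration now happens via `opts_init(seccomp_register)` instead of the explicit `qemu_add_opts()` call that was in main(), so `qemu_find_opts("sandbox")` in vl.c depends on the OPTS module-init pass running before command-line parsing; that is presumably what the other opts_init users rely on, but a one-line comment above `opts_init(seccomp_register);` saying so would help the next reader.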
diff --git a/vl.c b/vl.c
index 038d7f8042..4a0e17833d 100644
--- a/vl.c
+++ b/vl.c
@@ -28,11 +28,7 @@
 #include "qemu/cutils.h"
 #include "qemu/help_option.h"
 #include "qemu/uuid.h"
-
-#ifdef CONFIG_SECCOMP
-#include <sys/prctl.h>
 #include "sysemu/seccomp.h"
-#endif
 
 #ifdef CONFIG_SDL
 #if defined(__APPLE__) || defined(main)
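Review bot: `sysemu/seccomp.h` is now included in vl.c on every build, including ones without libseccomp and non-Linux hosts, so the header must not pull in `<seccomp.h>` or `<sys/prctl.h>` itself. The header hunk above shows only `#define`s and the parse_sandbox prototype, but its include list is outside this patch, so please confirm it stays free of libseccomp dependencies (and that `QemuOpts`/`Error` are declared for it). A comment on the include, `/* header has no libseccomp dependency; safe without CONFIG_SECCOMP */`, would record that invariant.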
@@ -259,35 +255,6 @@ static QemuOptsList qemu_rtc_opts = {
     },
 };
 
-static QemuOptsList qemu_sandbox_opts = {
-    .name = "sandbox",
-    .implied_opt_name = "enable",
-    .head = QTAILQ_HEAD_INITIALIZER(qemu_sandbox_opts.head),
-    .desc = {
-        {
-            .name = "enable",
-            .type = QEMU_OPT_BOOL,
-        },
-        {
-            .name = "obsolete",
-            .type = QEMU_OPT_STRING,
-        },
-        {
-            .name = "elevateprivileges",
-            .type = QEMU_OPT_STRING,
-        },
-        {
-            .name = "spawn",
-            .type = QEMU_OPT_STRING,
-        },
-        {
-            .name = "resourcecontrol",
-            .type = QEMU_OPT_STRING,
-        },
-        { /* end of list */ }
-    },
-};
-
 static QemuOptsList qemu_option_rom_opts = {
     .name = "option-rom",
     .implied_opt_name = "romfile",
@@ -1043,88 +1010,6 @@ static int bt_parse(const char *opt)
     return 1;
 }
 
-static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp)
-{
-    if (qemu_opt_get_bool(opts, "enable", false)) {
-#ifdef CONFIG_SECCOMP
-        uint32_t seccomp_opts = QEMU_SECCOMP_SET_DEFAULT
-                | QEMU_SECCOMP_SET_OBSOLETE;
-        const char *value = NULL;
-
-        value = qemu_opt_get(opts, "obsolete");
-        if (value) {
-            if (g_str_equal(value, "allow")) {
-                seccomp_opts &= ~QEMU_SECCOMP_SET_OBSOLETE;
-            } else if (g_str_equal(value, "deny")) {
-                /* this is the default option, this if is here
-                 * to provide a little bit of consistency for
-                 * the command line */
-            } else {
-                error_report("invalid argument for obsolete");
-                return -1;
-            }
-        }
-
-        value = qemu_opt_get(opts, "elevateprivileges");
-        if (value) {
-            if (g_str_equal(value, "deny")) {
-                seccomp_opts |= QEMU_SECCOMP_SET_PRIVILEGED;
-            } else if (g_str_equal(value, "children")) {
-                seccomp_opts |= QEMU_SECCOMP_SET_PRIVILEGED;
-
-                /* calling prctl directly because we're
-                 * not sure if host has CAP_SYS_ADMIN set*/
-                if (prctl(PR_SET_NO_NEW_PRIVS, 1)) {
-                    error_report("failed to set no_new_privs "
-                                 "aborting");
-                    return -1;
-                }
-            } else if (g_str_equal(value, "allow")) {
-                /* default value */
-            } else {
-                error_report("invalid argument for elevateprivileges");
-                return -1;
-            }
-        }
-
-        value = qemu_opt_get(opts, "spawn");
-        if (value) {
-            if (g_str_equal(value, "deny")) {
-                seccomp_opts |= QEMU_SECCOMP_SET_SPAWN;
-            } else if (g_str_equal(value, "allow")) {
-                /* default value */
-            } else {
-                error_report("invalid argument for spawn");
-                return -1;
-            }
-        }
-
-        value = qemu_opt_get(opts, "resourcecontrol");
-        if (value) {
-            if (g_str_equal(value, "deny")) {
-                seccomp_opts |= QEMU_SECCOMP_SET_RESOURCECTL;
-            } else if (g_str_equal(value, "allow")) {
-                /* default value */
-            } else {
-                error_report("invalid argument for resourcecontrol");
-                return -1;
-            }
-        }
-
-        if (seccomp_start(seccomp_opts) < 0) {
-            error_report("failed to install seccomp syscall filter "
-                         "in the kernel");
-            return -1;
-        }
-#else
-        error_report("seccomp support is disabled");
-        return -1;
-#endif
-    }
-
-    return 0;
-}
-
 static int parse_name(void *opaque, QemuOpts *opts, Error **errp)
 {
     const char *proc_name;
@@ -3059,7 +2944,6 @@ int main(int argc, char **argv, char **envp)
     qemu_add_opts(&qemu_mem_opts);
     qemu_add_opts(&qemu_smp_opts);
     qemu_add_opts(&qemu_boot_opts);
-    qemu_add_opts(&qemu_sandbox_opts);
     qemu_add_opts(&qemu_add_fd_opts);
     qemu_add_opts(&qemu_object_opts);
     qemu_add_opts(&qemu_tpmdev_opts);
@@ -3957,11 +3841,17 @@ int main(int argc, char **argv, char **envp)
                 qtest_log = optarg;
                 break;
             case QEMU_OPTION_sandbox:
+#ifdef CONFIG_SECCOMP
                 opts = qemu_opts_parse_noisily(qemu_find_opts("sandbox"),
                                                optarg, true);
                 if (!opts) {
                     exit(1);
                 }
+#else
+                error_report("-sandbox support is not enabled "
+                             "in this QEMU binary");
+                exit(1);
+#endif
                 break;
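Review bot: This tightens behaviour for non-seccomp builds beyond what the commit message describes: before this change `-sandbox off` (enable=false) was accepted and was a no-op, and only `-sandbox on` failed later in parse_sandbox with "seccomp support is disabled"; now any `-sandbox` argument, including `off`, exits immediately. That is defensible since the "sandbox" option list is no longer registered in such builds, but it can break existing command lines, so either state it in the commit message or make the error text say so, e.g. `error_report("-sandbox support is not enabled in this QEMU binary (use no -sandbox option)");`. The enclosing main() switch continues outside the hunk.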
             case QEMU_OPTION_add_fd:
 #ifndef _WIN32
@@ -4048,10 +3938,12 @@ int main(int argc, char **argv, char **envp)
         exit(1);
     }
 
+#ifdef CONFIG_SECCOMP
     if (qemu_opts_foreach(qemu_find_opts("sandbox"),
                           parse_sandbox, NULL, NULL)) {
         exit(1);
     }
+#endif
 
     if (qemu_opts_foreach(qemu_find_opts("name"),
                           parse_name, NULL, NULL)) {
-- 
2.17.0
