On 07/05/2018 - 11:29:57, Christian Borntraeger wrote: > On 05/07/2018 05:32 AM, Yi Min Zhao wrote: > > 1. Problem Description > > ====================== > > If QEMU is built without seccomp support, 'elevatorprivileges' remains compiled. > > This option of sandbox is treated as an indication for seccomp blacklist support > > in libvirt. This behavior is introduced by the libvirt commits 31ca6a5 and > > 3527f9d. It would make libvirt build wrong QEMU cmdline, and then the guest > > startup would fail. > > Adding libvirt list. > > This would still fail with older QEMUs, so the question is if we should also OR instead > change something in libvirt. Perhaps I'm missing something here, but libvirt can differentiate between different versions of QEMU, therefore not calling it with wrong or outdated arguments. > > > > > 2. Libvirt Log > > ============== > > qemu-system-s390x: -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,\ > > resourcecontrol=deny: seccomp support is disabled > > > > 3. Fixup > > ======== > > Wrap the options except 'enable' for qemu_sandbox_opts by CONFIG_SECCOMP. > > > > Yi Min Zhao (1): > > sandbox: avoid to compile options if CONFIG_SECCOMP undefined > > > > vl.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > -- Eduardo Otubo -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
