On Thu, Aug 30, 2018 at 02:09:41PM +0200, marcandre.lureau@xxxxxxxxxx wrote:
From: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx> With qemu <= 3.0, when using "-seccomp on", the seccomp policy is only applied to the main thread, the vcpu worker thread and other worker threads created after seccomp policy is applied; the seccomp policy is not applied to e.g. the RCU thread because it is created before the seccomp policy is applied. Since qemu commit 70dfabeaa79ba4d7a3b699abe1a047c8012db114 "seccomp: set the seccomp filter to all threads", qemu will require seccomp TSYNC flag, and will fail to start if the flag isn't available. Without it, sandboxing is flawed. Disable seccomp capability if the host is not capable of using seccomp TSYNC.
Is there a reason for qemu to advertise 'sandbox' in query-commandline-options if it's not usable? Copying the QEMU logic in libvirt does not seem sustainable. Jano
Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx> --- configure.ac | 2 +- src/qemu/qemu_capabilities.c | 27 +++++++++++++++++++++++++++ 2 files changed, 28 insertions(+), 1 deletion(-)
Attachment:
signature.asc
Description: Digital signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list