On Tue, Sep 11, 2012 at 02:58:19PM +0200, Ján Tomko wrote:
> ---
> src/qemu/qemu.conf | 8 ++++++++
> src/qemu/qemu_conf.c | 5 +++++
> src/qemu/qemu_conf.h | 1 +
Also need to update src/qemu/libvirtd_qemu.aug for this - I am suprised 'make check' passed without doing this.
> 3 files changed, 14 insertions(+), 0 deletions(-)
>
> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> index 6cd0d80..a2a0824 100644
> --- a/src/qemu/qemu.conf
> +++ b/src/qemu/qemu.conf
> @@ -378,3 +378,11 @@
> #
> #keepalive_interval = 5
> #keepalive_count = 5
> +
> +
> +
> +# Use seccomp syscall whitelisting in QEMU.
> +# 1 = on, 0 = off, -1 = use QEMU default
> +# Defaults to -1.
> +#
> +#sandbox = 1
Can we call this 'seccomp_sandbox', since 'sandbox' on its own is quite an overloaded term. eg we might yuse kernel namespaces in the future to sandbox things.
> diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
> index e9e15c5..f4a6077 100644
> --- a/src/qemu/qemu_conf.c
> +++ b/src/qemu/qemu_conf.c
> @@ -129,6 +129,7 @@ int qemudLoadDriverConfig(struct qemud_driver *driver,
>
> driver->keepAliveInterval = 5;
> driver->keepAliveCount = 5;
> + driver->sandbox = -1;
>
> /* Just check the file is readable before opening it, otherwise
> * libvirt emits an error.
> @@ -570,6 +571,10 @@ int qemudLoadDriverConfig(struct qemud_driver *driver,
> CHECK_TYPE("keepalive_count", VIR_CONF_LONG);
> if (p) driver->keepAliveCount = p->l;
>
> + p = virConfGetValue(conf, "sandbox");
> + CHECK_TYPE("sandbox", VIR_CONF_LONG);
> + if (p) driver->sandbox = p->l;
> +
> virConfFree (conf);
> return 0;
> }
> diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
> index ac285f6..34b952f 100644
> --- a/src/qemu/qemu_conf.h
> +++ b/src/qemu/qemu_conf.h
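Review bot: In the second qemu_conf.c hunk (`@@ -570,6 +571,10 @@`), `if (p) driver->sandbox = p->l;` narrows a long to an int and accepts any number, although qemu.conf documents only 1, 0 and -1. For a setting that governs seccomp filtering, a mistyped or out-of-range value should fail the config load instead of being carried forward with whatever meaning later code gives it; how the field is consumed is not visible in this patch, so the effect of e.g. `sandbox = 2` cannot be judged from here. A guard such as `if (p && (p->l < -1 || p->l > 1)) { /* report the invalid value and fail like the other error paths here */ }` before the assignment would make the three documented states the only accepted ones. qemudLoadDriverConfig begins outside the hunk, so the exact error-reporting and cleanup path has to be matched to the surrounding code.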
> @@ -152,6 +152,7 @@ struct qemud_driver {
>
> int keepAliveInterval;
> unsigned int keepAliveCount;
> + int sandbox;
s/int/bool/ Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list