QEMU commit 1bd6152 changed the default behavior from whitelist
to blacklist and introduced a few sets of system calls.
Use the 'elevateprivileges' parameter of -sandbox as a witness
of this change.
https://bugzilla.redhat.com/show_bug.cgi?id=1492597
Signed-off-by: Ján Tomko <jtomko(a)redhat.com>
---
src/qemu/qemu_capabilities.c | 2 ++
src/qemu/qemu_capabilities.h | 1 +
tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 1 +
7 files changed, 8 insertions(+)
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 35905e993..729e29e20 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -468,6 +468,7 @@ VIR_ENUM_IMPL(virQEMUCaps, QEMU_CAPS_LAST,
"virtio-tablet-ccw",
"qcow2-luks",
"pcie-pci-bridge",
+ "seccomp-blacklist",
);
@@ -3214,6 +3215,7 @@ static struct virQEMUCapsCommandLineProps virQEMUCapsCommandLine[] =
{
{ "machine", "loadparm", QEMU_CAPS_LOADPARM },
{ "vnc", "vnc", QEMU_CAPS_VNC_MULTI_SERVERS },
{ "chardev", "reconnect", QEMU_CAPS_CHARDEV_RECONNECT },
+ { "sandbox", "elevateprivileges", QEMU_CAPS_SECCOMP_BLACKLIST },
};
static int
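Review bot: The added entry `{ "sandbox", "elevateprivileges", QEMU_CAPS_SECCOMP_BLACKLIST }` uses the presence of one parameter as a stand-in for a change in the filter's default policy, and neither this line nor the enum comment in qemu_capabilities.h (`/* -sandbox.elevateprivileges */`) says so. I would reword the enum comment to `/* -sandbox defaults to a blacklist filter; probed via elevateprivileges */` so later users of the flag read it as a statement about default confinement rather than about option syntax. The distinction matters for hardening: on a binary with this flag, plain `-sandbox on` presumably filters less than it did under the whitelist, so the code that builds the command line (not visible in this patch) needs to request the deny sets explicitly. The array's opening lines and the function that follows lie outside the hunk.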
diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
index bec28cae9..d88102f34 100644
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -452,6 +452,7 @@ typedef enum {
QEMU_CAPS_DEVICE_VIRTIO_TABLET_CCW, /* -device virtio-tablet-ccw */
QEMU_CAPS_QCOW2_LUKS, /* qcow2 format support LUKS encryption */
QEMU_CAPS_DEVICE_PCIE_PCI_BRIDGE, /* -device pcie-pci-bridge */
+ QEMU_CAPS_SECCOMP_BLACKLIST, /* -sandbox.elevateprivileges */
QEMU_CAPS_LAST /* this must always be the last item */
} virQEMUCapsFlags;
diff --git a/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml
b/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml
index cbd645ae9..3861666e5 100644
--- a/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml
@@ -151,6 +151,7 @@
<flag name='virtio-mouse-ccw'/>
<flag name='virtio-tablet-ccw'/>
<flag name='qcow2-luks'/>
+ <flag name='seccomp-blacklist'/>
<version>2011000</version>
<kvmVersion>0</kvmVersion>
<microcodeVersion>342058</microcodeVersion>
diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml
b/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml
index 66629ff5b..39238a9b6 100644
--- a/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml
@@ -189,6 +189,7 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
+ <flag name='seccomp-blacklist'/>
<version>2011090</version>
<kvmVersion>0</kvmVersion>
<microcodeVersion>342346</microcodeVersion>
diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml
b/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml
index 1122d6408..6bf293b9d 100644
--- a/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml
@@ -186,6 +186,7 @@
<flag name='machine.pseries.max-cpu-compat'/>
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
+ <flag name='seccomp-blacklist'/>
<version>2011090</version>
<kvmVersion>0</kvmVersion>
<microcodeVersion>419215</microcodeVersion>
diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml
b/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml
index 191b1e0e3..b77aec9c9 100644
--- a/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml
@@ -151,6 +151,7 @@
<flag name='virtio-mouse-ccw'/>
<flag name='virtio-tablet-ccw'/>
<flag name='qcow2-luks'/>
+ <flag name='seccomp-blacklist'/>
<version>2011090</version>
<kvmVersion>0</kvmVersion>
<microcodeVersion>0</microcodeVersion>
diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml
index 4ed2e1ea9..1bb825c9b 100644
--- a/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml
@@ -227,6 +227,7 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
+ <flag name='seccomp-blacklist'/>
<version>2011090</version>
<kvmVersion>0</kvmVersion>
<microcodeVersion>390060</microcodeVersion>
--
2.16.1