On 07/05/2018 - 11:29:57, Christian Borntraeger wrote:
On 05/07/2018 05:32 AM, Yi Min Zhao wrote:
> 1. Problem Description
> ======================
> If QEMU is built without seccomp support, 'elevatorprivileges' remains
compiled.
> This option of sandbox is treated as an indication for seccomp blacklist support
> in libvirt. This behavior is introduced by the libvirt commits 31ca6a5 and
> 3527f9d. It would make libvirt build wrong QEMU cmdline, and then the guest
> startup would fail.
Adding libvirt list.
This would still fail with older QEMUs, so the question is if we should also OR instead
change something in libvirt.
Perhaps I'm missing something here, but libvirt can differentiate between
different versions of QEMU, therefore not calling it with wrong or outdated
arguments.
>
> 2. Libvirt Log
> ==============
> qemu-system-s390x: -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,\
> resourcecontrol=deny: seccomp support is disabled
>
> 3. Fixup
> ========
> Wrap the options except 'enable' for qemu_sandbox_opts by CONFIG_SECCOMP.
>
> Yi Min Zhao (1):
> sandbox: avoid to compile options if CONFIG_SECCOMP undefined
>
> vl.c | 2 ++
> 1 file changed, 2 insertions(+)
>
--
Eduardo Otubo