Re: [libvirt] [PATCH v0] qemu: Add sandbox support.

QEMU (since 1.2-rc0) supports setting up a syscall whitelist through libseccomp on linux kernel from 3.5-rc1. This is enabled by specifying -sandbox on on qemu command line. This patch detects this capability by searching for -sandbox in qemu help output and runs qemu with -sandbox on if sandbox is set to non-zero in qemu.conf. --- Should this option be in qemu.conf, or would it be better to set it per-domain in the XML? --- src/qemu/qemu.conf | 6 ++++++ src/qemu/qemu_capabilities.c | 3 +++ src/qemu/qemu_capabilities.h | 1 + src/qemu/qemu_command.c | 3 +++ src/qemu/qemu_conf.c | 5 +++++ src/qemu/qemu_conf.h | 1 + 6 files changed, 19 insertions(+), 0 deletions(-) diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index d3175fa..47e510e 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -375,3 +375,9 @@ # #keepalive_interval = 5 #keepalive_count = 5 + + + +# Enable this to use seccomp syscall whitelisting in QEMU. +# +#sandbox = 1 diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c index 2ba7956..b0728e8 100644 --- a/src/qemu/qemu_capabilities.c +++ b/src/qemu/qemu_capabilities.c @@ -176,6 +176,7 @@ VIR_ENUM_IMPL(qemuCaps, QEMU_CAPS_LAST, "disable-s3", "disable-s4", /* 105 */ + "sandbox" ); struct qemu_feature_flags { @@ -1139,6 +1140,8 @@ qemuCapsComputeCmdFlags(const char *help, } if (strstr(help, "-smbios type")) qemuCapsSet(flags, QEMU_CAPS_SMBIOS_TYPE); + if (strstr(help, "-sandbox")) + qemuCapsSet(flags, QEMU_CAPS_SANDBOX); if ((netdev = strstr(help, "-netdev"))) { /* Disable -netdev on 0.12 since although it exists, diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h index a7b3a06..0066901 100644 --- a/src/qemu/qemu_capabilities.h +++ b/src/qemu/qemu_capabilities.h @@ -141,6 +141,7 @@ enum qemuCapsFlags { QEMU_CAPS_IOLIMITS = 103, /* -device ...logical_block_size & co */ QEMU_CAPS_DISABLE_S3 = 104, /* S3 BIOS Advertisement on/off */ QEMU_CAPS_DISABLE_S4 = 105, /* S4 BIOS Advertisement on/off */ + QEMU_CAPS_SANDBOX = 106, /* -sandbox */ QEMU_CAPS_LAST, /* this must always be the last item */ }; diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index e739f34..737d4d9 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -6462,6 +6462,9 @@ qemuBuildCommandLine(virConnectPtr conn, ? qemucmd->env_value[i] : ""); } + if (driver->sandbox && qemuCapsGet(qemuCaps, QEMU_CAPS_SANDBOX)) + virCommandAddArgList(cmd, "-sandbox", "on", NULL); + return cmd; no_memory: diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index e9e15c5..a367fcd 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -129,6 +129,7 @@ int qemudLoadDriverConfig(struct qemud_driver *driver, driver->keepAliveInterval = 5; driver->keepAliveCount = 5; + driver->sandbox = false; /* Just check the file is readable before opening it, otherwise * libvirt emits an error. @@ -570,6 +571,10 @@ int qemudLoadDriverConfig(struct qemud_driver *driver, CHECK_TYPE("keepalive_count", VIR_CONF_LONG); if (p) driver->keepAliveCount = p->l; + p = virConfGetValue(conf, "sandbox"); + CHECK_TYPE("sandbox", VIR_CONF_LONG); + if (p) driver->sandbox = p->l; + virConfFree (conf); return 0; } diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index ac285f6..f1b6465 100644 --- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h @@ -152,6 +152,7 @@ struct qemud_driver { int keepAliveInterval; unsigned int keepAliveCount; + bool sandbox; }; typedef struct _qemuDomainCmdlineDef qemuDomainCmdlineDef;