On a Friday in 2020, Daniel P. Berrangé wrote:
The concept we're really testing for is whether QEMU supports
the seccomp syscall filter groups. We need to keep one place
using the old term to deal with upgrades from existing hosts
with running VMs.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/qemu/qemu.conf | 2 +-
src/qemu/qemu_capabilities.c | 4 ++--
src/qemu/qemu_capabilities.h | 2 +-
src/qemu/qemu_command.c | 4 ++--
src/qemu/qemu_domain.c | 10 +++++++---
tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml | 2 +-
tests/qemucapabilitiesdata/caps_2.11.0.x86_64.xml | 2 +-
tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 2 +-
tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml | 2 +-
tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml | 2 +-
tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 2 +-
tests/qemucapabilitiesdata/caps_3.0.0.ppc64.xml | 2 +-
tests/qemucapabilitiesdata/caps_3.0.0.riscv32.xml | 2 +-
tests/qemucapabilitiesdata/caps_3.0.0.riscv64.xml | 2 +-
tests/qemucapabilitiesdata/caps_3.0.0.s390x.xml | 2 +-
tests/qemucapabilitiesdata/caps_3.0.0.x86_64.xml | 2 +-
tests/qemucapabilitiesdata/caps_3.1.0.ppc64.xml | 2 +-
tests/qemucapabilitiesdata/caps_3.1.0.x86_64.xml | 2 +-
tests/qemucapabilitiesdata/caps_4.0.0.aarch64.xml | 2 +-
tests/qemucapabilitiesdata/caps_4.0.0.ppc64.xml | 2 +-
tests/qemucapabilitiesdata/caps_4.0.0.riscv32.xml | 2 +-
tests/qemucapabilitiesdata/caps_4.0.0.riscv64.xml | 2 +-
tests/qemucapabilitiesdata/caps_4.0.0.s390x.xml | 2 +-
tests/qemucapabilitiesdata/caps_4.0.0.x86_64.xml | 2 +-
tests/qemucapabilitiesdata/caps_4.1.0.x86_64.xml | 2 +-
tests/qemucapabilitiesdata/caps_4.2.0.aarch64.xml | 2 +-
tests/qemucapabilitiesdata/caps_4.2.0.ppc64.xml | 2 +-
tests/qemucapabilitiesdata/caps_4.2.0.s390x.xml | 2 +-
tests/qemucapabilitiesdata/caps_4.2.0.x86_64.xml | 2 +-
tests/qemucapabilitiesdata/caps_5.0.0.aarch64.xml | 2 +-
tests/qemucapabilitiesdata/caps_5.0.0.ppc64.xml | 2 +-
tests/qemucapabilitiesdata/caps_5.0.0.riscv64.xml | 2 +-
tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml | 2 +-
tests/qemucapabilitiesdata/caps_5.1.0.x86_64.xml | 2 +-
tests/qemustatusxml2xmldata/backup-pull-in.xml | 2 +-
tests/qemustatusxml2xmldata/blockjob-blockdev-in.xml | 2 +-
tests/qemuxml2argvtest.c | 2 +-
37 files changed, 45 insertions(+), 41 deletions(-)
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index f89dbd2c3a..99b9ce53e5 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -704,7 +704,7 @@
# If it is unset (or -1), then seccomp will be enabled
# only if QEMU >= 2.11.0 is detected, otherwise it is
# left disabled. This ensures the default config gets
-# protection for new QEMU using the blacklist approach.
+# protection for new QEMU with filter groups.
#
#seccomp_sandbox = 1
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 68fcbd3c4f..310be800e2 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -468,7 +468,7 @@ VIR_ENUM_IMPL(virQEMUCaps,
/* 285 */
"qcow2-luks",
"pcie-pci-bridge",
- "seccomp-blacklist",
+ "seccomp-filter-groups",
"query-cpus-fast",
"disk-write-cache",
@@ -3292,7 +3292,7 @@ static struct virQEMUCapsCommandLineProps virQEMUCapsCommandLine[] =
{
{ "vnc", "vnc", QEMU_CAPS_VNC_MULTI_SERVERS },
{ "chardev", "reconnect", QEMU_CAPS_CHARDEV_RECONNECT },
{ "sandbox", "enable", QEMU_CAPS_SECCOMP_SANDBOX },
- { "sandbox", "elevateprivileges", QEMU_CAPS_SECCOMP_BLACKLIST },
+ { "sandbox", "elevateprivileges", QEMU_CAPS_SECCOMP_FILTER_GROUPS
},
{ "chardev", "fd", QEMU_CAPS_CHARDEV_FD_PASS },
{ "overcommit", NULL, QEMU_CAPS_OVERCOMMIT },
{ "smp-opts", "dies", QEMU_CAPS_SMP_DIES },
diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
index ad93816d41..0ee3e357cb 100644
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -448,7 +448,7 @@ typedef enum { /* virQEMUCapsFlags grouping marker for syntax-check
*/
/* 285 */
QEMU_CAPS_QCOW2_LUKS, /* qcow2 format support LUKS encryption */
QEMU_CAPS_DEVICE_PCIE_PCI_BRIDGE, /* -device pcie-pci-bridge */
- QEMU_CAPS_SECCOMP_BLACKLIST, /* -sandbox.elevateprivileges */
+ QEMU_CAPS_SECCOMP_FILTER_GROUPS, /* -sandbox.elevateprivileges */
QEMU_CAPS_QUERY_CPUS_FAST, /* query-cpus-fast command */
QEMU_CAPS_DISK_WRITE_CACHE, /* qemu block frontends support write-cache param */
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index f27246b4c6..37113a433a 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -9517,8 +9517,8 @@ qemuBuildSeccompSandboxCommandLine(virCommandPtr cmd,
return 0;
}
- /* Use blacklist by default if supported */
- if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SECCOMP_BLACKLIST)) {
+ /* Block undesirable syscall groups by default if supported */
+ if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SECCOMP_FILTER_GROUPS)) {
While 'filter groups' describes the underlying QEMU functionality
better, we only use it to deny syscalls. So using 'blocklist' as
proposed in the RFC you linked would better show the contrast between
this and the old approach.
virCommandAddArgList(cmd, "-sandbox",
"on,obsolete=deny,elevateprivileges=deny,"
"spawn=deny,resourcecontrol=deny",
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 72874ee4fd..56ec5c0352 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -3851,9 +3851,13 @@ qemuDomainObjPrivateXMLParse(xmlXPathContextPtr ctxt,
if (str) {
int flag = virQEMUCapsTypeFromString(str);
if (flag < 0) {
- virReportError(VIR_ERR_INTERNAL_ERROR,
- _("Unknown qemu capabilities flag %s"),
str);
- goto error;
+ if (g_str_equal(str, "seccomp-blacklist")) {
+ flag = QEMU_CAPS_SECCOMP_FILTER_GROUPS;
I'd just leave the XML as-is, to avoid introducing this special-casing.
Jano
+ } else {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Unknown qemu capabilities flag %s"),
str);
+ goto error;
+ }
}
virQEMUCapsSet(qemuCaps, flag);
}