QEMU changed the behavior of -sandbox on since 2.11 and it no longer
whitelists all the possible calls.
Override the meaning of seccomp_sandbox = 1 in qemu.conf
to block the privilege elevation set and spawn set on top of the
default.
Do the same by default even if no option is specified, hoping
that this should be enough for everybody (TM)
Sending as RFC to ask whether:
* this is a sensible default
* a coarse setting like this is enough
or it makes sense to expose the individual sets in qemu.conf
(in that case - can I reasonably promote an int setting to a list of strings?)
Ján Tomko (2):
Introduce QEMU_CAPS_SECCOMP_BLACKLIST
qemu: deny privilege elevation and spawn in seccomp
 src/qemu/qemu_capabilities.c                       |  2 ++
 src/qemu/qemu_capabilities.h                       |  1 +
 src/qemu/qemu_command.c                            | 10 +++++--
 tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml   |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml   |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml   |  1 +
 tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml  |  1 +
 tests/qemuxml2argvdata/minimal-sandbox.args        | 25 ++++++++++++++++
 tests/qemuxml2argvdata/minimal-sandbox.xml         | 34 ++++++++++++++++++++++
 tests/qemuxml2argvtest.c                           |  3 ++
 11 files changed, 78 insertions(+), 2 deletions(-)
create mode 100644 tests/qemuxml2argvdata/minimal-sandbox.args
create mode 100644 tests/qemuxml2argvdata/minimal-sandbox.xml
--
2.13.6
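As an added illustration (not part of the cover letter or of the libvirt series), the mapping described above, from the qemu.conf seccomp_sandbox value to a QEMU -sandbox argument, next to a small audit of a running QEMU's argv. It assumes QEMU's documented -sandbox syntax (`-sandbox on[,elevateprivileges=allow|deny|children][,spawn=allow|deny]`), the cover letter's stated mapping (1 and unset deny both sets when QEMU supports them, 0 turns the sandbox off), and that a QEMU without the per-set options gets the old plain `-sandbox on`; the function names and the "hardened"/"default-filter"/"no-filter" labels are the example's own.

```python
"""Added example, not libvirt's or QEMU's code.

build_sandbox_arg() mirrors the cover letter's description of what
seccomp_sandbox in qemu.conf should turn into; audit_argv() checks an
actual QEMU argv (e.g. /proc/<pid>/cmdline split on NUL) for the result.
The exact mapping for an unset value on a QEMU without the deny options
is an assumption here (kept as "add nothing", the pre-series behaviour).
"""

# The two sets the cover letter wants denied on top of QEMU's default filter.
DENY_SETS = ("elevateprivileges", "spawn")


def build_sandbox_arg(seccomp_sandbox, qemu_has_deny_sets):
    """Return the argv tail to append, or [] to add nothing.

    seccomp_sandbox: None (unset in qemu.conf), 0 or 1.
    qemu_has_deny_sets: whether this QEMU understands the per-set
    allow/deny options (the series' QEMU_CAPS_SECCOMP_BLACKLIST flag).
    """
    if seccomp_sandbox == 0:
        return ["-sandbox", "off"]
    if not qemu_has_deny_sets:
        # Old QEMU: only an explicit 1 yields the coarse "-sandbox on";
        # an unset value leaves the decision to QEMU (assumption).
        return ["-sandbox", "on"] if seccomp_sandbox == 1 else []
    # 1 and unset both get the hardened form once QEMU supports it.
    return ["-sandbox", "on," + ",".join(f"{s}=deny" for s in DENY_SETS)]


def parse_sandbox(argv):
    """Collect -sandbox settings from a QEMU argv.

    Returns None when no -sandbox option is present, otherwise a dict with
    'enabled' plus one key per set option. Repeated -sandbox options are
    merged with later keys winning (an assumption about QEMU's parsing).
    """
    result = None
    for i, arg in enumerate(argv):
        if arg != "-sandbox" or i + 1 >= len(argv):
            continue
        parts = argv[i + 1].split(",")
        if result is None:
            result = {}
        result["enabled"] = parts[0] == "on"
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            result[key] = value
    return result


def audit_argv(argv):
    """Classify a QEMU command line by what its seccomp filter blocks.

    'no-filter'      : -sandbox absent or off (QEMU defaults to no filter)
    'default-filter' : -sandbox on, but elevateprivileges/spawn still allowed
    'hardened'       : both sets explicitly denied
    """
    settings = parse_sandbox(argv)
    if settings is None or not settings["enabled"]:
        return "no-filter"
    if all(settings.get(s) == "deny" for s in DENY_SETS):
        return "hardened"
    return "default-filter"


def read_argv(pid):
    """Read /proc/<pid>/cmdline into a list (Linux only)."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return [a.decode() for a in f.read().split(b"\0") if a]


if __name__ == "__main__":
    # Constructed argv samples standing in for /proc/<pid>/cmdline.
    samples = {
        "coarse": ["qemu-system-x86_64", "-sandbox", "on"],
        "none": ["qemu-system-x86_64", "-m", "512"],
        "conf=1": ["qemu-system-x86_64"] + build_sandbox_arg(1, True),
    }
    for name, argv in samples.items():
        print(f"{name:8s} -> {audit_argv(argv)}")
```

For a live check, `audit_argv(read_argv(pid))` on each qemu process answers whether the new default actually reached the command line; a "default-filter" result on a QEMU 2.11+ host means only QEMU's own default set is filtered and the privilege-elevation and spawn calls are still permitted.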