On Tue, Sep 11, 2012 at 02:58:19PM +0200, Ján Tomko wrote:
--- src/qemu/qemu.conf | 8 ++++++++ src/qemu/qemu_conf.c | 5 +++++ src/qemu/qemu_conf.h | 1 +
Also need to update src/qemu/libvirtd_qemu.aug for this - I am suprised 'make check' passed without doing this.
3 files changed, 14 insertions(+), 0 deletions(-)
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index 6cd0d80..a2a0824 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -378,3 +378,11 @@ # #keepalive_interval = 5 #keepalive_count = 5 + + + +# Use seccomp syscall whitelisting in QEMU. +# 1 = on, 0 = off, -1 = use QEMU default +# Defaults to -1. +# +#sandbox = 1
Can we call this 'seccomp_sandbox', since 'sandbox' on its own is quite an overloaded term. eg we might yuse kernel namespaces in the future to sandbox things.
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index e9e15c5..f4a6077 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -129,6 +129,7 @@ int qemudLoadDriverConfig(struct qemud_driver *driver,
driver->keepAliveInterval = 5; driver->keepAliveCount = 5; + driver->sandbox = -1;
/* Just check the file is readable before opening it, otherwise * libvirt emits an error. @@ -570,6 +571,10 @@ int qemudLoadDriverConfig(struct qemud_driver *driver, CHECK_TYPE("keepalive_count", VIR_CONF_LONG); if (p) driver->keepAliveCount = p->l;
+ p = virConfGetValue(conf, "sandbox"); + CHECK_TYPE("sandbox", VIR_CONF_LONG); + if (p) driver->sandbox = p->l; + virConfFree (conf); return 0; } diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index ac285f6..34b952f 100644 --- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h @@ -152,6 +152,7 @@ struct qemud_driver {
int keepAliveInterval; unsigned int keepAliveCount; + int sandbox;
s/int/bool/ Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|