9:28 a.m.
Inspired by Peter's q-c-l-o cleanups.
Ján Tomko (5):
qemu: always assume QEMU_CAPS_SECCOMP_BLACKLIST
qemu: conf: simplify seccomp_sandbox comment
qemu: seccomp: remove dead code
qemu: capabilities: deprecate QEMU_CAPS_SECCOMP_BLACKLIST
qemu: capabilities: do not look at parameters for sandbox
src/qemu/qemu.conf | 11 +++++------
src/qemu/qemu_capabilities.c | 5 ++---
src/qemu/qemu_capabilities.h | 2 +-
src/qemu/qemu_command.c | 7 +------
tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml | 1 -
tests/qemucapabilitiesdata/caps_2.11.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 1 -
tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml | 1 -
tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml | 1 -
tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_3.0.0.ppc64.xml | 1 -
tests/qemucapabilitiesdata/caps_3.0.0.riscv32.xml | 1 -
tests/qemucapabilitiesdata/caps_3.0.0.riscv64.xml | 1 -
tests/qemucapabilitiesdata/caps_3.0.0.s390x.xml | 1 -
tests/qemucapabilitiesdata/caps_3.0.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_3.1.0.ppc64.xml | 1 -
tests/qemucapabilitiesdata/caps_3.1.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_4.0.0.aarch64.xml | 1 -
tests/qemucapabilitiesdata/caps_4.0.0.ppc64.xml | 1 -
tests/qemucapabilitiesdata/caps_4.0.0.riscv32.xml | 1 -
tests/qemucapabilitiesdata/caps_4.0.0.riscv64.xml | 1 -
tests/qemucapabilitiesdata/caps_4.0.0.s390x.xml | 1 -
tests/qemucapabilitiesdata/caps_4.0.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_4.1.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_4.2.0.aarch64.xml | 1 -
tests/qemucapabilitiesdata/caps_4.2.0.ppc64.xml | 1 -
tests/qemucapabilitiesdata/caps_4.2.0.s390x.xml | 1 -
tests/qemucapabilitiesdata/caps_4.2.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_5.0.0.aarch64.xml | 1 -
tests/qemucapabilitiesdata/caps_5.0.0.ppc64.xml | 1 -
tests/qemucapabilitiesdata/caps_5.0.0.riscv64.xml | 1 -
tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_5.1.0.sparc.xml | 1 -
tests/qemucapabilitiesdata/caps_5.1.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_5.2.0.aarch64.xml | 1 -
tests/qemucapabilitiesdata/caps_5.2.0.ppc64.xml | 1 -
tests/qemucapabilitiesdata/caps_5.2.0.riscv64.xml | 1 -
tests/qemucapabilitiesdata/caps_5.2.0.s390x.xml | 1 -
tests/qemucapabilitiesdata/caps_5.2.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_6.0.0.aarch64.xml | 1 -
tests/qemucapabilitiesdata/caps_6.0.0.s390x.xml | 1 -
tests/qemucapabilitiesdata/caps_6.0.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml | 1 -
43 files changed, 9 insertions(+), 55 deletions(-)
--
2.31.1
9:28 a.m.
New subject: [libvirt PATCH 1/5] qemu: always assume QEMU_CAPS_SECCOMP_BLACKLIST
elevateprivileges was introduced by QEMU commit:
73a1e64725 "seccomp: add elevateprivileges argument to command line"
released in 2.11.0
and later made conditional on SECCOMP support by:
9d0fdecbad sandbox: disable -sandbox if CONFIG_SECCOMP undefined
Use the existence of the sandbox option as a witness for its support.
Signed-off-by: Ján Tomko <jtomko(a)redhat.com>
---
src/qemu/qemu_command.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index b60ee1192b..fa9998a191 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -10120,7 +10120,7 @@ qemuBuildSeccompSandboxCommandLine(virCommand *cmd,
}
/* Use blacklist by default if supported */
- if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SECCOMP_BLACKLIST)) {
+ if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SECCOMP_SANDBOX)) {
virCommandAddArgList(cmd, "-sandbox",
"on,obsolete=deny,elevateprivileges=deny,"
"spawn=deny,resourcecontrol=deny",
--
2.31.1
9:28 a.m.
New subject: [libvirt PATCH 2/5] qemu: conf: simplify seccomp_sandbox comment
It contains too many negations and conditions that are
no longer relevant now that we only support QEMU >= 2.11.
Signed-off-by: Ján Tomko <jtomko(a)redhat.com>
---
src/qemu/qemu.conf | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 8722dc169c..71fd125699 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -769,13 +769,12 @@
-# Use seccomp syscall sandbox in QEMU.
-# 1 == seccomp enabled, 0 == seccomp disabled
+# Use seccomp syscall filtering sandbox in QEMU.
+# 1 == filter enabled, 0 == filter disabled
#
-# If it is unset (or -1), then seccomp will be enabled
-# only if QEMU >= 2.11.0 is detected, otherwise it is
-# left disabled. This ensures the default config gets
-# protection for new QEMU using the blacklist approach.
+# Unless this option is disabled, QEMU will be run with
+# a seccomp filter that stops it from executing certain
+# syscalls.
#
#seccomp_sandbox = 1
--
2.31.1
9:28 a.m.
New subject: [libvirt PATCH 3/5] qemu: seccomp: remove dead code
There is no QEMU we support that would need the old syntax
for -sandbox on.
Signed-off-by: Ján Tomko <jtomko(a)redhat.com>
---
src/qemu/qemu_command.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index fa9998a191..48df8818a6 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -10119,7 +10119,6 @@ qemuBuildSeccompSandboxCommandLine(virCommand *cmd,
return 0;
}
- /* Use blacklist by default if supported */
if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SECCOMP_SANDBOX)) {
virCommandAddArgList(cmd, "-sandbox",
"on,obsolete=deny,elevateprivileges=deny,"
@@ -10128,10 +10127,6 @@ qemuBuildSeccompSandboxCommandLine(virCommand *cmd,
return 0;
}
- /* Seccomp whitelist is opt-in */
- if (cfg->seccompSandbox > 0)
- virCommandAddArgList(cmd, "-sandbox", "on", NULL);
-
return 0;
}
--
2.31.1
9:28 a.m.
New subject: [libvirt PATCH 4/5] qemu: capabilities: deprecate QEMU_CAPS_SECCOMP_BLACKLIST
Signed-off-by: Ján Tomko <jtomko(a)redhat.com>
---
src/qemu/qemu_capabilities.c | 3 +--
src/qemu/qemu_capabilities.h | 2 +-
tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml | 1 -
tests/qemucapabilitiesdata/caps_2.11.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 1 -
tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml | 1 -
tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml | 1 -
tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_3.0.0.ppc64.xml | 1 -
tests/qemucapabilitiesdata/caps_3.0.0.riscv32.xml | 1 -
tests/qemucapabilitiesdata/caps_3.0.0.riscv64.xml | 1 -
tests/qemucapabilitiesdata/caps_3.0.0.s390x.xml | 1 -
tests/qemucapabilitiesdata/caps_3.0.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_3.1.0.ppc64.xml | 1 -
tests/qemucapabilitiesdata/caps_3.1.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_4.0.0.aarch64.xml | 1 -
tests/qemucapabilitiesdata/caps_4.0.0.ppc64.xml | 1 -
tests/qemucapabilitiesdata/caps_4.0.0.riscv32.xml | 1 -
tests/qemucapabilitiesdata/caps_4.0.0.riscv64.xml | 1 -
tests/qemucapabilitiesdata/caps_4.0.0.s390x.xml | 1 -
tests/qemucapabilitiesdata/caps_4.0.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_4.1.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_4.2.0.aarch64.xml | 1 -
tests/qemucapabilitiesdata/caps_4.2.0.ppc64.xml | 1 -
tests/qemucapabilitiesdata/caps_4.2.0.s390x.xml | 1 -
tests/qemucapabilitiesdata/caps_4.2.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_5.0.0.aarch64.xml | 1 -
tests/qemucapabilitiesdata/caps_5.0.0.ppc64.xml | 1 -
tests/qemucapabilitiesdata/caps_5.0.0.riscv64.xml | 1 -
tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_5.1.0.sparc.xml | 1 -
tests/qemucapabilitiesdata/caps_5.1.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_5.2.0.aarch64.xml | 1 -
tests/qemucapabilitiesdata/caps_5.2.0.ppc64.xml | 1 -
tests/qemucapabilitiesdata/caps_5.2.0.riscv64.xml | 1 -
tests/qemucapabilitiesdata/caps_5.2.0.s390x.xml | 1 -
tests/qemucapabilitiesdata/caps_5.2.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_6.0.0.aarch64.xml | 1 -
tests/qemucapabilitiesdata/caps_6.0.0.s390x.xml | 1 -
tests/qemucapabilitiesdata/caps_6.0.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml | 1 -
41 files changed, 2 insertions(+), 42 deletions(-)
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index db5432c9fc..4f18a2488a 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -468,7 +468,7 @@ VIR_ENUM_IMPL(virQEMUCaps,
/* 285 */
"qcow2-luks", /* QEMU_CAPS_QCOW2_LUKS */
"pcie-pci-bridge", /* QEMU_CAPS_DEVICE_PCIE_PCI_BRIDGE */
- "seccomp-blacklist", /* QEMU_CAPS_SECCOMP_BLACKLIST */
+ "seccomp-blacklist", /* X_QEMU_CAPS_SECCOMP_BLACKLIST */
"query-cpus-fast", /* QEMU_CAPS_QUERY_CPUS_FAST */
"disk-write-cache", /* QEMU_CAPS_DISK_WRITE_CACHE */
@@ -3209,7 +3209,6 @@ static struct virQEMUCapsCommandLineProps virQEMUCapsCommandLine[] =
{
{ "numa", NULL, QEMU_CAPS_NUMA }, /* not needed after qemuCaps->version
< 3000000 */
{ "overcommit", NULL, QEMU_CAPS_OVERCOMMIT },
{ "sandbox", "enable", QEMU_CAPS_SECCOMP_SANDBOX },
- { "sandbox", "elevateprivileges", QEMU_CAPS_SECCOMP_BLACKLIST },
{ "spice", "gl", QEMU_CAPS_SPICE_GL },
{ "spice", "unix", QEMU_CAPS_SPICE_UNIX },
{ "spice", "rendernode", QEMU_CAPS_SPICE_RENDERNODE },
diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
index 097f28bd40..786c695880 100644
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -448,7 +448,7 @@ typedef enum { /* virQEMUCapsFlags grouping marker for syntax-check
*/
/* 285 */
QEMU_CAPS_QCOW2_LUKS, /* qcow2 format support LUKS encryption */
QEMU_CAPS_DEVICE_PCIE_PCI_BRIDGE, /* -device pcie-pci-bridge */
- QEMU_CAPS_SECCOMP_BLACKLIST, /* -sandbox.elevateprivileges */
+ X_QEMU_CAPS_SECCOMP_BLACKLIST, /* -sandbox.elevateprivileges */
QEMU_CAPS_QUERY_CPUS_FAST, /* query-cpus-fast command */
QEMU_CAPS_DISK_WRITE_CACHE, /* qemu block frontends support write-cache param */
diff --git a/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml
b/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml
index f2a89d5c58..602b7ea10f 100644
--- a/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml
@@ -79,7 +79,6 @@
<flag name='virtio-mouse-ccw'/>
<flag name='virtio-tablet-ccw'/>
<flag name='qcow2-luks'/>
- <flag name='seccomp-blacklist'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
<flag name='pr-manager-helper'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.11.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_2.11.0.x86_64.xml
index 1e08a04c82..8749f4ee64 100644
--- a/tests/qemucapabilitiesdata/caps_2.11.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.11.0.x86_64.xml
@@ -149,7 +149,6 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
- <flag name='seccomp-blacklist'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
<flag name='pr-manager-helper'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml
b/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml
index 3b01fef4f1..6e2daa8cea 100644
--- a/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml
@@ -112,7 +112,6 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml
b/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml
index a808015ab2..bc6d8ac396 100644
--- a/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml
@@ -108,7 +108,6 @@
<flag name='machine.pseries.max-cpu-compat'/>
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml
b/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml
index 288aba3bc0..d66adcd8f4 100644
--- a/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml
@@ -79,7 +79,6 @@
<flag name='virtio-mouse-ccw'/>
<flag name='virtio-tablet-ccw'/>
<flag name='qcow2-luks'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml
index 43060efbac..984529f5f5 100644
--- a/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml
@@ -146,7 +146,6 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_3.0.0.ppc64.xml
b/tests/qemucapabilitiesdata/caps_3.0.0.ppc64.xml
index 4c48c2ced2..fcfaef079a 100644
--- a/tests/qemucapabilitiesdata/caps_3.0.0.ppc64.xml
+++ b/tests/qemucapabilitiesdata/caps_3.0.0.ppc64.xml
@@ -107,7 +107,6 @@
<flag name='machine.pseries.max-cpu-compat'/>
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_3.0.0.riscv32.xml
b/tests/qemucapabilitiesdata/caps_3.0.0.riscv32.xml
index e8fabd1817..7b4ca7c0a4 100644
--- a/tests/qemucapabilitiesdata/caps_3.0.0.riscv32.xml
+++ b/tests/qemucapabilitiesdata/caps_3.0.0.riscv32.xml
@@ -52,7 +52,6 @@
<flag name='disk-share-rw'/>
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_3.0.0.riscv64.xml
b/tests/qemucapabilitiesdata/caps_3.0.0.riscv64.xml
index 1ac6e45ddc..4a3d105ef8 100644
--- a/tests/qemucapabilitiesdata/caps_3.0.0.riscv64.xml
+++ b/tests/qemucapabilitiesdata/caps_3.0.0.riscv64.xml
@@ -52,7 +52,6 @@
<flag name='disk-share-rw'/>
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_3.0.0.s390x.xml
b/tests/qemucapabilitiesdata/caps_3.0.0.s390x.xml
index 1a2b45f43b..d7a2526463 100644
--- a/tests/qemucapabilitiesdata/caps_3.0.0.s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_3.0.0.s390x.xml
@@ -81,7 +81,6 @@
<flag name='virtio-mouse-ccw'/>
<flag name='virtio-tablet-ccw'/>
<flag name='qcow2-luks'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_3.0.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_3.0.0.x86_64.xml
index 35284d476d..5d4927a7e8 100644
--- a/tests/qemucapabilitiesdata/caps_3.0.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_3.0.0.x86_64.xml
@@ -148,7 +148,6 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_3.1.0.ppc64.xml
b/tests/qemucapabilitiesdata/caps_3.1.0.ppc64.xml
index 5f15ce0b99..9a7be45ee9 100644
--- a/tests/qemucapabilitiesdata/caps_3.1.0.ppc64.xml
+++ b/tests/qemucapabilitiesdata/caps_3.1.0.ppc64.xml
@@ -108,7 +108,6 @@
<flag name='machine.pseries.max-cpu-compat'/>
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_3.1.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_3.1.0.x86_64.xml
index b1f326c32b..4e56e62908 100644
--- a/tests/qemucapabilitiesdata/caps_3.1.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_3.1.0.x86_64.xml
@@ -148,7 +148,6 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_4.0.0.aarch64.xml
b/tests/qemucapabilitiesdata/caps_4.0.0.aarch64.xml
index de7a495266..bc4e8032e7 100644
--- a/tests/qemucapabilitiesdata/caps_4.0.0.aarch64.xml
+++ b/tests/qemucapabilitiesdata/caps_4.0.0.aarch64.xml
@@ -113,7 +113,6 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_4.0.0.ppc64.xml
b/tests/qemucapabilitiesdata/caps_4.0.0.ppc64.xml
index d5dd46105e..b312e77f99 100644
--- a/tests/qemucapabilitiesdata/caps_4.0.0.ppc64.xml
+++ b/tests/qemucapabilitiesdata/caps_4.0.0.ppc64.xml
@@ -115,7 +115,6 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_4.0.0.riscv32.xml
b/tests/qemucapabilitiesdata/caps_4.0.0.riscv32.xml
index 4b3ff9c237..8518630324 100644
--- a/tests/qemucapabilitiesdata/caps_4.0.0.riscv32.xml
+++ b/tests/qemucapabilitiesdata/caps_4.0.0.riscv32.xml
@@ -115,7 +115,6 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_4.0.0.riscv64.xml
b/tests/qemucapabilitiesdata/caps_4.0.0.riscv64.xml
index 44903c3b8f..21e4cc7a2d 100644
--- a/tests/qemucapabilitiesdata/caps_4.0.0.riscv64.xml
+++ b/tests/qemucapabilitiesdata/caps_4.0.0.riscv64.xml
@@ -115,7 +115,6 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_4.0.0.s390x.xml
b/tests/qemucapabilitiesdata/caps_4.0.0.s390x.xml
index f17003a446..98d3ed773d 100644
--- a/tests/qemucapabilitiesdata/caps_4.0.0.s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_4.0.0.s390x.xml
@@ -81,7 +81,6 @@
<flag name='virtio-mouse-ccw'/>
<flag name='virtio-tablet-ccw'/>
<flag name='qcow2-luks'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_4.0.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_4.0.0.x86_64.xml
index 512239c6c8..49a5dfb255 100644
--- a/tests/qemucapabilitiesdata/caps_4.0.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_4.0.0.x86_64.xml
@@ -147,7 +147,6 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_4.1.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_4.1.0.x86_64.xml
index 2f7f9caf0c..8ebeae479f 100644
--- a/tests/qemucapabilitiesdata/caps_4.1.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_4.1.0.x86_64.xml
@@ -147,7 +147,6 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_4.2.0.aarch64.xml
b/tests/qemucapabilitiesdata/caps_4.2.0.aarch64.xml
index 57470c66d9..4a8eb0a02e 100644
--- a/tests/qemucapabilitiesdata/caps_4.2.0.aarch64.xml
+++ b/tests/qemucapabilitiesdata/caps_4.2.0.aarch64.xml
@@ -115,7 +115,6 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_4.2.0.ppc64.xml
b/tests/qemucapabilitiesdata/caps_4.2.0.ppc64.xml
index 6b2d2e0ea3..74dc0ff20c 100644
--- a/tests/qemucapabilitiesdata/caps_4.2.0.ppc64.xml
+++ b/tests/qemucapabilitiesdata/caps_4.2.0.ppc64.xml
@@ -115,7 +115,6 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_4.2.0.s390x.xml
b/tests/qemucapabilitiesdata/caps_4.2.0.s390x.xml
index 290de2730e..9531360c20 100644
--- a/tests/qemucapabilitiesdata/caps_4.2.0.s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_4.2.0.s390x.xml
@@ -81,7 +81,6 @@
<flag name='virtio-mouse-ccw'/>
<flag name='virtio-tablet-ccw'/>
<flag name='qcow2-luks'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_4.2.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_4.2.0.x86_64.xml
index b8d53e0db1..826d7d7391 100644
--- a/tests/qemucapabilitiesdata/caps_4.2.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_4.2.0.x86_64.xml
@@ -148,7 +148,6 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_5.0.0.aarch64.xml
b/tests/qemucapabilitiesdata/caps_5.0.0.aarch64.xml
index ac1ef84195..69a7e49170 100644
--- a/tests/qemucapabilitiesdata/caps_5.0.0.aarch64.xml
+++ b/tests/qemucapabilitiesdata/caps_5.0.0.aarch64.xml
@@ -117,7 +117,6 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_5.0.0.ppc64.xml
b/tests/qemucapabilitiesdata/caps_5.0.0.ppc64.xml
index 2708ac16f6..13e4f6c8bb 100644
--- a/tests/qemucapabilitiesdata/caps_5.0.0.ppc64.xml
+++ b/tests/qemucapabilitiesdata/caps_5.0.0.ppc64.xml
@@ -117,7 +117,6 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_5.0.0.riscv64.xml
b/tests/qemucapabilitiesdata/caps_5.0.0.riscv64.xml
index 6a90077c13..1244c3f3d3 100644
--- a/tests/qemucapabilitiesdata/caps_5.0.0.riscv64.xml
+++ b/tests/qemucapabilitiesdata/caps_5.0.0.riscv64.xml
@@ -115,7 +115,6 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml
index c8934543bd..4e52632455 100644
--- a/tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml
@@ -148,7 +148,6 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_5.1.0.sparc.xml
b/tests/qemucapabilitiesdata/caps_5.1.0.sparc.xml
index 7b8abcd902..5e5e6f816b 100644
--- a/tests/qemucapabilitiesdata/caps_5.1.0.sparc.xml
+++ b/tests/qemucapabilitiesdata/caps_5.1.0.sparc.xml
@@ -44,7 +44,6 @@
<flag name='isa-serial'/>
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_5.1.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_5.1.0.x86_64.xml
index f17e502f75..bfead7e210 100644
--- a/tests/qemucapabilitiesdata/caps_5.1.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_5.1.0.x86_64.xml
@@ -147,7 +147,6 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_5.2.0.aarch64.xml
b/tests/qemucapabilitiesdata/caps_5.2.0.aarch64.xml
index bc524d5e99..0a3128de5b 100644
--- a/tests/qemucapabilitiesdata/caps_5.2.0.aarch64.xml
+++ b/tests/qemucapabilitiesdata/caps_5.2.0.aarch64.xml
@@ -116,7 +116,6 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_5.2.0.ppc64.xml
b/tests/qemucapabilitiesdata/caps_5.2.0.ppc64.xml
index 82e89ba544..3e067e4e7e 100644
--- a/tests/qemucapabilitiesdata/caps_5.2.0.ppc64.xml
+++ b/tests/qemucapabilitiesdata/caps_5.2.0.ppc64.xml
@@ -115,7 +115,6 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_5.2.0.riscv64.xml
b/tests/qemucapabilitiesdata/caps_5.2.0.riscv64.xml
index 17d6245259..02c7ff8da1 100644
--- a/tests/qemucapabilitiesdata/caps_5.2.0.riscv64.xml
+++ b/tests/qemucapabilitiesdata/caps_5.2.0.riscv64.xml
@@ -113,7 +113,6 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_5.2.0.s390x.xml
b/tests/qemucapabilitiesdata/caps_5.2.0.s390x.xml
index 3a0d0b585a..fa207ffaf5 100644
--- a/tests/qemucapabilitiesdata/caps_5.2.0.s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_5.2.0.s390x.xml
@@ -79,7 +79,6 @@
<flag name='virtio-mouse-ccw'/>
<flag name='virtio-tablet-ccw'/>
<flag name='qcow2-luks'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_5.2.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_5.2.0.x86_64.xml
index e09880e937..d7ed08e12d 100644
--- a/tests/qemucapabilitiesdata/caps_5.2.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_5.2.0.x86_64.xml
@@ -147,7 +147,6 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_6.0.0.aarch64.xml
b/tests/qemucapabilitiesdata/caps_6.0.0.aarch64.xml
index d678d713ad..78da04a3e5 100644
--- a/tests/qemucapabilitiesdata/caps_6.0.0.aarch64.xml
+++ b/tests/qemucapabilitiesdata/caps_6.0.0.aarch64.xml
@@ -117,7 +117,6 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_6.0.0.s390x.xml
b/tests/qemucapabilitiesdata/caps_6.0.0.s390x.xml
index 1dc2f1fe19..a70a489d62 100644
--- a/tests/qemucapabilitiesdata/caps_6.0.0.s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_6.0.0.s390x.xml
@@ -79,7 +79,6 @@
<flag name='virtio-mouse-ccw'/>
<flag name='virtio-tablet-ccw'/>
<flag name='qcow2-luks'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_6.0.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_6.0.0.x86_64.xml
index 571336c1fa..a84d5f30cf 100644
--- a/tests/qemucapabilitiesdata/caps_6.0.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_6.0.0.x86_64.xml
@@ -146,7 +146,6 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
diff --git a/tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml
index 74b87847d0..f8f26eb9ff 100644
--- a/tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml
@@ -145,7 +145,6 @@
<flag name='dump-completed'/>
<flag name='qcow2-luks'/>
<flag name='pcie-pci-bridge'/>
- <flag name='seccomp-blacklist'/>
<flag name='query-cpus-fast'/>
<flag name='disk-write-cache'/>
<flag name='nbd-tls'/>
--
2.31.1
9:28 a.m.
New subject: [libvirt PATCH 5/5] qemu: capabilities: do not look at parameters for sandbox
Assume the presence of the 'sandbox' option is enough,
no need to look at the parameters.
Signed-off-by: Ján Tomko <jtomko(a)redhat.com>
---
src/qemu/qemu_capabilities.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 4f18a2488a..bfb59965e2 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -3208,7 +3208,7 @@ static struct virQEMUCapsCommandLineProps virQEMUCapsCommandLine[] =
{
{ "machine", "kernel_irqchip", QEMU_CAPS_MACHINE_KERNEL_IRQCHIP
},
{ "numa", NULL, QEMU_CAPS_NUMA }, /* not needed after qemuCaps->version
< 3000000 */
{ "overcommit", NULL, QEMU_CAPS_OVERCOMMIT },
- { "sandbox", "enable", QEMU_CAPS_SECCOMP_SANDBOX },
+ { "sandbox", NULL, QEMU_CAPS_SECCOMP_SANDBOX },
{ "spice", "gl", QEMU_CAPS_SPICE_GL },
{ "spice", "unix", QEMU_CAPS_SPICE_UNIX },
{ "spice", "rendernode", QEMU_CAPS_SPICE_RENDERNODE },
--
2.31.1
3:11 a.m.
On 9/24/21 4:28 PM, Ján Tomko wrote:
Inspired by Peter's q-c-l-o cleanups.
Ján Tomko (5):
qemu: always assume QEMU_CAPS_SECCOMP_BLACKLIST
qemu: conf: simplify seccomp_sandbox comment
qemu: seccomp: remove dead code
qemu: capabilities: deprecate QEMU_CAPS_SECCOMP_BLACKLIST
qemu: capabilities: do not look at parameters for sandbox
src/qemu/qemu.conf | 11 +++++------
src/qemu/qemu_capabilities.c | 5 ++---
src/qemu/qemu_capabilities.h | 2 +-
src/qemu/qemu_command.c | 7 +------
tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml | 1 -
tests/qemucapabilitiesdata/caps_2.11.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 1 -
tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml | 1 -
tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml | 1 -
tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_3.0.0.ppc64.xml | 1 -
tests/qemucapabilitiesdata/caps_3.0.0.riscv32.xml | 1 -
tests/qemucapabilitiesdata/caps_3.0.0.riscv64.xml | 1 -
tests/qemucapabilitiesdata/caps_3.0.0.s390x.xml | 1 -
tests/qemucapabilitiesdata/caps_3.0.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_3.1.0.ppc64.xml | 1 -
tests/qemucapabilitiesdata/caps_3.1.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_4.0.0.aarch64.xml | 1 -
tests/qemucapabilitiesdata/caps_4.0.0.ppc64.xml | 1 -
tests/qemucapabilitiesdata/caps_4.0.0.riscv32.xml | 1 -
tests/qemucapabilitiesdata/caps_4.0.0.riscv64.xml | 1 -
tests/qemucapabilitiesdata/caps_4.0.0.s390x.xml | 1 -
tests/qemucapabilitiesdata/caps_4.0.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_4.1.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_4.2.0.aarch64.xml | 1 -
tests/qemucapabilitiesdata/caps_4.2.0.ppc64.xml | 1 -
tests/qemucapabilitiesdata/caps_4.2.0.s390x.xml | 1 -
tests/qemucapabilitiesdata/caps_4.2.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_5.0.0.aarch64.xml | 1 -
tests/qemucapabilitiesdata/caps_5.0.0.ppc64.xml | 1 -
tests/qemucapabilitiesdata/caps_5.0.0.riscv64.xml | 1 -
tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_5.1.0.sparc.xml | 1 -
tests/qemucapabilitiesdata/caps_5.1.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_5.2.0.aarch64.xml | 1 -
tests/qemucapabilitiesdata/caps_5.2.0.ppc64.xml | 1 -
tests/qemucapabilitiesdata/caps_5.2.0.riscv64.xml | 1 -
tests/qemucapabilitiesdata/caps_5.2.0.s390x.xml | 1 -
tests/qemucapabilitiesdata/caps_5.2.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_6.0.0.aarch64.xml | 1 -
tests/qemucapabilitiesdata/caps_6.0.0.s390x.xml | 1 -
tests/qemucapabilitiesdata/caps_6.0.0.x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml | 1 -
43 files changed, 9 insertions(+), 55 deletions(-)
Reviewed-by: Michal Privoznik <mprivozn(a)redhat.com>
Michal
1154
days inactive
1155
days old
6 comments
2 participants
participants (2)
-
Ján Tomko -
Michal Prívozník