seccomp branch queue

-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJWSZjUAAoJEP0M/1sS+L0vR3oH/3mlk8bMtuiNZbKE7SlwL7Nu
 7NdOnYlPHyX+wAV/dpjUf4WXIqAy0c01zOcy3a1uWslW52NgDU7Xn9sT5+j6Kc87
 PbRhWcN3tvApKgi2KD/il3/z7KnC6BUMbnsfIDM7ZAsejOshF69p72XVJmcsrsgK
 +J/2HD9RobJMt86JceaFRoWe5wBWp2AFydWcjOePqFkzcj6sHnQNbMl9YM8jw6/8
 nTc7NnK5DDYY+wgOBb14ywPhMLZBbjDHRoTGRhojx0HFd3/NcKUMxzgVqF/7A+2Y
 XZ2OE4yFe2Z8hQeCnE1wuUrgyqYgwOiVVgCk8ovHxYeqVzej8Qu863qQT4E56Bo=
 =dH0/
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/otubo/tags/pull-seccomp-20151116' into staging

seccomp branch queue

# gpg: Signature made Mon 16 Nov 2015 08:50:28 GMT using RSA key ID 12F8BD2F
# gpg: Good signature from "Eduardo Otubo (Software Engineer @ ProfitBricks) <eduardo.otubo@profitbricks.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 1C96 46B6 E1D1 C38A F2EC  3FDE FD0C FF5B 12F8 BD2F

* remotes/otubo/tags/pull-seccomp-20151116:
  seccomp: loosen library version dependency
  configure: arm/aarch64: allow enable-seccomp
  seccomp: add cacheflush to whitelist

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell 2015-11-16 12:09:47 +00:00
commit c257779e2a
2 changed files with 37 additions and 8 deletions

32
configure vendored

@ -1888,16 +1888,34 @@ fi
# libseccomp check # libseccomp check
if test "$seccomp" != "no" ; then if test "$seccomp" != "no" ; then
if test "$cpu" = "i386" || test "$cpu" = "x86_64" && case "$cpu" in
$pkg_config --atleast-version=2.1.1 libseccomp; then i386|x86_64)
libseccomp_minver="2.1.0"
;;
arm|aarch64)
libseccomp_minver="2.2.3"
;;
*)
libseccomp_minver=""
;;
esac
if test "$libseccomp_minver" != "" &&
$pkg_config --atleast-version=$libseccomp_minver libseccomp ; then
libs_softmmu="$libs_softmmu `$pkg_config --libs libseccomp`" libs_softmmu="$libs_softmmu `$pkg_config --libs libseccomp`"
QEMU_CFLAGS="$QEMU_CFLAGS `$pkg_config --cflags libseccomp`" QEMU_CFLAGS="$QEMU_CFLAGS `$pkg_config --cflags libseccomp`"
seccomp="yes" seccomp="yes"
else else
if test "$seccomp" = "yes"; then if test "$seccomp" = "yes" ; then
feature_not_found "libseccomp" "Install libseccomp devel >= 2.1.1" if test "$libseccomp_minver" != "" ; then
fi feature_not_found "libseccomp" \
seccomp="no" "Install libseccomp devel >= $libseccomp_minver"
else
feature_not_found "libseccomp" \
"libseccomp is not supported for host cpu $cpu"
fi
fi
seccomp="no"
fi fi
fi fi
########################################## ##########################################
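Review bot: In the `else` branch of the libseccomp check, a host whose libseccomp is older than `$libseccomp_minver`, or whose cpu lands in the `*)` case, still ends with `seccomp="no"` and no diagnostic unless seccomp was explicitly requested (`"$seccomp" = "yes"`), so a build can silently ship without the sandbox. A comment above the `case` would make that visible, for example `# seccomp is dropped silently if libseccomp is too old or the host cpu is unsupported; request it explicitly to turn that into an error`. The per-cpu minimums 2.1.0 and 2.2.3 are unexplained as well; a short comment on why arm/aarch64 need the newer release (presumably the cacheflush support added in the same series, to be confirmed) would help whoever next changes them. As a style point, the version should be quoted in the pkg-config call: `$pkg_config --atleast-version="$libseccomp_minver" libseccomp`.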


@ -16,6 +16,14 @@
#include <seccomp.h> #include <seccomp.h>
#include "sysemu/seccomp.h" #include "sysemu/seccomp.h"
#if SCMP_VER_MAJOR >= 3
#define HAVE_CACHEFLUSH
#elif SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 3
#define HAVE_CACHEFLUSH
#elif SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR == 2 && SCMP_VER_MICRO >= 3
#define HAVE_CACHEFLUSH
#endif
struct QemuSeccompSyscall { struct QemuSeccompSyscall {
int32_t num; int32_t num;
uint8_t priority; uint8_t priority;
@ -238,7 +246,10 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
{ SCMP_SYS(inotify_init1), 240 }, { SCMP_SYS(inotify_init1), 240 },
{ SCMP_SYS(inotify_add_watch), 240 }, { SCMP_SYS(inotify_add_watch), 240 },
{ SCMP_SYS(mbind), 240 }, { SCMP_SYS(mbind), 240 },
{ SCMP_SYS(memfd_create), 240 } { SCMP_SYS(memfd_create), 240 },
#ifdef HAVE_CACHEFLUSH
{ SCMP_SYS(cacheflush), 240 },
#endif
}; };
int seccomp_start(void) int seccomp_start(void)
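Review bot: The new `{ SCMP_SYS(cacheflush), 240 }` entry widens the set of syscalls the sandbox allows, but neither the entry nor the `HAVE_CACHEFLUSH` ladder at the top of the file says which host needs it or why 2.2.3 is the cutoff. I would add a comment above the `#if`, for example `/* SCMP_SYS(cacheflush) needs libseccomp >= 2.2.3 */` (which is what the ladder implies), and one on the entry naming the host it is for, presumably arm/aarch64 given the configure change in this series (to be confirmed). If a libseccomp header does not define the `SCMP_VER_*` macros, the preprocessor evaluates them as 0 and the entry is left out; that fails closed, but it deserves a sentence in the comment. The three branches could also be one `#if` joined with `||`, so that `#define HAVE_CACHEFLUSH` appears once. `seccomp_whitelist[]` begins outside this hunk, so the priority value 240 is only checked against the neighbouring entries shown here.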