Commit Graph

4 Commits

Author SHA1 Message Date
Paul Moore
fd21faadb1 seccomp: add the asynchronous I/O syscalls to the whitelist
In order to enable the asynchronous I/O functionality when using the
seccomp sandbox we need to add the associated syscalls to the
whitelist.

Signed-off-by: Paul Moore <pmoore@redhat.com>
Reviewed-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
Message-id: 20130529203001.20939.83322.stgit@localhost
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-05-30 11:46:07 -05:00
Paolo Bonzini
9c17d615a6 softmmu: move include files to include/sysemu/
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-12-19 08:32:45 +01:00
Eduardo Otubo
fe512d65e0 seccomp: adding new syscalls (bugzilla 855162)
According to the bug 855162[0] - there's the need of adding new syscalls
to the whitelist when using Qemu with Libvirt.

[0] - https://bugzilla.redhat.com/show_bug.cgi?id=855162

Reported-by: Paul Moore <pmoore@redhat.com>
Tested-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2012-11-30 08:27:27 -06:00
Eduardo Otubo
2f668be775 Adding qemu-seccomp.[ch] (v8)
Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
---
v1:
 - I added a syscall struct using priority levels as described in the
   libseccomp man page. The priority numbers are based to the frequency
   they appear in a sample strace from a regular qemu guest run under
   libvirt.

   Libseccomp generates linear BPF code to filter system calls, those rules
   are read one after another. The priority system places the most common
   rules first in order to reduce the overhead when processing them.

v1 -> v2:
 - Fixed some style issues
 - Removed code from vl.c and created qemu-seccomp.[ch]
 - Now using ARRAY_SIZE macro
 - Added more syscalls without priority/frequency set yet

v2 -> v3:
 - Adding copyright and license information
 - Replacing seccomp_whitelist_count just by ARRAY_SIZE
 - Adding header protection to qemu-seccomp.h
 - Moving QemuSeccompSyscall definition to qemu-seccomp.c
 - Negative return from seccomp_start is fatal now.
 - Adding open() and execve() to the whitelis

v3 -> v4:
 - Tests revealed a bigger set of syscalls.
 - seccomp_start() now has an argument to set the mode according to the
   configure option trap or kill.

v4 -> v5:
 - Tests on x86_64 required a new specific set of system calls.
 - libseccomp release 1.0.0: part of the API have changed in this last
   release, had to adapt to the new function signatures.
2012-08-16 13:41:16 -05:00