Introduce QEMU_CAPS_SECCOMP_BLACKLIST

QEMU commit 1bd6152 changed the default behavior from whitelist
to blacklist and introduced a few sets of system calls.

Use the 'elevateprivileges' parameter of -sandbox as a witness
of this change.

https://bugzilla.redhat.com/show_bug.cgi?id=1492597

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 1dae5409621ca01624c604ddb2d628ae564ae956..f379fc6d229a55fd0fd12ca9596086b8669e5e85 100644 (file)
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -468,6 +468,7 @@ VIR_ENUM_IMPL(virQEMUCaps, QEMU_CAPS_LAST,
               "virtio-tablet-ccw",
               "qcow2-luks",
               "pcie-pci-bridge",
+              "seccomp-blacklist",
     );
 
 
@@ -2419,6 +2420,7 @@ static struct virQEMUCapsCommandLineProps virQEMUCapsCommandLine[] = {
     { "machine", "loadparm", QEMU_CAPS_LOADPARM },
     { "vnc", "vnc", QEMU_CAPS_VNC_MULTI_SERVERS },
     { "chardev", "reconnect", QEMU_CAPS_CHARDEV_RECONNECT },
+    { "sandbox", "elevateprivileges", QEMU_CAPS_SECCOMP_BLACKLIST },
 };
 
 static int

diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
index 7d000b1513211eb3cb561c9ba448f0a9d86e7800..200e9106576b5d736717d1f3c95471a2eabd580c 100644 (file)
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -452,6 +452,7 @@ typedef enum {
     QEMU_CAPS_DEVICE_VIRTIO_TABLET_CCW, /* -device virtio-tablet-ccw */
     QEMU_CAPS_QCOW2_LUKS, /* qcow2 format support LUKS encryption */
     QEMU_CAPS_DEVICE_PCIE_PCI_BRIDGE, /* -device pcie-pci-bridge */
+    QEMU_CAPS_SECCOMP_BLACKLIST, /* -sandbox.elevateprivileges */
 
     QEMU_CAPS_LAST /* this must always be the last item */
 } virQEMUCapsFlags;

diff --git a/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml b/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml
index cf0648fbfd9a66d92e789e79dfff37fdc78eac11..eb6ae2f39e13dfd4bce87fd03d605ffc758831c8 100644 (file)
--- a/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml
@@ -116,6 +116,7 @@
   <flag name='virtio-mouse-ccw'/>
   <flag name='virtio-tablet-ccw'/>
   <flag name='qcow2-luks'/>
+  <flag name='seccomp-blacklist'/>
   <version>2011000</version>
   <kvmVersion>0</kvmVersion>
   <microcodeVersion>342058</microcodeVersion>

diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml b/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml
index 34055b4e71a80296d4c9a90f544ab4a3d9a964d7..65cfbf41a4ba4c3ec90bc3bd325d42a15487e137 100644 (file)
--- a/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml
@@ -154,6 +154,7 @@
   <flag name='dump-completed'/>
   <flag name='qcow2-luks'/>
   <flag name='pcie-pci-bridge'/>
+  <flag name='seccomp-blacklist'/>
   <version>2011090</version>
   <kvmVersion>0</kvmVersion>
   <microcodeVersion>342346</microcodeVersion>

diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml b/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml
index d19f35dbba06965f956d0df38d9a9600298b3eca..53c1a2a524d39f12ac79e6e2450f51cb9a2c08cf 100644 (file)
--- a/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml
@@ -151,6 +151,7 @@
   <flag name='machine.pseries.max-cpu-compat'/>
   <flag name='dump-completed'/>
   <flag name='qcow2-luks'/>
+  <flag name='seccomp-blacklist'/>
   <version>2011090</version>
   <kvmVersion>0</kvmVersion>
   <microcodeVersion>419215</microcodeVersion>

diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml b/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml
index 24220943f2d9804dd431e10b7f3afe98cf3d83b4..9523cb004d36fb9e317c8193e86a82e68abf815f 100644 (file)
--- a/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml
@@ -116,6 +116,7 @@
   <flag name='virtio-mouse-ccw'/>
   <flag name='virtio-tablet-ccw'/>
   <flag name='qcow2-luks'/>
+  <flag name='seccomp-blacklist'/>
   <version>2011090</version>
   <kvmVersion>0</kvmVersion>
   <microcodeVersion>0</microcodeVersion>

diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml
index 3d79d7f309490d12effd15fefe5a2c3a6da54ece..4a1f2191dcfbcdbf26fcee442b16a0142a600bd7 100644 (file)
--- a/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml
@@ -192,6 +192,7 @@
   <flag name='dump-completed'/>
   <flag name='qcow2-luks'/>
   <flag name='pcie-pci-bridge'/>
+  <flag name='seccomp-blacklist'/>
   <version>2011090</version>
   <kvmVersion>0</kvmVersion>
   <microcodeVersion>390060</microcodeVersion>