qemu: only pass -sandbox off if supported

This way we don't rely on QEMU supplying the -sandbox option
without CONFIG_SECCOMP.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>

diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 56cf16dcd1215e71d9c2a8d3194ab580945f05ee..e1f430aafe35bc7fcaf55cb58f2dc153d8387b30 100644 (file)
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -9853,7 +9853,8 @@ qemuBuildSeccompSandboxCommandLine(virCommandPtr cmd,
                                    virQEMUCapsPtr qemuCaps ATTRIBUTE_UNUSED)
 {
     if (cfg->seccompSandbox == 0) {
-        virCommandAddArgList(cmd, "-sandbox", "off", NULL);
+        if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SECCOMP_SANDBOX))
+            virCommandAddArgList(cmd, "-sandbox", "off", NULL);
         return 0;
     }