qemu: add capability flag for seccomp sandbox

This series adds support to run QEMU with seccomp sandbox enabled. It can be
configured in qemu.conf to on, off, or the QEMU default, which is off in 1.2.
Default value is the QEMU default.

diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index edfe1e7653ce6f75bc04a40e1483c09c2be75114..278b5509450a84d66858f7868b62dcbc824003bb 100644 (file)
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -179,6 +179,7 @@ VIR_ENUM_IMPL(qemuCaps, QEMU_CAPS_LAST,
               "usb-redir.filter",
               "ide-drive.wwn",
               "scsi-disk.wwn",
+              "seccomp-sandbox",
     );
 
 struct _qemuCaps {
@@ -1199,6 +1200,8 @@ qemuCapsComputeCmdFlags(const char *help,
     }
     if (strstr(help, "-smbios type"))
         qemuCapsSet(caps, QEMU_CAPS_SMBIOS_TYPE);
+    if (strstr(help, "-sandbox"))
+        qemuCapsSet(caps, QEMU_CAPS_SECCOMP_SANDBOX);
 
     if ((netdev = strstr(help, "-netdev"))) {
         /* Disable -netdev on 0.12 since although it exists,

diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
index fb1841a97367083cb73ddb46131b222bc55c2f8d..4da2a292e2b7d1ae324bd4fc005bc4c748157579 100644 (file)
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -144,6 +144,7 @@ enum qemuCapsFlags {
     QEMU_CAPS_USB_REDIR_FILTER   = 106, /* usb-redir.filter */
     QEMU_CAPS_IDE_DRIVE_WWN      = 107, /* Is ide-drive.wwn available? */
     QEMU_CAPS_SCSI_DISK_WWN      = 108, /* Is scsi-disk.wwn available? */
+    QEMU_CAPS_SECCOMP_SANDBOX    = 109, /* -sandbox */
 
     QEMU_CAPS_LAST,                   /* this must always be the last item */
 };