Re: [Qemu-devel] [PATCH 4/4] Warning messages on net devices hotplug

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH 4/4] Warning messages on net devices hotplug

From:	Corey Bryant
Subject:	Re: [Qemu-devel] [PATCH 4/4] Warning messages on net devices hotplug
Date:	Wed, 24 Oct 2012 10:18:01 -0400
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20121009 Thunderbird/16.0



On 10/18/2012 11:15 AM, Paolo Bonzini wrote:

Il 17/10/2012 15:15, Eduardo Otubo ha scritto:

With the inclusion of the new "double whitelist" seccomp filter, Qemu
won't be able to execve() in runtime, thus, no hotplug net devices
allowed.

Signed-off-by: Eduardo Otubo <address@hidden>


Please check this in net_init_tap instead.  When using libvirt, hotplug
is done with a completely different mechanism that involves
file-descriptor passing and does not require executing a helper.

Paolo

Are you sure net_init_tap() is the right place for this check? We onlywant to prevent execve() after main_loop() is entered. In other wordswe want to allow execve() caused by a command line option (e.g. -nettap) but we want to prevent execve() when it is the result of a monitorcommand (e.g. netdev_add tap).

---
  hmp.c |  6 ++++++
  net.c | 13 +++++++++++++
  2 files changed, 19 insertions(+)

diff --git a/hmp.c b/hmp.c
index 70bdec2..f258338 100644
--- a/hmp.c
+++ b/hmp.c
@@ -1091,6 +1091,12 @@ void hmp_netdev_add(Monitor *mon, const QDict *qdict)
      Error *err = NULL;
      QemuOpts *opts;

+#ifdef CONFIG_SECCOMP
+    error_set(&err, ERROR_CLASS_GENERIC_ERROR,
+            "Cannot hotplug TAP device when -sandbox is in effect");
+    goto out;
+#endif
+
      opts = qemu_opts_from_qdict(qemu_find_opts("netdev"), qdict, &err);
      if (error_is_set(&err)) {
          goto out;
diff --git a/net.c b/net.c
index ae4bc0d..a652ee9 100644
--- a/net.c
+++ b/net.c
@@ -752,6 +752,12 @@ void net_host_device_add(Monitor *mon, const QDict *qdict)
      Error *local_err = NULL;
      QemuOpts *opts;

+#ifdef CONFIG_SECCOMP
+    error_set(&local_err, ERROR_CLASS_GENERIC_ERROR,
+            "Cannot hotplug TAP device when -sandbox is in effect");
+    goto out;
+#endif
+
      if (!net_host_check_device(device)) {
          monitor_printf(mon, "invalid host network device %s\n", device);
          return;
@@ -765,6 +771,7 @@ void net_host_device_add(Monitor *mon, const QDict *qdict)
      qemu_opt_set(opts, "type", device);

      net_client_init(opts, 0, &local_err);
+out:
      if (error_is_set(&local_err)) {
          qerror_report_err(local_err);
          error_free(local_err);
@@ -800,6 +807,12 @@ int qmp_netdev_add(Monitor *mon, const QDict *qdict, 
QObject **ret)
      QemuOptsList *opts_list;
      QemuOpts *opts;

+#ifdef CONFIG_SECCOMP
+    error_set(&local_err, ERROR_CLASS_GENERIC_ERROR,
+            "Cannot hotplug TAP device when -sandbox is in effect");
+    goto exit_err;
+#endif
+
      opts_list = qemu_find_opts_err("netdev", &local_err);
      if (error_is_set(&local_err)) {
          goto exit_err;


--
Regards,
Corey Bryant

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Qemu-devel] [PATCH 2/4] Setting "-sandbox on" as deafult, (continued)
- [Qemu-devel] [PATCH 3/4] Support for "double whitelist" filters, Eduardo Otubo, 2012/10/17
  - Re: [Qemu-devel] [PATCH 3/4] Support for "double whitelist" filters, Blue Swirl, 2012/10/19
    - Re: [Qemu-devel] [PATCH 3/4] Support for "double whitelist" filters, Corey Bryant, 2012/10/19
    - Re: [Qemu-devel] [PATCH 3/4] Support for "double whitelist" filters, Eric Blake, 2012/10/19
    - Re: [Qemu-devel] [PATCH 3/4] Support for "double whitelist" filters, Corey Bryant, 2012/10/19
  - Re: [Qemu-devel] [PATCH 3/4] Support for "double whitelist" filters, Corey Bryant, 2012/10/19
- [Qemu-devel] [PATCH 4/4] Warning messages on net devices hotplug, Eduardo Otubo, 2012/10/17
  - Re: [Qemu-devel] [PATCH 4/4] Warning messages on net devices hotplug, Corey Bryant, 2012/10/18
  - Re: [Qemu-devel] [PATCH 4/4] Warning messages on net devices hotplug, Paolo Bonzini, 2012/10/18
    - Re: [Qemu-devel] [PATCH 4/4] Warning messages on net devices hotplug, Corey Bryant <=
    - Re: [Qemu-devel] [PATCH 4/4] Warning messages on net devices hotplug, Corey Bryant, 2012/10/24
    - Re: [Qemu-devel] [PATCH 4/4] Warning messages on net devices hotplug, Paolo Bonzini, 2012/10/24
    - Re: [Qemu-devel] [PATCH 4/4] Warning messages on net devices hotplug, Corey Bryant, 2012/10/24
    - Re: [Qemu-devel] [PATCH 4/4] Warning messages on net devices hotplug, Paolo Bonzini, 2012/10/24
    - Re: [Qemu-devel] [PATCH 4/4] Warning messages on net devices hotplug, Corey Bryant, 2012/10/24
    - Re: [Qemu-devel] [PATCH 4/4] Warning messages on net devices hotplug, Corey Bryant, 2012/10/24
    - Re: [Qemu-devel] [PATCH 4/4] Warning messages on net devices hotplug, Paolo Bonzini, 2012/10/25
    - Re: [Qemu-devel] [PATCH 4/4] Warning messages on net devices hotplug, Corey Bryant, 2012/10/26
- Re: [Qemu-devel] [PATCH 1/4] Adding new syscalls (bugzilla 855162), Corey Bryant, 2012/10/19

Prev by Date: [Qemu-devel] [PATCH 16/32] qemu-ga: move qemu-ga files to qga/
Next by Date: [Qemu-devel] [PATCH 17/32] ui: move files to ui/ and include/ui/
Previous by thread: Re: [Qemu-devel] [PATCH 4/4] Warning messages on net devices hotplug
Next by thread: Re: [Qemu-devel] [PATCH 4/4] Warning messages on net devices hotplug
Index(es):
- Date
- Thread