
Re: [Qemu-devel] [PATCH] seccomp: adding a second whitelist


From: Eduardo Otubo
Subject: Re: [Qemu-devel] [PATCH] seccomp: adding a second whitelist
Date: Fri, 30 Aug 2013 11:22:48 -0300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130621 Thunderbird/17.0.7



On 08/29/2013 05:56 AM, Paolo Bonzini wrote:
> On 29/08/2013 10:34, Stefan Hajnoczi wrote:
>> On Wed, Aug 28, 2013 at 10:04:32PM -0300, Eduardo Otubo wrote:
>>> Now there's a second whitelist, right before the vcpu starts. The second
>>> whitelist is the same as the first one, except for exec() and select().
>>
>> -netdev tap,downscript=/path/to/script requires exec() in the QEMU
>> shutdown code path.  Will this work with seccomp?
>
> It won't by design (seccomp is supposed to run with file descriptor
> passing).
>
> However, removing select() seems a bit risky.  We cannot exclude that
> external libraries are not using it instead of, say, poll.
>
> BTW, recent QEMU is using ppoll instead of poll; does the whitelist
> require an update?

It might need some update, yes. I'll run some other tests with this specific syscall and, if needed, I'll send another patch for the whitelist update.

Thanks for pointing that out, Paolo.


> Paolo


--
Eduardo Otubo
IBM Linux Technology Center
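
An added example, not part of the original message and not QEMU's code: a small Python audit of an strace-style log against two stacked whitelists, covering the three syscalls raised in the thread (exec() from the downscript, select() from libraries, ppoll). The syscall sets, the phase marker line and the sample trace are constructed for illustration; it assumes the kernel behaviour that every stacked seccomp filter must allow a syscall for it to pass.

```python
import re

# Constructed allowlists for illustration; NOT QEMU's real seccomp lists.
STAGE1 = {"read", "write", "close", "ioctl", "futex", "poll",
          "select", "execve", "exit_group"}
# The patch describes the second list as the first minus exec() and select().
STAGE2 = STAGE1 - {"execve", "select"}

MARKER = "+++ stage2 installed +++"  # hypothetical line marking the second load
# Syscall name at line start, after an optional strace -f pid prefix.
SYSCALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?([a-z_][a-z0-9_]*)\(")


def audit(trace_lines, stage1=STAGE1, stage2=STAGE2):
    """Return {phase: sorted syscall names the active filters would reject}."""
    # Stacked seccomp filters can only narrow what is permitted, so after the
    # second load a syscall must appear in both lists to get through.
    effective = {"stage1": set(stage1), "stage2": set(stage1) & set(stage2)}
    denied = {"stage1": set(), "stage2": set()}
    phase = "stage1"
    for line in trace_lines:
        if MARKER in line:
            phase = "stage2"
            continue
        match = SYSCALL_RE.match(line.strip())
        if match and match.group(1) not in effective[phase]:
            denied[phase].add(match.group(1))
    return {name: sorted(calls) for name, calls in denied.items()}


# Constructed strace-style sample, not captured from a real QEMU run.
SAMPLE = """\
ioctl(9, KVM_CREATE_VM, 0) = 10
select(5, [4], NULL, NULL, NULL) = 1
+++ stage2 installed +++
ppoll([{fd=4, events=POLLIN}], 1, NULL, NULL, 8) = 1
[pid 4242] ioctl(11, KVM_RUN, 0) = 0
select(5, [4], NULL, NULL, NULL) = 1
execve("/path/to/script", ["/path/to/script", "tap0"], NULL) = 0
exit_group(0) = ?
""".splitlines()

if __name__ == "__main__":
    for phase, names in audit(SAMPLE).items():
        print(f"{phase}: would be rejected: {', '.join(names) or 'none'}")
```

Because the filters stack, adding ppoll only to the second list leaves it rejected in this model; it has to appear in both.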



