[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH] seccomp: whitelist syscalls fallocate(), fadvise64(
|
From: |
Philipp Gesang |
|
Subject: |
[Qemu-devel] [PATCH] seccomp: whitelist syscalls fallocate(), fadvise64(), inotify_init1() and inotify_add_watch() |
|
Date: |
Fri, 5 Sep 2014 18:29:31 +0200 |
fallocate() is needed for snapshotting. If it isn’t whitelisted
$ qemu-img create -f qcow2 x.qcow 1G
Formatting 'x.qcow', fmt=qcow2 size=1073741824 encryption=off
cluster_size=65536 lazy_refcounts=off
$ qemu-kvm -display none -monitor stdio -sandbox on x.qcow
QEMU 2.1.50 monitor - type 'help' for more information
(qemu) savevm foo
(qemu) loadvm foo
will fail, as will subsequent savevm commands on the same image.
fadvise64(), inotify_init1(), inotify_add_watch() are needed by
the SDL display. Without the whitelist entries,
qemu-kvm -sandbox on
fails immediately.
In my tests fadvise64() is called 50--51 times per VM run. That
number seems independent of the duration of the run. fallocate(),
inotify_init1(), inotify_add_watch() are called once each.
Accordingly, they are added to the whitelist at a very low
priority.
Signed-off-by: Philipp Gesang <address@hidden>
---
qemu-seccomp.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 0503764..af6a375 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -231,7 +231,11 @@ static const struct QemuSeccompSyscall seccomp_whitelist[]
= {
{ SCMP_SYS(shmctl), 240 },
{ SCMP_SYS(mlock), 240 },
{ SCMP_SYS(munlock), 240 },
- { SCMP_SYS(semctl), 240 }
+ { SCMP_SYS(semctl), 240 },
+ { SCMP_SYS(fallocate), 240 },
+ { SCMP_SYS(fadvise64), 240 },
+ { SCMP_SYS(inotify_init1), 240 },
+ { SCMP_SYS(inotify_add_watch), 240 }
};
int seccomp_start(void)
--
1.9.3
- [Qemu-devel] [PATCH] seccomp: whitelist syscalls fallocate(), fadvise64(), inotify_init1() and inotify_add_watch(),
Philipp Gesang <=