[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH V1 24/26] seccomp: cpr-exec blocker
|
From: |
Steve Sistare |
|
Subject: |
[PATCH V1 24/26] seccomp: cpr-exec blocker |
|
Date: |
Mon, 29 Apr 2024 08:55:33 -0700 |
cpr-exec mode needs permission to exec. Block it if permission is denied.
Signed-off-by: Steve Sistare <steven.sistare@oracle.com>
---
include/sysemu/seccomp.h | 1 +
system/qemu-seccomp.c | 10 ++++++++--
system/vl.c | 6 ++++++
3 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h
index fe85989..023c0a1 100644
--- a/include/sysemu/seccomp.h
+++ b/include/sysemu/seccomp.h
@@ -22,5 +22,6 @@
#define QEMU_SECCOMP_SET_RESOURCECTL (1 << 4)
int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp);
+uint32_t qemu_seccomp_get_opts(void);
#endif
diff --git a/system/qemu-seccomp.c b/system/qemu-seccomp.c
index 5c20ac0..0d2a561 100644
--- a/system/qemu-seccomp.c
+++ b/system/qemu-seccomp.c
@@ -360,12 +360,18 @@ static int seccomp_start(uint32_t seccomp_opts, Error
**errp)
return rc < 0 ? -1 : 0;
}
+static uint32_t seccomp_opts;
+
+uint32_t qemu_seccomp_get_opts(void)
+{
+ return seccomp_opts;
+}
+
int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp)
{
if (qemu_opt_get_bool(opts, "enable", false)) {
- uint32_t seccomp_opts = QEMU_SECCOMP_SET_DEFAULT
- | QEMU_SECCOMP_SET_OBSOLETE;
const char *value = NULL;
+ seccomp_opts = QEMU_SECCOMP_SET_DEFAULT | QEMU_SECCOMP_SET_OBSOLETE;
value = qemu_opt_get(opts, "obsolete");
if (value) {
diff --git a/system/vl.c b/system/vl.c
index 7252100..b76881e 100644
--- a/system/vl.c
+++ b/system/vl.c
@@ -76,6 +76,7 @@
#include "hw/block/block.h"
#include "hw/i386/x86.h"
#include "hw/i386/pc.h"
+#include "migration/blocker.h"
#include "migration/cpr.h"
#include "migration/misc.h"
#include "migration/snapshot.h"
@@ -2493,6 +2494,11 @@ static void qemu_process_early_options(void)
QemuOptsList *olist = qemu_find_opts_err("sandbox", NULL);
if (olist) {
qemu_opts_foreach(olist, parse_sandbox, NULL, &error_fatal);
+ if (qemu_seccomp_get_opts() & QEMU_SECCOMP_SET_SPAWN) {
+ Error *blocker = NULL;
+ error_setg(&blocker, "-sandbox denies exec for cpr-exec");
+ migrate_add_blocker_mode(&blocker, MIG_MODE_CPR_EXEC,
&error_fatal);
+ }
}
#endif
--
1.8.3.1
- [PATCH V1 02/26] vl: helper to request re-exec, (continued)
- [PATCH V1 02/26] vl: helper to request re-exec, Steve Sistare, 2024/04/29
- [PATCH V1 01/26] oslib: qemu_clear_cloexec, Steve Sistare, 2024/04/29
- [PATCH V1 06/26] migration: precreate vmstate for exec, Steve Sistare, 2024/04/29
- [PATCH V1 11/26] migration: vmstate_register at init time, Steve Sistare, 2024/04/29
- [PATCH V1 12/26] migration: vmstate factory object, Steve Sistare, 2024/04/29
- [PATCH V1 04/26] migration: delete unused parameter mis, Steve Sistare, 2024/04/29
- [PATCH V1 03/26] migration: SAVEVM_FOREACH, Steve Sistare, 2024/04/29
- [PATCH V1 05/26] migration: precreate vmstate, Steve Sistare, 2024/04/29
- [PATCH V1 22/26] migration: ram block cpr-exec blockers, Steve Sistare, 2024/04/29
- [PATCH V1 10/26] migration: vmstate_unregister_named, Steve Sistare, 2024/04/29
- [PATCH V1 24/26] seccomp: cpr-exec blocker,
Steve Sistare <=
- [PATCH V1 09/26] migration: vmstate_register_named, Steve Sistare, 2024/04/29
- [PATCH V1 07/26] migration: VMStateId, Steve Sistare, 2024/04/29
- [PATCH V1 25/26] migration: fix mismatched GPAs during cpr-exec, Steve Sistare, 2024/04/29
- [PATCH V1 17/26] machine: memfd-alloc option, Steve Sistare, 2024/04/29
- [PATCH V1 19/26] physmem: preserve ram blocks for cpr, Steve Sistare, 2024/04/29
- [PATCH V1 26/26] migration: only-migratable-modes, Steve Sistare, 2024/04/29
- [PATCH V1 15/26] physmem: hoist host memory allocation, Steve Sistare, 2024/04/29
- [PATCH V1 14/26] physmem: hoist guest_memfd creation, Steve Sistare, 2024/04/29
- [PATCH V1 18/26] migration: cpr-exec-args parameter, Steve Sistare, 2024/04/29
- [PATCH V1 20/26] migration: cpr-exec mode, Steve Sistare, 2024/04/29