aboutsummaryrefslogtreecommitdiff
path: root/qemu-seccomp.c
diff options
context:
space:
mode:
authorPhilipp Gesang <philipp.gesang@intra2net.com>2014-09-05 18:29:31 +0200
committerEduardo Otubo <eduardo.otubo@profitbricks.com>2014-11-11 17:01:35 +0100
commitf73adec7097ebdbc7168453e638735391a6f7112 (patch)
tree269ecc21b0b76cf33ba1ceae1b8d3fa2dbcafdbe /qemu-seccomp.c
parent6e76d125f244e10676b917208f2a074729820246 (diff)
downloadqemu-f73adec7097ebdbc7168453e638735391a6f7112.zip
qemu-f73adec7097ebdbc7168453e638735391a6f7112.tar.gz
qemu-f73adec7097ebdbc7168453e638735391a6f7112.tar.bz2
seccomp: whitelist syscalls fallocate(), fadvise64(), inotify_init1() and inotify_add_watch()
fallocate() is needed for snapshotting. If it isn’t whitelisted $ qemu-img create -f qcow2 x.qcow 1G Formatting 'x.qcow', fmt=qcow2 size=1073741824 encryption=off cluster_size=65536 lazy_refcounts=off $ qemu-kvm -display none -monitor stdio -sandbox on x.qcow QEMU 2.1.50 monitor - type 'help' for more information (qemu) savevm foo (qemu) loadvm foo will fail, as will subsequent savevm commands on the same image. fadvise64(), inotify_init1(), inotify_add_watch() are needed by the SDL display. Without the whitelist entries, qemu-kvm -sandbox on fails immediately. In my tests fadvise64() is called 50--51 times per VM run. That number seems independent of the duration of the run. fallocate(), inotify_init1(), inotify_add_watch() are called once each. Accordingly, they are added to the whitelist at a very low priority. Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com> Signed-off-by: Eduardo Otubo <eduardo.otubo@profitbricks.com>
Diffstat (limited to 'qemu-seccomp.c')
-rw-r--r--qemu-seccomp.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 0503764..af6a375 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -231,7 +231,11 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
{ SCMP_SYS(shmctl), 240 },
{ SCMP_SYS(mlock), 240 },
{ SCMP_SYS(munlock), 240 },
- { SCMP_SYS(semctl), 240 }
+ { SCMP_SYS(semctl), 240 },
+ { SCMP_SYS(fallocate), 240 },
+ { SCMP_SYS(fadvise64), 240 },
+ { SCMP_SYS(inotify_init1), 240 },
+ { SCMP_SYS(inotify_add_watch), 240 }
};
int seccomp_start(void)