aboutsummaryrefslogtreecommitdiff
path: root/qemu-seccomp.c
diff options
context:
space:
mode:
authorEduardo Otubo <otubo@redhat.com>2017-03-13 22:16:01 +0100
committerEduardo Otubo <otubo@redhat.com>2017-09-15 10:15:06 +0200
commit995a226f880b807e05240e8752d6ce65679775be (patch)
tree52c583395208ab69f6deb0bed685aeb3eefefbe0 /qemu-seccomp.c
parent73a1e647256b09734ce64ef7a6001a0db03f7106 (diff)
downloadqemu-995a226f880b807e05240e8752d6ce65679775be.zip
qemu-995a226f880b807e05240e8752d6ce65679775be.tar.gz
qemu-995a226f880b807e05240e8752d6ce65679775be.tar.bz2
seccomp: add spawn argument to command line
This patch adds [,spawn=deny] argument to `-sandbox on' option. It blacklists fork and execve system calls, avoiding Qemu to spawn new threads or processes. Signed-off-by: Eduardo Otubo <otubo@redhat.com>
Diffstat (limited to 'qemu-seccomp.c')
-rw-r--r--qemu-seccomp.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 978d66b..f3878a5 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -78,6 +78,10 @@ static const struct QemuSeccompSyscall blacklist[] = {
{ SCMP_SYS(setresgid), QEMU_SECCOMP_SET_PRIVILEGED },
{ SCMP_SYS(setfsuid), QEMU_SECCOMP_SET_PRIVILEGED },
{ SCMP_SYS(setfsgid), QEMU_SECCOMP_SET_PRIVILEGED },
+ /* spawn */
+ { SCMP_SYS(fork), QEMU_SECCOMP_SET_SPAWN },
+ { SCMP_SYS(vfork), QEMU_SECCOMP_SET_SPAWN },
+ { SCMP_SYS(execve), QEMU_SECCOMP_SET_SPAWN },
};