On Fri, Sep 5, 2014 at 6:29 PM, Philipp Gesang <philipp.ges...@intra2net.com> wrote:
> fallocate() is needed for snapshotting. If it isn't whitelisted
>
> $ qemu-img create -f qcow2 x.qcow 1G
> Formatting 'x.qcow', fmt=qcow2 size=1073741824 encryption=off
> cluster_size=65536 lazy_refcounts=off
> $ qemu-kvm -display none -monitor stdio -sandbox on x.qcow
> QEMU 2.1.50 monitor - type 'help' for more information
> (qemu) savevm foo
> (qemu) loadvm foo
>
> will fail, as will subsequent savevm commands on the same image.
>
> fadvise64(), inotify_init1(), inotify_add_watch() are needed by
> the SDL display. Without the whitelist entries,
>
> qemu-kvm -sandbox on
>
> fails immediately.
>
> In my tests fadvise64() is called 50--51 times per VM run. That
> number seems independent of the duration of the run. fallocate(),
> inotify_init1(), inotify_add_watch() are called once each.
> Accordingly, they are added to the whitelist at a very low
> priority.
Just realized my ACK was just for you not the list, so: ACK. I just had some major problems last week that are still open, so I'll try to manage a pull request ASAP. Sorry for the delay. Thanks for the patch.

> Signed-off-by: Philipp Gesang <philipp.ges...@intra2net.com>
> ---
>  qemu-seccomp.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/qemu-seccomp.c b/qemu-seccomp.c
> index 0503764..af6a375 100644
> --- a/qemu-seccomp.c
> +++ b/qemu-seccomp.c
> @@ -231,7 +231,11 @@ static const struct QemuSeccompSyscall
> seccomp_whitelist[] = {
>      { SCMP_SYS(shmctl), 240 },
>      { SCMP_SYS(mlock), 240 },
>      { SCMP_SYS(munlock), 240 },
> -    { SCMP_SYS(semctl), 240 }
> +    { SCMP_SYS(semctl), 240 },
> +    { SCMP_SYS(fallocate), 240 },
> +    { SCMP_SYS(fadvise64), 240 },
> +    { SCMP_SYS(inotify_init1), 240 },
> +    { SCMP_SYS(inotify_add_watch), 240 }
>  };
>
>  int seccomp_start(void)
> --
> 1.9.3
>

--
Eduardo Otubo
ProfitBricks
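Review bot: all four new entries get priority 240 even though the commit message measured fadvise64() at 50--51 calls per VM run against one call each for fallocate(), inotify_init1() and inotify_add_watch(); since the priority column is what the message itself uses to reflect call frequency, consider giving fadvise64 a value above the three single-call entries, or say in the commit message why a uniform 240 is intended. The per-syscall rationale (fallocate for savevm/loadvm, fadvise64 and the inotify pair for the SDL display) lives only in the commit message; a one-line comment next to the new entries would help whoever audits this whitelist later decide whether an entry is still needed, e.g. when SDL is not built in. The trailing-comma change on the semctl line is fine and keeps future additions to single-line diffs.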