-offs, etc. please make it
elsewhere.
Apart from that, I would like to apologise for the time taken and all
the problems involved. I've been through some personal issues lately.
Won't happen again.
Regards,
--
Eduardo Otubo
IBM Linux Technology Center
On 04/14/2014 03:00 PM, Eduardo Otubo wrote:
From: Felix Geyer de...@fobos.de
libusb calls timerfd_create() and timerfd_settime() when it's built with
timerfd support.
Command to reproduce:
-device usb-host,hostbus=1,hostaddr=3,id=hostdev0
Log messages:
audit(1390730418.924:135
The following changes since commit 750036a848ea913ba6343718ffa70da98f7eef6b:
Merge remote-tracking branch 'remotes/afaerber/tags/prep-for-upstream' into
staging (2014-03-12 17:53:37 +)
are available in the git repository at:
git://github.com/otubo/qemu.git seccomp
for you to fetch
stdio -sandbox on \
-device intel-hda -device hda-duplex
Signed-off-by: Paul Moore pmo...@redhat.com
Signed-off-by: Eduardo Otubo ot...@linux.vnet.ibm.com
Acked-by: Eduardo Otubo ot...@linux.vnet.ibm.com
---
qemu-seccomp.c |5 -
1 files changed, 4 insertions(+), 1 deletions(-)
diff
ioctl
704023 timerfd_settime
689105 poll
83122 futex
803 writev
476 rt_sigprocmask
287 recvmsg
178 brk
Signed-off-by: Felix Geyer de...@fobos.de
Signed-off-by: Eduardo Otubo ot...@linux.vnet.ibm.com
Acked-by: Eduardo Otubo ot...@linux.vnet.ibm.com
---
qemu
On 03/24/2014 03:13 PM, Paul Moore wrote:
On Thursday, March 13, 2014 10:42:42 AM Eduardo Otubo wrote:
The following changes since commit 750036a848ea913ba6343718ffa70da98f7eef6b:
Merge remote-tracking branch 'remotes/afaerber/tags/prep-for-upstream'
into staging (2014-03-12 17:53:37 +
The following changes since commit 750036a848ea913ba6343718ffa70da98f7eef6b:
Merge remote-tracking branch 'remotes/afaerber/tags/prep-for-upstream' into
staging (2014-03-12 17:53:37 +)
are available in the git repository at:
git://github.com/otubo/qemu.git seccomp
Felix Geyer (1):
stdio -sandbox on \
-device intel-hda -device hda-duplex
Signed-off-by: Paul Moore pmo...@redhat.com
Acked-by: Eduardo Otubo ot...@linux.vnet.ibm.com
---
qemu-seccomp.c |5 -
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 46554bd
ioctl
704023 timerfd_settime
689105 poll
83122 futex
803 writev
476 rt_sigprocmask
287 recvmsg
178 brk
Signed-off-by: Felix Geyer de...@fobos.de
Acked-by: Eduardo Otubo ot...@linux.vnet.ibm.com
---
qemu-seccomp.c |4 +++-
1 files changed, 3 insertions
tendinitis and
was unable to use a computer for the last week. :(
I ACK this patch and I'll create a pull request by friday EOD if nothing
else comes up.
--
Eduardo Otubo
IBM Linux Technology Center
The following changes since commit 2f61120c10da9128357510debc8e66880cd2bfdc:
Merge remote-tracking branch 'qmp-unstable/queue/qmp' into staging
(2014-02-01 23:32:31 +)
are available in the git repository at:
git://github.com/otubo/qemu.git seccomp
Felix Geyer (1):
seccomp: add
...@redhat.com
Signed-off-by: Paul Moore pmo...@redhat.com
Acked-by: Eduardo Otubo ot...@linux.vnet.ibm.com
---
qemu-seccomp.c |1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 69cee44..cf07869 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
), 240 },
{ SCMP_SYS(shmat), 240 },
-{ SCMP_SYS(shmdt), 240 }
+{ SCMP_SYS(shmdt), 240 },
+{ SCMP_SYS(timerfd_create), 240 }
};
int seccomp_start(void)
ACK
--
Eduardo Otubo
IBM Linux Technology Center
(shmdt), 240 },
+{ SCMP_SYS(timerfd_create), 240 },
+{ SCMP_SYS(timerfd_settime), 240 }
Did you deliberately set the priority to 240? Or did you run any sort of
benchmark (strace) to find this value?
Regards,
--
Eduardo Otubo
IBM Linux Technology Center
On 01/28/2014 04:03 PM, Felix Geyer wrote:
On 28.01.2014 14:00, Eduardo Otubo wrote:
On 01/26/2014 10:21 AM, Felix Geyer wrote:
libusb calls timerfd_create() and timerfd_settime() when it's built with
timerfd support.
Command to reproduce:
qemu -sandbox on -monitor stdio -device piix3-usb
-monitor stdio -device intel-hda -device hda-duplex
If watched under strace the following syscalls are shown:
mkdir(/run/user/0/pulse, 0700)
fchmod(11, 0700) [NOTE: 11 is the fd for /run/user/0/pulse]
Reported-by: xu...@redhat.com
Signed-off-by: Paul Moore pmo...@redhat.com
Acked-by: Eduardo
The following changes since commit 1cf892ca2689c84960b4ce4d2723b6bee453711c:
SPARC: Fix LEON3 power down instruction (2014-01-15 15:37:33 +1000)
are available in the git repository at:
git://github.com/otubo/qemu.git seccomp
Paul Moore (2):
seccomp: add mkdir() and fchmod() to the
From: Paul Moore pmo...@redhat.com
PulseAudio requires the use of shared memory so add shmget(), shmat(),
and shmdt() to the syscall whitelist.
Reported-by: xu...@redhat.com
Signed-off-by: Paul Moore pmo...@redhat.com
Acked-by: Eduardo Otubo ot...@linux.vnet.ibm.com
---
qemu-seccomp.c |5
},
{ SCMP_SYS(mkdir), 240 },
-{ SCMP_SYS(fchmod), 240 }
+{ SCMP_SYS(fchmod), 240 },
+{ SCMP_SYS(shmget), 240 },
+{ SCMP_SYS(shmat), 240 },
+{ SCMP_SYS(shmdt), 240 }
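Review bot: the three shm entries appended at the end of the table (shmget, shmat, shmdt) carry no comment saying which feature needs them, and the same holds for mkdir and fchmod just above. Each entry widens what a sandboxed QEMU may call, so a short comment per group naming the consumer (the commit message names PulseAudio for the shm calls) would let a later whitelist cleanup tell which entries can go when that backend is not in use.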
ACK.
--
Eduardo Otubo
IBM Linux Technology Center
to the whitelist
qemu-seccomp.c |7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
Paul, sorry for the so late review. I was on vacation until yesterday
and I'm still trying to empty my inbox.
--
Eduardo Otubo
IBM Linux Technology Center
},
+{ SCMP_SYS(fchmod), 240 }
ACK.
--
Eduardo Otubo
IBM Linux Technology Center
be wrong?
perhaps interestingly package qemu-1.2.0-22.fc19.src.rpm
rpmbuild-compiles fine
best regards
--
Eduardo Otubo
IBM Linux Technology Center
The following changes since commit 2a13f991123fa16841e6d94b02a9cc2c76d91725:
seccomp: exit if seccomp_init() fails (2013-12-20 16:38:29 -0200)
are available in the git repository at:
git://github.com/otubo/qemu.git seccomp
Corey Bryant (1):
seccomp: exit if seccomp_init() fails
From: Corey Bryant cor...@linux.vnet.ibm.com
This fixes a bug where we weren't exiting if seccomp_init() failed.
Signed-off-by: Corey Bryant cor...@linux.vnet.ibm.com
Acked-by: Eduardo Otubo ot...@linux.vnet.ibm.com
Acked-by: Paul Moore pmo...@redhat.com
---
qemu-seccomp.c |1 +
1 files
..b7c1253 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -231,6 +231,7 @@ int seccomp_start(void)
ctx = seccomp_init(SCMP_ACT_KILL);
if (ctx == NULL) {
+rc = -1;
goto seccomp_return;
}
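Review bot: in the ctx == NULL branch the new rc = -1 is a bare literal; if seccomp_return hands rc back to the caller as a negative errno, -1 reads as -EPERM. A named errno value, or a one-line comment that seccomp_init() reports no error code of its own, would make the choice explicit.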
ACK.
Reviewed-by: Eduardo Otubo ot...@linux.vnet.ibm.com
--
Eduardo Otubo
distro will have audit log
working properly, I can start working on some support for virt-test to
detect if the host machine has support for seccomp or if the Qemu binary
has this feature built in.
Again, sorry for the mess. Please disregard this patch.
--
Eduardo Otubo
IBM Linux Technology
with sandbox support: Libseccomp will fail - qemu will fail
nicely and won't stop execution.
2) Host kernel has support but Qemu package wasn't built with sandbox
feature. Qemu will fail nicely and won't stop execution.
Signed-off-by: Eduardo Otubo ot...@linux.vnet.ibm.com
---
vl.c | 10
On 12/09/2013 03:33 PM, Daniel P. Berrange wrote:
On Mon, Dec 09, 2013 at 03:20:52PM -0200, Eduardo Otubo wrote:
This option was requested by virt-test team so they can run tests with
Qemu and -sandbox on set without breaking whole test if host doesn't
have support for seccomp in kernel
this is likely the next big
improvement.
That's the feature I'm currently working on right now. We'll see some
improvements in the future. :)
--
Eduardo Otubo
IBM Linux Technology Center
goal here is to use virt-test and audit log to eliminate
these sorts of things.
--
Eduardo Otubo
IBM Linux Technology Center
...@redhat.com
Signed-off-by: Paul Moore pmo...@redhat.com
Acked-by: Eduardo Otubo ot...@linux.vnet.ibm.com
---
qemu-seccomp.c |1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 69cee44..cf07869 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
Anthony,
The following changes since commit 7dc65c02fe3fb8f3146ce0b9ff5fec5945329f0e:
Open 2.0 development tree (2013-11-27 14:02:45 -0800)
are available in the git repository at:
git://github.com/otubo/qemu.git seccomp
Paul Moore (1):
seccomp: add kill() to the syscall whitelist
send a pull request tomorrow EOD)
Reviewed-by: Eduardo Otubo ot...@linux.vnet.ibm.com
--
Eduardo Otubo
IBM Linux Technology Center
On 11/21/2013 01:48 PM, Paul Moore wrote:
On Thursday, November 21, 2013 04:14:11 PM Paolo Bonzini wrote:
On 30/10/2013 11:04, Stefan Hajnoczi wrote:
On Wed, Oct 23, 2013 at 12:42:34PM -0200, Eduardo Otubo wrote:
On 10/22/2013 11:00 AM, Anthony Liguori wrote:
On Tue, Oct 22, 2013
On 10/22/2013 11:00 AM, Anthony Liguori wrote:
On Tue, Oct 22, 2013 at 12:21 PM, Eduardo Otubo
ot...@linux.vnet.ibm.com wrote:
Inverting the way sandbox handles arguments, making possible to have no
argument and still have '-sandbox on' enabled.
Signed-off-by: Eduardo Otubo ot
Inverting the way sandbox handles arguments, making possible to have no
argument and still have '-sandbox on' enabled.
Signed-off-by: Eduardo Otubo ot...@linux.vnet.ibm.com
---
The option '-sandbox on' is now used by default by virt-test[0] -- it has been
merged into the 'next' branch
On 10/08/2013 11:05 PM, Eric Blake wrote:
On 10/08/2013 06:42 PM, Eduardo Otubo wrote:
v3: The -netdev tap option is checked in the vl.c file during the
process of the command line argument list. It sets tap_enabled to true
or false according to the configuration found. Later at the seccomp
On 10/08/2013 09:42 PM, Eduardo Otubo wrote:
v3: The options for blacklist in the command line also checks the
existence of -netdev tap, leaving a warning message in a positive
case.
New command line options for the seccomp blacklist feature:
$ qemu -sandbox on[,strict=on|off]
The strict
On 09/11/2013 01:56 PM, Corey Bryant wrote:
On 09/06/2013 03:21 PM, Eduardo Otubo wrote:
1) On qemu-seccomp.c:255, the variable ctx was being used
uninitialized; now it's initialized with NULL and it's being checked at
the end of the function.
2) Changed the name of the command line
a system call blacklist right before the vcpus starts. This
filter is composed by the system calls that can't be executed after the
guests are up. This list should be refined as whitelist is, with as much
testing as we can do using virt-test.
Signed-off-by: Eduardo Otubo ot...@linux.vnet.ibm.com
blacklist
Signed-off-by: Eduardo Otubo ot...@linux.vnet.ibm.com
---
qemu-options.hx | 8 +---
vl.c| 17 -
2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/qemu-options.hx b/qemu-options.hx
index d15338e..05485e1 100644
--- a/qemu-options.hx
+++ b
1) On qemu-seccomp.c:255, the variable ctx was being used
uninitialized; now it's initialized with NULL and it's being checked at
the end of the function.
2) Changed the name of the command line option from enable to
sandbox for a better understanding from user side.
Signed-off-by: Eduardo
in their own commit messages.
The environment in which the second whitelist is installed seems to need less
system calls than the first, so the procedure here will be the same: Keep
testing with virt-test and get to the smallest list as possible.
Eduardo Otubo (3):
seccomp: adding blacklist
From: Eduardo Otubo ot...@linux.vnet.ibm.com
This was causing Qemu process to hang when using -sandbox on as
described on RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1004175
Signed-off-by: Eduardo Otubo ot...@linux.vnet.ibm.com
Tested-by: Paul Moore pmo...@redhat.com
Acked-by: Paul Moore
Anthony,
The following changes since commit f828a4c8faa118e0ebab3e353ac6840f3b2a0318:
Merge remote-tracking branch 'stefanha/tracing' into staging (2013-09-23
11:53:22 -0500)
are available in the git repository at:
git://github.com/otubo/qemu.git seccomp
Eduardo Otubo (1):
seccomp
On 09/13/2013 11:45 AM, Paul Moore wrote:
On Wednesday, September 04, 2013 10:11:10 AM Paul Moore wrote:
On Wednesday, September 04, 2013 09:25:08 AM Eduardo Otubo wrote:
This was causing Qemu process to hang when using -sandbox on.
Related RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id
On 09/23/2013 04:53 PM, Paul Moore wrote:
On Wednesday, September 04, 2013 10:11:10 AM Paul Moore wrote:
On Wednesday, September 04, 2013 09:25:08 AM Eduardo Otubo wrote:
This was causing Qemu process to hang when using -sandbox on.
Related RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id
On 09/11/2013 01:49 PM, Daniel P. Berrange wrote:
On Wed, Sep 11, 2013 at 12:45:54PM -0400, Corey Bryant wrote:
On 09/06/2013 03:21 PM, Eduardo Otubo wrote:
New command line options for the seccomp blacklist feature:
$ qemu -sandbox on[,strict=on|off]
The strict parameter will turn
On 09/17/2013 11:43 AM, Paul Moore wrote:
On Tuesday, September 17, 2013 02:06:06 PM Daniel P. Berrange wrote:
On Tue, Sep 17, 2013 at 10:01:23AM -0300, Eduardo Otubo wrote:
Paul, what exactly are you planning to add to libvirt? I'm not a big
fan of using qemu command line to pass syscalls
On 09/17/2013 02:14 PM, Eduardo Otubo wrote:
On 09/17/2013 11:43 AM, Paul Moore wrote:
On Tuesday, September 17, 2013 02:06:06 PM Daniel P. Berrange wrote:
On Tue, Sep 17, 2013 at 10:01:23AM -0300, Eduardo Otubo wrote:
Paul, what exactly are you planning to add to libvirt? I'm not a big
On 09/17/2013 04:17 PM, Corey Bryant wrote:
On 09/17/2013 01:14 PM, Eduardo Otubo wrote:
On 09/17/2013 11:43 AM, Paul Moore wrote:
On Tuesday, September 17, 2013 02:06:06 PM Daniel P. Berrange wrote:
On Tue, Sep 17, 2013 at 10:01:23AM -0300, Eduardo Otubo wrote:
Paul, what exactly
On 09/09/2013 09:36 AM, Paul Moore wrote:
On Monday, September 09, 2013 12:38:12 PM Paolo Bonzini wrote:
On 06/09/2013 20:41, Eduardo Otubo wrote:
Hello,
Any chance to get this patch applied?
Thanks!
Paul, perhaps you can add yourself to MAINTAINERS and send a pull request
Add myself to the MAINTAINERS file. I'll be looking at qemu-seccomp.c
and include/sysemu/seccomp.h.
Signed-off-by: Eduardo Otubo ot...@linux.vnet.ibm.com
---
As discussed in previous threads, I'm including myself to the MAINTAINERS file
so I can take care of the sandbox feature in Qemu
Hello,
Any chance to get this patch applied?
Thanks!
On 09/04/2013 11:11 AM, Paul Moore wrote:
On Wednesday, September 04, 2013 09:25:08 AM Eduardo Otubo wrote:
This was causing Qemu process to hang when using -sandbox on.
Related RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id
New command line options for the seccomp blacklist feature:
$ qemu -sandbox on[,strict=on|off]
The strict parameter will turn on or off the new system call blacklist
Signed-off-by: Eduardo Otubo ot...@linux.vnet.ibm.com
---
qemu-options.hx | 8 +---
vl.c| 11 ++-
2
and do not
cause any damage to the general execution.
The environment in which the second whitelist is installed seems to need less
system calls than the first, so the procedure here will be the same: Keep
testing with virt-test and get to the smallest list as possible.
Eduardo Otubo (3):
seccomp
Adding a system call blacklist right before the vcpus starts. This filter is
composed by the system calls that can't be executed after the guests are up.
This list should be refined as the whitelist is, with as much testing as we can
do using virt-test.
Signed-off-by: Eduardo Otubo ot
1) On qemu-seccomp.c:255, the variable ctx was being used
uninitialized; now it's initialized with NULL and it's being checked at
the end of the function.
2) Changed the name of the command line option from enable to
sandbox for a better understanding from user side.
Signed-off-by: Eduardo
This was causing Qemu process to hang when using -sandbox on.
Related RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1004175
Signed-off-by: Eduardo Otubo ot...@linux.vnet.ibm.com
---
qemu-seccomp.c |1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/qemu-seccomp.c b/qemu
On 09/03/2013 03:02 PM, Corey Bryant wrote:
On 08/30/2013 10:21 AM, Eduardo Otubo wrote:
On 08/29/2013 05:34 AM, Stefan Hajnoczi wrote:
On Wed, Aug 28, 2013 at 10:04:32PM -0300, Eduardo Otubo wrote:
Now there's a second whitelist, right before the vcpu starts. The
second
whitelist
On 09/03/2013 03:21 PM, Paul Moore wrote:
On Tuesday, September 03, 2013 02:08:28 PM Corey Bryant wrote:
On 09/03/2013 02:02 PM, Corey Bryant wrote:
On 08/30/2013 10:21 AM, Eduardo Otubo wrote:
On 08/29/2013 05:34 AM, Stefan Hajnoczi wrote:
On Wed, Aug 28, 2013 at 10:04:32PM -0300, Eduardo
On 08/29/2013 05:34 AM, Stefan Hajnoczi wrote:
On Wed, Aug 28, 2013 at 10:04:32PM -0300, Eduardo Otubo wrote:
Now there's a second whitelist, right before the vcpu starts. The second
whitelist is the same as the first one, except for exec() and select().
-netdev tap,downscript=/path
On 08/29/2013 05:56 AM, Paolo Bonzini wrote:
On 29/08/2013 10:34, Stefan Hajnoczi wrote:
On Wed, Aug 28, 2013 at 10:04:32PM -0300, Eduardo Otubo wrote:
Now there's a second whitelist, right before the vcpu starts. The second
whitelist is the same as the first one, except for exec
On 08/29/2013 09:56 AM, Paul Moore wrote:
On Wednesday, August 28, 2013 10:04:32 PM Eduardo Otubo wrote:
Now there's a second whitelist, right before the vcpu starts. The second
whitelist is the same as the first one, except for exec() and select().
Signed-off-by: Eduardo Otubo ot
Now there's a second whitelist, right before the vcpu starts. The second
whitelist is the same as the first one, except for exec() and select().
Signed-off-by: Eduardo Otubo ot...@linux.vnet.ibm.com
---
The second whitelist is installed right before the vcpu starts, it contains all
the system
Any chance to get it pushed for 1.6? Thanks.
On 07/23/2013 04:43 AM, Paolo Bonzini wrote:
On 22/07/2013 20:33, Eduardo Otubo wrote:
In this small patch series I basically:
v3 update:
- reincluded getrlimit(), it's used by Xen.
v2 update:
- set libseccomp 2.1.0 as requirement
/sbin/brctl addif switch $1
Signed-off-by: Paul Moore pmo...@redhat.com
As with the other fix, a gentle nudge so this isn't forgotten.
Reviewed and tested.
Reviewed-by: Eduardo Otubo ot...@linux.vnet.ibm.com
---
qemu-seccomp.c |3 ++-
1 file changed, 2 insertions(+), 1 deletion
this by
adding the two missing asynchronous I/O syscalls.
Signed-off-by: Paul Moore pmo...@redhat.com
A gentle nudge so this fix doesn't get forgotten.
Reviewed and tested.
Reviewed-by: Eduardo Otubo ot...@linux.vnet.ibm.com
---
qemu-seccomp.c |2 ++
1 file changed, 2 insertions
v2 update:
- set libseccomp 2.1.0 as requirement on configure script.
Since libseccomp 2.0 there's no need to check the architecture type
anymore.
Signed-off-by: Eduardo Otubo ot...@linux.vnet.ibm.com
---
configure | 2 +-
qemu-seccomp.c | 13 -
2 files changed, 1 insertion
weeks testing I could come up with this small list,
and safely remove them without breaking anything.
[0] - https://github.com/autotest/virt-test/wiki
Eduardo Otubo (2):
seccomp: no need to check arch in syscall whitelist
seccomp: removing unused syscalls gtom whitelist
configure | 2
v3 update:
- reincluding getrlimit(), it is used by Xen.
v2 update:
- reincluding setrlimit(), it is used by Xen.
Signed-off-by: Eduardo Otubo ot...@linux.vnet.ibm.com
---
qemu-seccomp.c | 4
1 file changed, 4 deletions(-)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 1d5fd71
Ended up my tests were inconclusive. So removing this one from this patch.
Resubmitted a v3 without it.
Thanks for pointing that.
On 07/16/2013 02:49 PM, Paolo Bonzini wrote:
On 16/07/2013 19:45, Eduardo Otubo wrote:
-{ SCMP_SYS(ugetrlimit), 241 },
Xen uses getrlimit, not sure
On 07/18/2013 01:28 PM, Anthony Liguori wrote:
Eduardo Otubo ot...@linux.vnet.ibm.com writes:
Hello all,
In this small patch series I basically:
Cover letter should be marked [PATCH 0/2]. Otherwise it defeats
filtering.
Would like to see a Reviewed-by from someone before applying
On 07/15/2013 03:55 PM, Paul Moore wrote:
On Monday, July 15, 2013 02:29:37 PM Eduardo Otubo wrote:
Since libseccomp 2.0 there's no need to check the architecture type
anymore.
Signed-off-by: Eduardo Otubo ot...@linux.vnet.ibm.com
---
qemu-seccomp.c | 13 -
1 file changed, 13
On 07/15/2013 05:57 PM, Paolo Bonzini wrote:
On 15/07/2013 19:29, Eduardo Otubo wrote:
Signed-off-by: Eduardo Otubo ot...@linux.vnet.ibm.com
---
qemu-seccomp.c | 6 --
1 file changed, 6 deletions(-)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 1d5fd71..bfd372a 100644
Hello all,
In this small patch series I basically:
v2 update:
- set libseccomp 2.1.0 as requirement on configure script.
- removed setrlimit and added sendfile64 to the whitelist.
1) Remove the ifdef's for the (not so) new libseccomp version that does
a
best effort and
v2 update:
- set libseccomp 2.1.0 as requirement on configure script.
Since libseccomp 2.0 there's no need to check the architecture type
anymore.
Signed-off-by: Eduardo Otubo ot...@linux.vnet.ibm.com
---
configure |2 +-
qemu-seccomp.c | 13 -
2 files changed, 1
Signed-off-by: Eduardo Otubo ot...@linux.vnet.ibm.com
---
qemu-seccomp.c |6 --
1 files changed, 0 insertions(+), 6 deletions(-)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 1d5fd71..c44f0d8 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -108,7 +108,6 @@ static const struct
On 07/16/2013 02:49 PM, Paolo Bonzini wrote:
On 16/07/2013 19:45, Eduardo Otubo wrote:
-{ SCMP_SYS(ugetrlimit), 241 },
Xen uses getrlimit, not sure what this one is. Perhaps glibc's wrapper
calls it?
It seems to be a glibc's wrapper, yes. Removing it anyway.
Why if Xen uses
Signed-off-by: Eduardo Otubo ot...@linux.vnet.ibm.com
---
qemu-seccomp.c | 6 --
1 file changed, 6 deletions(-)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 1d5fd71..bfd372a 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -108,7 +108,6 @@ static const struct QemuSeccompSyscall
Since libseccomp 2.0 there's no need to check the architecture type
anymore.
Signed-off-by: Eduardo Otubo ot...@linux.vnet.ibm.com
---
qemu-seccomp.c | 13 -
1 file changed, 13 deletions(-)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index ca123bf..1d5fd71 100644
--- a/qemu
Hello all,
In this small patch series I basically:
1) Remove the ifdef's for the (not so) new libseccomp version that does
a
best effort and translates x86_32 syscalls into x86_64 when possible.
2) Remove unused syscalls on the seccomp whitelist. For that removal, I've
been
Sorry for the problem on my keyboard:
on the subject, please do s/gtom/from
On 07/15/2013 02:29 PM, Eduardo Otubo wrote:
Signed-off-by: Eduardo Otubo ot...@linux.vnet.ibm.com
---
qemu-seccomp.c | 6 --
1 file changed, 6 deletions(-)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index
[-Werror=old-style-declaration]
cc1: all warnings being treated as errors
make: *** [audio/mixeng.o] Error 1
--
Eduardo Otubo
IBM Linux Technology Center
://pastebin.com/sXN8TYew
Thanks,
--
Eduardo Otubo
IBM Linux Technology Center
. Wouldn't this be a good
time to, perhaps, just think about a signal handling refactoring?
Regards,
--
Eduardo Otubo
IBM Linux Technology Center
On 04/29/2013 07:02 PM, Corey Bryant wrote:
On 04/29/2013 02:39 PM, Eduardo Otubo wrote:
On 04/26/2013 06:07 PM, Paul Moore wrote:
On Friday, April 26, 2013 03:39:33 PM Eduardo Otubo wrote:
Hello folks,
Resuming the sandboxing work, I'd like to ask for comments on the
ideas I have
On 04/26/2013 06:07 PM, Paul Moore wrote:
On Friday, April 26, 2013 03:39:33 PM Eduardo Otubo wrote:
Hello folks,
Resuming the sandboxing work, I'd like to ask for comments on the
ideas I have:
1. Reduce whitelist to the optimal subset: Run various tests on Qemu
with different
not unblock those
signals. Eduardo, can you submit a patch for that?
I sure can.
--
Eduardo Otubo
IBM Linux Technology Center
it. But not sure
if it's worth the time spent. Would like to hear from you guys.
Regards,
--
Eduardo Otubo
IBM Linux Technology Center
According to the bug 855162[0] - there's the need of adding new syscalls
to the whitelist when using Qemu with Libvirt.
[0] - https://bugzilla.redhat.com/show_bug.cgi?id=855162
Reported-by: Paul Moore pmo...@redhat.com
Signed-off-by: Eduardo Otubo ot...@linux.vnet.ibm.com
Signed-off-by: Corey
Hello folks,
Has anyone had a chance to take a look at this? We would like to get
this into the 1.3 release.
Thanks again :)
On Mon, Nov 12, 2012 at 05:48:14PM -0200, Eduardo Otubo wrote:
According to the bug 855162[0] - there's the need of adding new syscalls
to the whitelist when using
.
Signed-off-by: Eduardo Otubo ot...@linux.vnet.ibm.com
Signed-off-by: Corey Bryant cor...@linux.vnet.ibm.com
---
hmp-commands.hx | 12 ++--
net/tap.c | 13 +
qemu-options.hx | 11 +--
qemu-seccomp.h |4 +++-
qmp-commands.hx |3 ++-
5 files changed
have access
to libseccomp packages, you can manually build with the following
steps:
1) git clone git://git.code.sf.net/p/libseccomp/libseccomp
2) cd libseccomp
3) ./configure
4) make
5) make install
6) export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig/
Signed-off-by: Eduardo Otubo ot
these after QEMU 1.3.
Signed-off-by: Eduardo Otubo ot...@linux.vnet.ibm.com
Signed-off-by: Corey Bryant cor...@linux.vnet.ibm.com
---
qemu-seccomp.c | 252 +---
qemu-seccomp.h |2 +-
vl.c |9 +-
3 files changed, 251 insertions
on further tests.
* Added new syscalls with priority 241 that are unknown to be
used by QEMU. We'll attempt to remove these after QEMU 1.3.
Reported-by: Paul Moore pmo...@redhat.com
Signed-off-by: Eduardo Otubo ot...@linux.vnet.ibm.com
Signed-off-by: Corey Bryant cor...@linux.vnet.ibm.com
QEMU.
When the seccomp filter is configured with SCMP_ACT_TRAP, the
kernel sends a SIGSYS every time an illegal syscall is called.
The role of the debug mode is to handle the SIGSYS, determine
the illegal syscall, and print the syscall number to stderr.
v3: New in v3.
Signed-off-by: Eduardo Otubo ot
On Thu, Nov 01, 2012 at 05:43:03PM -0400, Paul Moore wrote:
On Tuesday, October 23, 2012 03:55:29 AM Eduardo Otubo wrote:
According to the bug 855162[0] - there's the need of adding new syscalls
to the whitelist when using Qemu with Libvirt.
[0] - https://bugzilla.redhat.com
On Tue, Oct 23, 2012 at 11:10:58AM -0400, Corey Bryant wrote:
On 10/23/2012 01:55 AM, Eduardo Otubo wrote:
This patch includes a second whitelist right before the main loop. It's
a smaller and more restricted whitelist, excluding execve() among many
others.
v2: * ctx changed