On Wednesday, May 29, 2013 04:30:01 PM Paul Moore wrote:
> In order to enable the asynchronous I/O functionality when using the
> seccomp sandbox we need to add the associated syscalls to the
> whitelist.
>
> Signed-off-by: Paul Moore <pmo...@redhat.com>
> ---
> qemu-seccomp.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/qemu-seccomp.c b/qemu-seccomp.c
> index 031da1d..ca123bf 100644
> --- a/qemu-seccomp.c
> +++ b/qemu-seccomp.c
> @@ -87,6 +87,7 @@ static const struct QemuSeccompSyscall seccomp_whitelist[]
> = { { SCMP_SYS(stat), 245 },
> { SCMP_SYS(uname), 245 },
> { SCMP_SYS(eventfd2), 245 },
> + { SCMP_SYS(io_getevents), 245 },
> { SCMP_SYS(dup), 245 },
> { SCMP_SYS(dup2), 245 },
> { SCMP_SYS(dup3), 245 },
> @@ -229,7 +230,9 @@ static const struct QemuSeccompSyscall
> seccomp_whitelist[] = { { SCMP_SYS(sendmmsg), 241 },
> { SCMP_SYS(recvmmsg), 241 },
> { SCMP_SYS(prlimit64), 241 },
> - { SCMP_SYS(waitid), 241 }
> + { SCMP_SYS(waitid), 241 },
> + { SCMP_SYS(io_setup), 241 },
> + { SCMP_SYS(io_destroy), 241 }
> };
>
> int seccomp_start(void)
Any reason this patch wasn't pulled in for 1.5.1?
--
paul moore
security and virtualization @ redhat
