On 08/29/2013 05:56 AM, Paolo Bonzini wrote:
On 29/08/2013 10:34, Stefan Hajnoczi wrote:
On Wed, Aug 28, 2013 at 10:04:32PM -0300, Eduardo Otubo wrote:
Now there's a second whitelist, right before the vcpu starts. The second
whitelist is the same as the first one, except for exec() and select().

-netdev tap,downscript=/path/to/script requires exec() in the QEMU
shutdown code path.  Will this work with seccomp?

It won't by design (seccomp is supposed to run with file descriptor
passing).

However, removing select() seems a bit risky.  We cannot exclude that
external libraries are not using it instead of, say, poll.

BTW, recent QEMU is using ppoll instead of poll; does the whitelist
require an update?

It might need some update, yes. I'll run some other tests with this specific syscall and, if needed, I'll send another patch for the whitelist update.

Thanks for pointing that out, Paolo.


Paolo


--
Eduardo Otubo
IBM Linux Technology Center
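
The two-stage whitelist discussed in this thread, as an added example that is not part of the original messages or of the QEMU patch: a raw seccomp-BPF sketch for Linux in which the second filter is the first minus execve, and a syscall that was never listed (ppoll) is refused. The helper names, the tiny syscall lists and the choice of failing with EPERM instead of killing the process are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <time.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: allow the n listed syscalls, fail all others with EPERM.
 * A production filter must also check seccomp_data.arch; omitted for brevity. */
static int install_whitelist(const int *ok, int n) {
    struct sock_filter f[32];
    int i = 0;
    if (n > 29) return -1;
    f[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                          offsetof(struct seccomp_data, nr));
    for (int k = 0; k < n; k++)  /* on match, jump forward to the final ALLOW */
        f[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ok[k], n - k, 0);
    f[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    f[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    struct sock_fprog prog = { .len = (unsigned short)i, .filter = f };
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Runs in a forked child. Result bits: 1 = execve reached the kernel after
 * stage 1, 2 = execve refused after stage 2, 4 = ppoll (never listed) refused. */
int run_two_stage(void) {
    const int stage1[] = { SYS_prctl, SYS_exit_group, SYS_execve };
    const int stage2[] = { SYS_prctl, SYS_exit_group };  /* stage1 minus execve */
    struct timespec zero = { 0, 0 };
    int st, r = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || install_whitelist(stage1, 3)) _exit(64);
        if (syscall(SYS_execve, NULL, NULL, NULL) == -1 && errno == EFAULT) r |= 1;
        if (install_whitelist(stage2, 2)) _exit(65);  /* filters stack; strictest wins */
        if (syscall(SYS_execve, NULL, NULL, NULL) == -1 && errno == EPERM) r |= 2;
        if (syscall(SYS_ppoll, NULL, 0L, &zero, NULL, 0L) == -1 && errno == EPERM) r |= 4;
        _exit(r);
    }
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void) { return run_two_stage() == 7 ? 0 : 1; }
```

Because every installed filter is evaluated and the most restrictive result applies, the second stage can only tighten the first; a library that switches from one polling syscall to another fails at the first call unless the whitelist is updated to match.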

