On 08.09.2017 13:44, Eduardo Otubo wrote:
> This patch introduces the new argument
> [,elevateprivileges=allow|deny|children] to the `-sandbox on'. It allows
> or denies Qemu process to elevate its privileges by blacklisting all
> set*uid|gid system calls. The 'children' option will let forks and
> execves run unprivileged.
>
> Signed-off-by: Eduardo Otubo <ot...@redhat.com>
> ---
>  include/sysemu/seccomp.h |  1 +
>  qemu-options.hx          | 12 +++++++++---
>  qemu-seccomp.c           | 11 +++++++++++
>  vl.c                     | 27 +++++++++++++++++++++++++++
>  4 files changed, 48 insertions(+), 3 deletions(-)

Reviewed-by: Thomas Huth <th...@redhat.com>
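
The deny-list idea from the commit message above, as an added illustration that is not taken from the QEMU patch: a raw seccomp-BPF filter that refuses the set*uid|gid calls in a forked child. The syscall list is a reading of the `set*uid|gid` pattern, returning EPERM is a choice made here so the result can be observed, and the function names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Two BPF instructions: if the loaded syscall number equals nr, fail it with EPERM. */
#define DENY(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* Deny-list for the set*uid|gid family (list assumed from the pattern); all other
 * syscalls pass. Kept short: a production filter also validates seccomp_data.arch. */
static int deny_privilege_changes(void)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        DENY(__NR_setuid), DENY(__NR_setgid),
        DENY(__NR_setreuid), DENY(__NR_setregid),
        DENY(__NR_setresuid), DENY(__NR_setresgid),
        DENY(__NR_setfsuid), DENY(__NR_setfsgid),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
    /* no_new_privs is what lets an unprivileged process install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Filter a forked child so the caller stays unfiltered. Returns 0 when setuid() to the
 * child's own uid (normally permitted) is refused with EPERM, 1 if not, 2 or -1 on setup errors. */
static int setuid_is_blocked(void)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (deny_privilege_changes() != 0) _exit(2);
        long r = syscall(__NR_setuid, getuid());  /* raw call: same number the filter matches */
        _exit((r == -1 && errno == EPERM) ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) { return setuid_is_blocked(); }  /* exit status 0: setuid was blocked */
```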