On 07/05/2018 - 11:29:57, Christian Borntraeger wrote: > On 05/07/2018 05:32 AM, Yi Min Zhao wrote: > > 1. Problem Description > > ====================== > > If QEMU is built without seccomp support, 'elevatorprivileges' remains > > compiled. > > This option of sandbox is treated as an indication for seccomp blacklist > > support > > in libvirt. This behavior is introduced by the libvirt commits 31ca6a5 and > > 3527f9d. It would make libvirt build wrong QEMU cmdline, and then the guest > > startup would fail. > > Adding libvirt list. > > This would still fail with older QEMUs, so the question is if we should also > OR instead > change something in libvirt.
Perhaps I'm missing something here, but libvirt can differentiate between different versions of QEMU, therefore not calling it with wrong or outdated arguments. > > > > > 2. Libvirt Log > > ============== > > qemu-system-s390x: -sandbox > > on,obsolete=deny,elevateprivileges=deny,spawn=deny,\ > > resourcecontrol=deny: seccomp support is disabled > > > > 3. Fixup > > ======== > > Wrap the options except 'enable' for qemu_sandbox_opts by CONFIG_SECCOMP. > > > > Yi Min Zhao (1): > > sandbox: avoid to compile options if CONFIG_SECCOMP undefined > > > > vl.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > -- Eduardo Otubo
