| author | Peter Maydell | 2016-04-18 11:22:43 +0200 |
|---|---|---|
| committer | Peter Maydell | 2016-04-18 11:22:44 +0200 |
| commit | adde0204e4edbebfeb77d244cad7d9d8be7ed7e0 (patch) | |
| tree | fd0a7216a76e50dad342931fbf3e9379651b2f79 | |
| parent | Merge remote-tracking branch 'remotes/weil/tags/pull-wxx-20160415' into staging (diff) | |
| parent | seccomp: adding sysinfo system call to whitelist (diff) | |
Merge remote-tracking branch 'remotes/otubo/tags/pull-seccomp-20160416' into staging
seccomp branch queue
# gpg: Signature made Sat 16 Apr 2016 19:58:46 BST using RSA key ID 12F8BD2F
# gpg: Good signature from "Eduardo Otubo (Software Engineer @ ProfitBricks) <eduardo.otubo@profitbricks.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 1C96 46B6 E1D1 C38A F2EC 3FDE FD0C FF5B 12F8 BD2F
* remotes/otubo/tags/pull-seccomp-20160416:
seccomp: adding sysinfo system call to whitelist
seccomp: Whitelist cacheflush since 2.2.0 not 2.2.3
configure: Enable seccomp sandbox for MIPS
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
| -rwxr-xr-x | configure | 3 | ||||
| -rw-r--r-- | qemu-seccomp.c | 9 |
2 files changed, 9 insertions, 3 deletions
@@ -1872,6 +1872,9 @@ if test "$seccomp" != "no" ; then
 i386|x86_64)
 libseccomp_minver="2.1.0"
 ;;
+ mips)
+ libseccomp_minver="2.2.0"
+ ;;
 arm|aarch64)
 libseccomp_minver="2.2.3"
 ;;
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 2866e3c2a6..cb569dc058 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -16,11 +16,13 @@
 #include <seccomp.h>
 #include "sysemu/seccomp.h"
+/* For some architectures (notably ARM) cacheflush is not supported until
+ * libseccomp 2.2.3, but configure enforces that we are using a more recent
+ * version on those hosts, so it is OK for this check to be less strict.
+ */
 #if SCMP_VER_MAJOR >= 3
 #define HAVE_CACHEFLUSH
-#elif SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 3
- #define HAVE_CACHEFLUSH
-#elif SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR == 2 && SCMP_VER_MICRO >= 3
+#elif SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 2
 #define HAVE_CACHEFLUSH
 #endif
@@ -250,6 +252,7 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
 #ifdef HAVE_CACHEFLUSH
 { SCMP_SYS(cacheflush), 240 },
 #endif
+ { SCMP_SYS(sysinfo), 240 },
 };
 int seccomp_start(void)
|
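Review bot: The comment added above `#if SCMP_VER_MAJOR >= 3` justifies the looser `SCMP_VER_MINOR >= 2` test by pointing at configure, but it does not name what in configure enforces the minimum. That makes the coupling easy to break. The guarantee comes from the per-architecture `libseccomp_minver` cases shown in the configure hunk, so I would name the variable: `* libseccomp 2.2.3, but configure (libseccomp_minver) enforces that we are using a more recent`. A matching one-line remark beside the `arm|aarch64)` case, such as `# qemu-seccomp.c relies on this minimum for HAVE_CACHEFLUSH`, would warn anyone who later lowers it. As written, a host built against 2.2.0 to 2.2.2 gets `HAVE_CACHEFLUSH` defined, so the header check alone no longer protects architectures where cacheflush support arrived later.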
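Review bot: The new `{ SCMP_SYS(sysinfo), 240 },` entry enlarges the set of syscalls the sandbox permits without recording why it is needed. Neither the hunk nor the commit title says which code path or library issues sysinfo. Whitelist entries are hard to audit or retire later without that, so I would add a comment on the line, for example `{ SCMP_SYS(sysinfo), 240 }, /* needed by <caller or library>; reports host memory/uptime figures */`. The entry sits after the `#endif` and is therefore unconditional on every host architecture; if the requirement is specific to one configuration, the comment should say so. The `seccomp_whitelist[]` array begins outside this hunk, so its ordering and priority conventions could not be checked here.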
