From 73a1e647256b09734ce64ef7a6001a0db03f7106 Mon Sep 17 00:00:00 2001
From: Eduardo Otubo
Date: Mon, 13 Mar 2017 22:13:27 +0100
Subject: seccomp: add elevateprivileges argument to command line

This patch introduces the new argument
[,elevateprivileges=allow|deny|children] to the `-sandbox on'. It allows
or denies Qemu process to elevate its privileges by blacklisting all
set*uid|gid system calls. The 'children' option will let forks and
execves run unprivileged.

Signed-off-by: Eduardo Otubo <otubo@redhat.com>
---
 include/sysemu/seccomp.h | 1 +
 1 file changed, 1 insertion(+)

(limited to 'include')

diff --git a/include/sysemu/seccomp.h b/include/sysemu/seccomp.h
index 215138a372..4a9e63c7cd 100644
--- a/include/sysemu/seccomp.h
+++ b/include/sysemu/seccomp.h
@@ -17,6 +17,7 @@
 
 #define QEMU_SECCOMP_SET_DEFAULT     (1 << 0)
 #define QEMU_SECCOMP_SET_OBSOLETE    (1 << 1)
+#define QEMU_SECCOMP_SET_PRIVILEGED  (1 << 2)
 
 #include <seccomp.h>
 
-- 
cgit v1.2.3-55-g7522