seccomp: add spawn argument to command line

This patch adds [,spawn=deny] argument to `-sandbox on' option. It blacklists fork and execve system calls, avoiding Qemu to spawn new threads or processes. Signed-off-by: Eduardo Otubo <otubo@redhat.com>
2025-08-08 18:23:57 -06:00 · 2017-03-13 22:16:01 +01:00 · 2017-03-13 22:16:01 +01:00 · 995a226f88
commit 995a226f88
parent 73a1e64725
4 changed files with 28 additions and 2 deletions
--- a/include/sysemu/seccomp.h
+++ b/include/sysemu/seccomp.h
@ -18,6 +18,7 @@
 #define QEMU_SECCOMP_SET_DEFAULT     (1 << 0)
 #define QEMU_SECCOMP_SET_OBSOLETE    (1 << 1)
 #define QEMU_SECCOMP_SET_PRIVILEGED  (1 << 2)
+#define QEMU_SECCOMP_SET_SPAWN       (1 << 3)

 #include <seccomp.h>