motorhead/qemu
1
0
Fork 0
mirror of https://github.com/Motorhead1991/qemu.git synced 2025-08-07 17:53:56 -06:00
Code Issues Projects Releases Packages Wiki Activity Actions

seccomp: add spawn argument to command line

Browse source 
This patch adds [,spawn=deny] argument to `-sandbox on' option. It
blacklists fork and execve system calls, avoiding Qemu to spawn new
threads or processes.

Signed-off-by: Eduardo Otubo <otubo@redhat.com>
This commit is contained in:
Eduardo Otubo 2017-03-13 22:16:01 +01:00
parent 73a1e64725
commit 995a226f88
4 changed files with 28 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
qemu-seccomp.c
View file

@ -78,6 +78,10 @@ static const struct QemuSeccompSyscall blacklist[] = {
{ SCMP_SYS(setresgid), QEMU_SECCOMP_SET_PRIVILEGED },
{ SCMP_SYS(setfsuid), QEMU_SECCOMP_SET_PRIVILEGED },
{ SCMP_SYS(setfsgid), QEMU_SECCOMP_SET_PRIVILEGED },
/* spawn */
{ SCMP_SYS(fork), QEMU_SECCOMP_SET_SPAWN },
{ SCMP_SYS(vfork), QEMU_SECCOMP_SET_SPAWN },
{ SCMP_SYS(execve), QEMU_SECCOMP_SET_SPAWN },
};