Commit 1bd6152a authored by Eduardo Otubo's avatar Eduardo Otubo

seccomp: changing from whitelist to blacklist

This patch changes the default behavior of the seccomp filter from
whitelist to blacklist. By default now all system calls are allowed and
a small black list of definitely forbidden ones was created.
Signed-off-by: 's avatarEduardo Otubo <otubo@redhat.com>
parent 3dabde11
......@@ -15,6 +15,8 @@
#ifndef QEMU_SECCOMP_H
#define QEMU_SECCOMP_H
#define QEMU_SECCOMP_SET_DEFAULT (1 << 0)
#include <seccomp.h>
int seccomp_start(void);
......
This diff is collapsed.
......@@ -1032,7 +1032,6 @@ static int bt_parse(const char *opt)
static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp)
{
/* FIXME: change this to true for 1.3 */
if (qemu_opt_get_bool(opts, "enable", false)) {
#ifdef CONFIG_SECCOMP
if (seccomp_start() < 0) {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment