| author | Peter Maydell <peter.maydell@linaro.org> | 2016-04-18 10:22:43 +0100 |
|---|---|---|
| committer | Peter Maydell <peter.maydell@linaro.org> | 2016-04-18 10:22:44 +0100 |
| commit | adde0204e4edbebfeb77d244cad7d9d8be7ed7e0 (patch) | |
| tree | fd0a7216a76e50dad342931fbf3e9379651b2f79 | |
| parent | c6c598ca5fba68fbd6612f3330c4015142f2f86a (diff) | |
| parent | 8e08f8a4a7f613af65b29fcc3ac3bfc2a08a3343 (diff) | |
Merge remote-tracking branch 'remotes/otubo/tags/pull-seccomp-20160416' into staging
seccomp branch queue # gpg: Signature made Sat 16 Apr 2016 19:58:46 BST using RSA key ID 12F8BD2F # gpg: Good signature from "Eduardo Otubo (Software Engineer @ ProfitBricks) <eduardo.otubo@profitbricks.com>" # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: 1C96 46B6 E1D1 C38A F2EC 3FDE FD0C FF5B 12F8 BD2F * remotes/otubo/tags/pull-seccomp-20160416: seccomp: adding sysinfo system call to whitelist seccomp: Whitelist cacheflush since 2.2.0 not 2.2.3 configure: Enable seccomp sandbox for MIPS Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to '')
| -rwxr-xr-x | configure | 3 | ||||
| -rw-r--r-- | qemu-seccomp.c | 9 |
2 files changed, 9 insertions, 3 deletions
diff --git a/configure b/configure
index 5db29f0245..f1c307bfc6 100755
--- a/configure
+++ b/configure
@@ -1872,6 +1872,9 @@ if test "$seccomp" != "no" ; then
 i386|x86_64)
 libseccomp_minver="2.1.0"
 ;;
+ mips)
+ libseccomp_minver="2.2.0"
+ ;;
 arm|aarch64)
 libseccomp_minver="2.2.3"
 ;;
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 2866e3c2a6..cb569dc058 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -16,11 +16,13 @@
 #include <seccomp.h>
 #include "sysemu/seccomp.h"
+/* For some architectures (notably ARM) cacheflush is not supported until
+ * libseccomp 2.2.3, but configure enforces that we are using a more recent
+ * version on those hosts, so it is OK for this check to be less strict.
+ */
 #if SCMP_VER_MAJOR >= 3
 #define HAVE_CACHEFLUSH
-#elif SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 3
- #define HAVE_CACHEFLUSH
-#elif SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR == 2 && SCMP_VER_MICRO >= 3
+#elif SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 2
 #define HAVE_CACHEFLUSH
 #endif
@@ -250,6 +252,7 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
 #ifdef HAVE_CACHEFLUSH
 { SCMP_SYS(cacheflush), 240 },
 #endif
+ { SCMP_SYS(sysinfo), 240 },
 };
 int seccomp_start(void) |
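Review bot: The per-architecture minimums in this `case` are now load-bearing for qemu-seccomp.c, whose `HAVE_CACHEFLUSH` check is relaxed to `SCMP_VER_MINOR >= 2` in this same commit on the strength of the `arm|aarch64` floor of 2.2.3, yet nothing on the configure side records that. A comment above the arms such as `# qemu-seccomp.c's HAVE_CACHEFLUSH test assumes these floors; change both together` would stop a later edit from lowering a floor without revisiting the whitelist. The new `mips)` arm matches only that exact string, so whether other MIPS host variants reach it depends on how the cpu name is normalised earlier in configure, which this hunk does not show. The `case` statement opens and closes outside the hunk.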
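Review bot: With the micro-version branch gone, the `#if`/`#elif` pair defines the same macro under two conditions and reads more clearly as one test: `#if SCMP_VER_MAJOR >= 3 || (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 2)` followed by a single `#define HAVE_CACHEFLUSH`. The new comment could also name the configure variable that carries the guarantee (`libseccomp_minver`), so the dependency can be found by grep. These macros describe the headers QEMU was compiled against; if the library loaded at run time can differ, the guarantee is a build-time one only, and that is worth stating in the comment.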
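Review bot: The `sysinfo` entry widens the sandbox's allowed syscall set without a comment saying which QEMU code path or library call needs it, which makes the entry hard to audit or remove later. A short comment on the line, for example `/* sysinfo: required by <caller>; returns host uptime, load and memory totals */` with the real caller filled in, would record the justification next to the rule. It is placed outside the `#ifdef HAVE_CACHEFLUSH` block, so it applies on every host. The array `seccomp_whitelist` begins outside the hunk, so the second field (240) is presumably a priority but that cannot be confirmed from here.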