• Philipp Gesang's avatar
    seccomp: whitelist syscalls fallocate(), fadvise64(), inotify_init1() and inotify_add_watch() · f73adec7
    Philipp Gesang authored
    fallocate() is needed for snapshotting. If it isn’t whitelisted
    
        $ qemu-img create -f qcow2 x.qcow 1G
        Formatting 'x.qcow', fmt=qcow2 size=1073741824 encryption=off cluster_size=65536 lazy_refcounts=off
        $ qemu-kvm -display none -monitor stdio -sandbox on x.qcow
        QEMU 2.1.50 monitor - type 'help' for more information
        (qemu) savevm foo
        (qemu) loadvm foo
    
    will fail, as will subsequent savevm commands on the same image.
    
    fadvise64(), inotify_init1(), inotify_add_watch() are needed by
    the SDL display. Without the whitelist entries,
    
        qemu-kvm -sandbox on
    
    fails immediately.
    
    In my tests fadvise64() is called 50--51 times per VM run. That
    number seems independent of the duration of the run. fallocate(),
    inotify_init1(), inotify_add_watch() are called once each.
    Accordingly, they are added to the whitelist at a very low
    priority.
    Signed-off-by: default avatarPhilipp Gesang <philipp.gesang@intra2net.com>
    Signed-off-by: default avatarEduardo Otubo <eduardo.otubo@profitbricks.com>
    f73adec7
qemu-seccomp.c 8.28 KB