From: Ján Tomko <jtomko@redhat.com>
Date: Fri, 24 Sep 2021 14:04:30 +0000 (+0200)
Subject: qemu: always assume QEMU_CAPS_SECCOMP_BLACKLIST
X-Git-Tag: v7.8.0-rc1~13
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=142938f5c227997c395695fd9e353f1b293a4d96;p=thirdparty%2Flibvirt.git

qemu: always assume QEMU_CAPS_SECCOMP_BLACKLIST

elevateprivileges was introduced by QEMU commit:
73a1e64725 "seccomp: add elevateprivileges argument to command line"
released in 2.11.0
and later made conditional on SECCOMP support by:
9d0fdecbad sandbox: disable -sandbox if CONFIG_SECCOMP undefined

Use the existence of the sandbox option as a witness for its support.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
---

diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index b60ee1192b..fa9998a191 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -10120,7 +10120,7 @@ qemuBuildSeccompSandboxCommandLine(virCommand *cmd,
     }
 
     /* Use blacklist by default if supported */
-    if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SECCOMP_BLACKLIST)) {
+    if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SECCOMP_SANDBOX)) {
         virCommandAddArgList(cmd, "-sandbox",
                              "on,obsolete=deny,elevateprivileges=deny,"
                              "spawn=deny,resourcecontrol=deny",