seccomp: changing from whitelist to blacklist

This patch changes the default behavior of the seccomp filter from whitelist to blacklist. By default now all system calls are allowed and a small black list of definitely forbidden ones was created. Signed-off-by: Eduardo Otubo <otubo@redhat.com>
author: Eduardo Otubo <otubo@redhat.com> 2017-02-28 21:13:12 +0100
committer: Eduardo Otubo <otubo@redhat.com> 2017-09-15 10:13:35 +0200
commit: 1bd6152ae23549032ef4aca0d3d350512f012f05 (patch)
tree: f3f5a4509e206f1e529953b48232b50e5099f8e8 /vl.c
parent: 3dabde1128b671f36ac6cb36b97b273139964420 (diff)
1 files changed, 0 insertions, 1 deletions
diff --git a/vl.c b/vl.c
index fb1f05b937..76e0b3a946 100644
--- a/vl.c
+++ b/vl.c
@@ -1032,7 +1032,6 @@ static int bt_parse(const char *opt)
 
 static int parse_sandbox(void *opaque, QemuOpts *opts, Error **errp)
 {
-    /* FIXME: change this to true for 1.3 */
     if (qemu_opt_get_bool(opts, "enable", false)) {
 #ifdef CONFIG_SECCOMP
         if (seccomp_start() < 0) {
author	Eduardo Otubo <otubo@redhat.com>	2017-02-28 21:13:12 +0100
committer	Eduardo Otubo <otubo@redhat.com>	2017-09-15 10:13:35 +0200
commit	1bd6152ae23549032ef4aca0d3d350512f012f05 (patch)
tree	f3f5a4509e206f1e529953b48232b50e5099f8e8 /vl.c
parent	3dabde1128b671f36ac6cb36b97b273139964420 (diff)