qemu/include/sysemu/seccomp.h
Eduardo Otubo 24f8cdc572 seccomp: add resourcecontrol argument to command line
This patch adds [,resourcecontrol=deny] to `-sandbox on' option. It
blacklists all process affinity and scheduler priority system calls to
avoid any bigger of the process.

Signed-off-by: Eduardo Otubo <otubo@redhat.com>
2017-09-15 10:15:06 +02:00

28 lines
749 B
C

/*
* QEMU seccomp mode 2 support with libseccomp
*
* Copyright IBM, Corp. 2012
*
* Authors:
* Eduardo Otubo <eotubo@br.ibm.com>
*
* This work is licensed under the terms of the GNU GPL, version 2. See
* the COPYING file in the top-level directory.
*
* Contributions after 2012-01-13 are licensed under the terms of the
* GNU GPL, version 2 or (at your option) any later version.
*/
#ifndef QEMU_SECCOMP_H
#define QEMU_SECCOMP_H
#define QEMU_SECCOMP_SET_DEFAULT (1 << 0)
#define QEMU_SECCOMP_SET_OBSOLETE (1 << 1)
#define QEMU_SECCOMP_SET_PRIVILEGED (1 << 2)
#define QEMU_SECCOMP_SET_SPAWN (1 << 3)
#define QEMU_SECCOMP_SET_RESOURCECTL (1 << 4)
#include <seccomp.h>
int seccomp_start(uint32_t seccomp_opts);
#endif