qemu: conf: add seccomp_sandbox option

src/qemu/libvirtd_qemu.aug

@@ -50,6 +50,7 @@ module Libvirtd_qemu =
                  | bool_entry "dynamic_ownership"
                  | str_array_entry "cgroup_controllers"
                  | str_array_entry "cgroup_device_acl"
+                 | int_entry "seccomp_sandbox"
 
    let save_entry =  str_entry "save_image_format"
                  | str_entry "dump_image_format"

src/qemu/qemu.conf

@@ -378,3 +378,11 @@
 #
 #keepalive_interval = 5
 #keepalive_count = 5
+
+
+
+# Use seccomp syscall whitelisting in QEMU.
+# 1 = on, 0 = off, -1 = use QEMU default
+# Defaults to -1.
+#
+#seccomp_sandbox = 1

src/qemu/qemu_conf.c

@@ -129,6 +129,7 @@ int qemudLoadDriverConfig(struct qemud_driver *driver,
 
     driver->keepAliveInterval = 5;
     driver->keepAliveCount = 5;
+    driver->seccompSandbox = -1;
 
     /* Just check the file is readable before opening it, otherwise
      * libvirt emits an error.
@@ -570,6 +571,10 @@ int qemudLoadDriverConfig(struct qemud_driver *driver,
     CHECK_TYPE("keepalive_count", VIR_CONF_LONG);
     if (p) driver->keepAliveCount = p->l;
 
+    p = virConfGetValue(conf, "seccomp_sandbox");
+    CHECK_TYPE("seccomp_sandbox", VIR_CONF_LONG);
+    if (p) driver->seccompSandbox = p->l;
+
     virConfFree (conf);
     return 0;
 }

src/qemu/qemu_conf.h

@@ -152,6 +152,7 @@ struct qemud_driver {
 
     int keepAliveInterval;
     unsigned int keepAliveCount;
+    int seccompSandbox;
 };
 
 typedef struct _qemuDomainCmdlineDef qemuDomainCmdlineDef;