add support for "sandbox" feature to qemu

Update the govmm code in order to support "sandbox" feature on qemu,
which can introduce another protect layer on the host,
to make the secure container more secure.

Fixes: #185

Signed-off-by: Liang Zhou <zhoul110@chinatelecom.cn>

qemu/qemu.go

@@ -2448,6 +2448,9 @@ type Config struct {
 	// CPUModel is the CPU model to be used by qemu.
 	CPUModel string
 
+	// SeccompSandbox is the qemu function which enables the seccomp feature
+	SeccompSandbox string
+
 	// Machine
 	Machine Machine
 
@@ -2524,6 +2527,13 @@ func (config *Config) appendFDs(fds []*os.File) []int {
 	return fdInts
 }
 
+func (config *Config) appendSeccompSandbox() {
+	if config.SeccompSandbox != "" {
+		config.qemuParams = append(config.qemuParams, "-sandbox")
+		config.qemuParams = append(config.qemuParams, config.SeccompSandbox)
+	}
+}
+
 func (config *Config) appendName() {
 	if config.Name != "" {
 		config.qemuParams = append(config.qemuParams, "-name")
@@ -2877,6 +2887,7 @@ func LaunchQemu(config Config, logger QMPLog) (string, error) {
 	config.appendPidFile()
 	config.appendLogFile()
 	config.appendFwCfg(logger)
+	config.appendSeccompSandbox()
 
 	if err := config.appendCPUs(); err != nil {
 		return "", err

qemu/qemu_test.go

@@ -1072,6 +1072,25 @@ func TestValidPFlash(t *testing.T) {
 	}
 }
 
+func TestBadSeccompSandbox(t *testing.T) {
+	c := &Config{}
+	c.appendSeccompSandbox()
+	if len(c.qemuParams) != 0 {
+		t.Errorf("Expected empty qemuParams, found %s", c.qemuParams)
+	}
+}
+
+func TestValidSeccompSandbox(t *testing.T) {
+	c := &Config{}
+	c.SeccompSandbox = string("on,obsolete=deny")
+	c.appendSeccompSandbox()
+	expected := []string{"-sandbox", "on,obsolete=deny"}
+	ok := reflect.DeepEqual(expected, c.qemuParams)
+	if !ok {
+		t.Errorf("Expected %v, found %v", expected, c.qemuParams)
+	}
+}
+
 func TestBadVGA(t *testing.T) {
 	c := &Config{}
 	c.appendVGA()