Re: libseccomp and KVM

Thanks.

2014-12-12 17:06 GMT+01:00 Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>:
> On 12/12/2014 10:32 AM, Daniel P. Berrange wrote:
> > On Fri, Dec 12, 2014 at 04:24:55PM +0100, Raymond Durand wrote:
> > > Thanks.
> > >
> > > How are the rules managed so as to fit the VM system calls?
> > > Is tuning possible? Recommended?
> > QEMU has a built-in policy that adds rules for every conceivable
> > function that QEMU might need to execute. Given that is quite
> > broad, the security benefit from seccomp enablement is quite low
> > IMHO
>
> Base code and (active) devices would each have to report what syscalls they need so this list could be reduced to the minimum ...

"Could be reduced": how? Do you have in mind by selecting the appropriate active devices at the initialization time?

>     Stefan
>
> > Regards,
> > Daniel

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

Regards,
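
Added example (not part of the thread, and not QEMU or libvirt code): it illustrates the idea discussed above, where the base code and each active device declare the syscalls they need and the allowlist is built from only those declarations. The `component` struct, the syscall lists and `check()` are constructed for illustration; the code emits raw seccomp-BPF instead of calling libseccomp, evaluates the filter with a small interpreter rather than installing it, and a filter that is installed must also check `seccomp_data.arch` first.

```c
#include <stddef.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Hypothetical model: each component declares the syscalls it needs (constructed lists). */
struct component { int active; const long *calls; size_t n; };
static const long base_calls[] = { SYS_read, SYS_write, SYS_ioctl, SYS_futex, SYS_exit_group };
static const long disk_calls[] = { SYS_pread64, SYS_pwrite64, SYS_fdatasync };
static const long net_calls[]  = { SYS_sendmsg, SYS_recvmsg };
#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Allowlist for the active components only; returns the instruction count, 0 if cap is too small. */
size_t build_filter(const struct component *c, size_t nc, struct sock_filter *out, size_t cap)
{
    size_t len = 0;
    if (cap < 2) return 0;
    out[len++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < nc; i++)
        for (size_t j = 0; c[i].active && j < c[i].n; j++) {
            if (len + 3 > cap) return 0; /* keep room for the final KILL */
            /* if (A == call) return ALLOW; otherwise skip to the next test */
            out[len++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)c[i].calls[j], 0, 1);
            out[len++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
        }
    out[len++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    return len;
}

/* Interpret the filter for one syscall number (only the opcodes emitted above). */
unsigned verdict(const struct sock_filter *f, size_t len, long nr)
{
    unsigned acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        if (f[pc].code == (BPF_LD | BPF_W | BPF_ABS)) acc = (unsigned)nr;
        else if (f[pc].code == (BPF_JMP | BPF_JEQ | BPF_K)) pc += (acc == f[pc].k) ? f[pc].jt : f[pc].jf;
        else return f[pc].k; /* BPF_RET | BPF_K */
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Verdict for syscall `nr` in a VM with the given devices attached. */
unsigned check(int disk, int net, long nr)
{
    const struct component vm[] = { { 1, base_calls, N(base_calls) },
        { disk, disk_calls, N(disk_calls) }, { net, net_calls, N(net_calls) } };
    struct sock_filter prog[64];
    size_t len = build_filter(vm, N(vm), prog, N(prog));
    return len ? verdict(prog, len, nr) : SECCOMP_RET_KILL_PROCESS;
}
```

A VM started without a network device gets a filter in which `sendmsg` is killed, while the same binary with the device attached gets one in which it is allowed.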
