Thanks.
2014-12-12 16:32 GMT+01:00 Daniel P. Berrange <berrange@xxxxxxxxxx>:
I see.
Is it something like each QEMU device enabled comes along with a system-calls list ie. rules allowed?
Is this list of rules loaded at each time the QEMU/KVM starts?
On Fri, Dec 12, 2014 at 04:24:55PM +0100, Raymond Durand wrote:
> Thanks.
>
> How are the rules managed so as to fit the VM system calls?
> Is tuning possible? recommended?
QEMU has a built-in policy that adds rules for every conceivable
function that QEMU might need to execute. Given that is quite
broad, the security benefit from seccomp enablement is quit low
IMHO
I see.
Is it something like each QEMU device enabled comes along with a system-calls list ie. rules allowed?
Is this list of rules loaded at each time the QEMU/KVM starts?
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
Regards,
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list