Re: Seccomp profile for swtpm as default


 



On Wed, Mar 13, 2019 at 03:43:13PM -0400, Stefan Berger wrote:
> Hello!
> 
> If you have some feedback regarding a seccomp profile extension for swtpm
> for v0.2, please let me know. I created this GitHub issue here:
> 
> 
> https://github.com/stefanberger/swtpm/issues/115
> 
> 
> Basically the choice is whether to make the creation of the seccomp profile
> a default behavior or have the caller explicitly pass the '--seccomp
> profile=default' on the command line, which then in turn would require
> libvirt for example to check whether this current version of swtpm supports
> the feature either by swtpm version or by strstr() the help page.

In QEMU we can't enable seccomp by default because its wide range of
features means any default profile would be effectively useless. Libvirt
knows that it uses a restricted set of QEMU features, so it can enable
a more useful seccomp by default.

I think swtpm won't have this complexity problem. Its functionality is
relatively narrow & well understood & so it is practical to define a
good seccomp profile & use that by default. So personally I'd merely
provide an opt-out to turn it off unless you think this is likely to
break something important.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



