Ján Tomko <jtomko@xxxxxxxxxx> writes:

> On a Friday in 2023, Markus Armbruster wrote:
>>>    { "sandbox", NULL, QEMU_CAPS_SECCOMP_SANDBOX },
>>
>>Does option -sandbox exist?
>>
>>It does since v1.2.  If CONFIG_SECCOMP is off, actually using it is a
>>fatal error.  Compiling out the option entirely would be more useful, I
>>guess.
>>
>>Is this probe still useful?
>
> I believe so.
>
> libvirt adds '-sandbox on' to all VMs it runs, unless the option is not
> available.
>
> Some users wanted to run libvirt with QEMUs without libseccomp,
> which resulted in the following QEMU commit.
>
> commit 0dd693ef1f15b6e9c4ba8b0118663e10338077cf
>     sandbox: disable -sandbox if CONFIG_SECCOMP undefined
>
> While using this option won't work if CONFIG_SECCOMP is off,
> it should not show up in q-c-l-o so libvirt won't even try to use it.

You're right: the option exists regardless of CONFIG_SECCOMP, but it
shows up in q-c-l-o only when CONFIG_SECCOMP is on.

> If I'm reading
> commit 90835c2b8127406615785a9d4348ffdf3c813c8a
>     seccomp: convert to meson
> correctly, then the whole softmmu/qemu-seccomp.c file is only compiled
> if seccomp was found.
>
> Jano
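
The probe discussed in this thread, sketched as an added example (not libvirt's or QEMU's code): a table entry shaped like the quoted `{ "sandbox", NULL, QEMU_CAPS_SECCOMP_SANDBOX }` is matched against a query-command-line-options reply, and `-sandbox on` is added only when the option is listed. The two replies are constructed and trimmed, and the function names are hypothetical.

```python
import json

# Probe table in the shape of the quoted entry: (option, parameter, capability).
# A parameter of None means "the option itself must be listed".
PROBES = [("sandbox", None, "QEMU_CAPS_SECCOMP_SANDBOX")]

# Constructed query-command-line-options replies, trimmed to a few entries.
REPLY_WITH_SECCOMP = json.dumps({"return": [
    {"option": "sandbox", "parameters": [
        {"name": "enable", "type": "boolean"},
        {"name": "obsolete", "type": "string"}]},
    {"option": "name", "parameters": [{"name": "guest", "type": "string"}]},
]})
REPLY_WITHOUT_SECCOMP = json.dumps({"return": [
    {"option": "name", "parameters": [{"name": "guest", "type": "string"}]},
]})


def probe_caps(reply_text, probes=PROBES):
    """Return the capability flags that the q-c-l-o reply supports."""
    reply = json.loads(reply_text)
    if "return" not in reply:
        # QMP error reply: claim no capabilities rather than guessing.
        return set()
    listed = {}
    for entry in reply["return"]:
        names = {p.get("name") for p in entry.get("parameters", [])}
        listed[entry.get("option")] = names
    caps = set()
    for option, param, cap in probes:
        if option in listed and (param is None or param in listed[option]):
            caps.add(cap)
    return caps


def build_args(caps, binary="qemu-system-x86_64"):
    """Add '-sandbox on' only when the probe found the option."""
    args = [binary]
    if "QEMU_CAPS_SECCOMP_SANDBOX" in caps:
        args += ["-sandbox", "on"]
    return args


def runs_unsandboxed(caps):
    """True when the guest would start without the seccomp filter."""
    return "QEMU_CAPS_SECCOMP_SANDBOX" not in caps
```

The fallback is silent on the command line, so `runs_unsandboxed` is the value an operator would want logged or alerted on for hosts whose QEMU was built without libseccomp.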