[libvirt] libseccomp and KVM

Raymond Durand secalf at gmail.com
Fri Dec 12 17:12:40 UTC 2014


Thanks.


2014-12-12 16:32 GMT+01:00 Daniel P. Berrange <berrange at redhat.com>:
>
> On Fri, Dec 12, 2014 at 04:24:55PM +0100, Raymond Durand wrote:
> > Thanks.
> >
> > How are the rules managed so as to fit the VM system calls?
> > Is tuning possible? recommended?
>
> QEMU has a built-in policy that adds rules for every conceivable
> function that QEMU might need to execute. Given that is quite
> broad, the security benefit from seccomp enablement is quite low
> IMHO
>
>
I see.
Is it something like each QEMU device enabled comes along with a
system-calls list, i.e. rules allowed?
Is this list of rules loaded each time QEMU/KVM starts?



> Regards,
> Daniel
> --
> |: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org              -o-             http://virt-manager.org :|
> |: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
>

Regards,