<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 12/12/2014 12:13 PM, Raymond Durand
wrote:<br>
</div>
<blockquote
cite="mid:CAOWAew1JUnib4zQzS9DNXtnditT4HuU-HMpNvNTttjGWOv6aoQ@mail.gmail.com"
type="cite">
<div dir="ltr">Thanks.<br>
<div class="gmail_extra"><br>
<div class="gmail_quote">2014-12-12 17:06 GMT+01:00 Stefan
Berger <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:stefanb@linux.vnet.ibm.com" target="_blank">stefanb@linux.vnet.ibm.com</a>></span>:
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><span
class="">On 12/12/2014 10:32 AM, Daniel P. Berrange
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
On Fri, Dec 12, 2014 at 04:24:55PM +0100, Raymond
Durand wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
Thanks.<br>
<br>
How are the rules managed so as to fit the VM system
calls?<br>
Is tuning possible? recommended?<br>
</blockquote>
QEMU has a built-in policy that adds rules for every
conceivable<br>
function that QEMU might need to execute. Given that
is quite<br>
broad, the security benefit from seccomp enablement is
quit low<br>
IMHO <br>
</blockquote>
</span></blockquote>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><span
class="">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
</blockquote>
<br>
</span>
Base code and (active) devices would each have to report
what syscalls they need so this list could be reduced to
the minimum ...<br>
</blockquote>
<div><br>
</div>
<div>"Could be reduced": how? do you have in mind by
selecting the appropriate active devices at the
initialization time?<br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
The difficulty would be to determine which devices require which
syscalls beyond what 'base' QEMU needs (= QEMU without devices). So
one would have to use QEMU with one device after another and see
which new syscalls are required due to a specific device (syscall
auditing), then add the array of syscalls to a device's TypeInfo
structure and collect them this way. If a device's code were to
change, you'd have to do it again. So I think it would be a lot of
work all the time.<br>
<br>
Stefan<br>
<br>
<blockquote
cite="mid:CAOWAew1JUnib4zQzS9DNXtnditT4HuU-HMpNvNTttjGWOv6aoQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Stefan<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
Regards,<br>
Daniel<br>
</blockquote>
<br>
--<br>
libvir-list mailing list<br>
<a moz-do-not-send="true"
href="mailto:libvir-list@redhat.com" target="_blank">libvir-list@redhat.com</a><br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/libvir-list"
target="_blank">https://www.redhat.com/mailman/listinfo/libvir-list</a><br>
</blockquote>
<div><br>
</div>
<div>Regards, <br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
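<p>As an added example (not part of the original thread and not QEMU code), the syscall-auditing step Stefan describes can be made mechanical: trace a bare QEMU, trace the same QEMU with one extra device, reduce each trace to its set of syscall names, and take the difference. The script assumes both traces were written with <code>strace -f -o &lt;log&gt;</code> (the <code>-f</code> is needed because QEMU's vCPU and I/O threads make their own syscalls); the two sample traces embedded below are constructed for illustration, and <code>emit_c_array</code> prints a hypothetical initializer named here for convenience, since QEMU's TypeInfo has no such field.</p>

```shell
#!/bin/sh
# Added example: compute the per-device syscall delta from two strace logs.
# Assumed capture commands (not run here):
#   strace -f -o base.strace qemu-system-x86_64 -machine accel=kvm -nodefaults ...
#   strace -f -o tap.strace  qemu-system-x86_64 ... -netdev tap,id=n0 -device virtio-net,netdev=n0
# Byte-wise collation so that sort and comm agree on the ordering.
export LC_ALL=C

# Extract the sorted, unique set of syscall names from a strace log.
# With -f each line starts with a PID: "1234  openat(AT_FDCWD, "/dev/kvm", ...) = 3".
# "<... futex resumed>", "+++ exited" and "--- SIGCHLD" lines carry no leading
# syscall name and are dropped by the pattern.
syscall_set() {
    sed -n 's/^[0-9]* *\([a-z_][a-z0-9_]*\)(.*/\1/p' "$1" | sort -u
}

# Print syscalls present in the device trace but absent from the base trace.
device_delta() {
    tmp_base=$(mktemp); tmp_dev=$(mktemp)
    syscall_set "$1" > "$tmp_base"
    syscall_set "$2" > "$tmp_dev"
    comm -13 "$tmp_base" "$tmp_dev"
    rm -f "$tmp_base" "$tmp_dev"
}

# Format a delta as a C array initializer (hypothetical field, for illustration).
emit_c_array() {
    name=$1; shift
    printf 'static const char *%s_syscalls[] = {' "$name"
    for s in "$@"; do printf ' "%s",' "$s"; done
    printf ' NULL };\n'
}

# Constructed sample traces (not real QEMU output): base QEMU, then QEMU + tap netdev.
WORK=$(mktemp -d)
BASE_LOG=$WORK/base.strace
DEV_LOG=$WORK/tap.strace
cat > "$BASE_LOG" <<'EOF'
1234  execve("/usr/bin/qemu-system-x86_64", ["qemu-system-x86_64"], 0x7ffd1a2b3c40) = 0
1234  openat(AT_FDCWD, "/dev/kvm", O_RDWR|O_CLOEXEC) = 3
1234  ioctl(3, KVM_GET_API_VERSION, 0) = 12
1234  mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1c00000000
1235  futex(0x55d0c0a1f2e0, FUTEX_WAIT_PRIVATE, 0, NULL <unfinished ...>
1234  ppoll([{fd=4, events=POLLIN}], 1, NULL, NULL, 8) = 1
1235  <... futex resumed>) = 0
1234  read(4, "\1\0\0\0\0\0\0\0", 8) = 8
1234  exit_group(0) = ?
1234  +++ exited with 0 +++
EOF
cat > "$DEV_LOG" <<'EOF'
1300  execve("/usr/bin/qemu-system-x86_64", ["qemu-system-x86_64"], 0x7ffd1a2b3c40) = 0
1300  openat(AT_FDCWD, "/dev/kvm", O_RDWR|O_CLOEXEC) = 3
1300  ioctl(3, KVM_GET_API_VERSION, 0) = 12
1300  openat(AT_FDCWD, "/dev/net/tun", O_RDWR) = 5
1300  ioctl(5, TUNSETIFF, 0x7ffd1a2b3d00) = 0
1300  socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0) = 6
1300  setsockopt(6, SOL_SOCKET, SO_SNDBUF, [1048576], 4) = 0
1300  mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1c00000000
1301  futex(0x55d0c0a1f2e0, FUTEX_WAIT_PRIVATE, 0, NULL <unfinished ...>
1300  sendmsg(6, {msg_name=NULL, msg_iov=[{iov_base="\0", iov_len=1}], msg_iovlen=1}, 0) = 1
1300  ppoll([{fd=4, events=POLLIN}], 1, NULL, NULL, 8) = 1
1301  <... futex resumed>) = 0
1300  read(4, "\1\0\0\0\0\0\0\0", 8) = 8
1300  exit_group(0) = ?
1300  +++ exited with 0 +++
EOF

# Usage: the device delta, then the same delta as a C initializer.
device_delta "$BASE_LOG" "$DEV_LOG"
emit_c_array tap $(device_delta "$BASE_LOG" "$DEV_LOG")
```

<p>On the constructed traces the tap device contributes <code>sendmsg</code>, <code>setsockopt</code> and <code>socket</code>; <code>openat</code> and <code>ioctl</code> do not appear in the delta because the base run already uses them for <code>/dev/kvm</code>, which is one reason a set difference understates how a device depends on a syscall. The delta is also only as complete as the workload that produced it: hotplug, migration and error paths that a short boot does not exercise will not show up, so a whitelist derived this way has to be re-audited whenever the device code changes.</p>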
</body>
</html>