[libvirt] libseccomp and KVM
Stefan Berger
stefanb at linux.vnet.ibm.com
Fri Dec 12 16:06:44 UTC 2014
On 12/12/2014 10:32 AM, Daniel P. Berrange wrote:
> On Fri, Dec 12, 2014 at 04:24:55PM +0100, Raymond Durand wrote:
>> Thanks.
>>
>> How are the rules managed so as to fit the VM system calls?
>> Is tuning possible? recommended?
> QEMU has a built-in policy that adds rules for every conceivable
> function that QEMU might need to execute. Given that is quite
> broad, the security benefit from seccomp enablement is quite low
> IMHO
Base code and (active) devices would each have to report what syscalls
they need so this list could be reduced to the minimum ...
Stefan
> Regards,
> Daniel
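
An added sketch of the idea raised in this thread (not part of the original messages, and not QEMU's or libvirt's code): components declare the syscalls they need, and the allowlist is generated only from the active ones. It emits a raw classic-BPF seccomp program rather than using libseccomp so it is self-contained; the `component` registry, the syscall lists and the x86_64 target are assumptions made for illustration.

```c
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/syscall.h>

#define THIS_ARCH AUDIT_ARCH_X86_64   /* assumption: filter targets an x86_64 host */

/* Hypothetical registry: each component declares the syscalls it needs. */
struct component { const char *name; int active; const int *nrs; size_t n; };

/* Constructed sample lists; the network device is not attached to this guest. */
static const int base_nrs[] = { SYS_read, SYS_write, SYS_ioctl, SYS_exit_group };
static const int net_nrs[]  = { SYS_read, SYS_sendmsg, SYS_recvmsg };
static const int disk_nrs[] = { SYS_pread64, SYS_pwrite64, SYS_fsync };
static const struct component comps[] = {
    { "base", 1, base_nrs, 4 }, { "net", 0, net_nrs, 3 }, { "disk", 1, disk_nrs, 3 },
};

/* Emit an allowlist filter; returns the instruction count, or 0 if it does not fit. */
size_t build_filter(const struct component *c, size_t nc, int only_active,
                    struct sock_filter *out, size_t cap)
{
    int nrs[255]; size_t m = 0, p = 0;
    for (size_t i = 0; i < nc; i++) {
        if (only_active && !c[i].active) continue;
        for (size_t j = 0; j < c[i].n; j++) {
            size_t k = 0; while (k < m && nrs[k] != c[i].nrs[j]) k++;
            if (k < m) continue;        /* already declared by another component */
            if (m == 255) return 0;     /* BPF jump offsets are 8 bits wide */
            nrs[m++] = c[i].nrs[j];
        }
    }
    if (m + 6 > cap) return 0;
    out[p++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[p++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0);
    out[p++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    out[p++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < m; i++)      /* a match jumps over the rest to ALLOW */
        out[p++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, nrs[i], m - i, 0);
    out[p++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    out[p++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return p;
}
```

With `only_active` set, the sample guest's filter has no entry for `sendmsg` or `recvmsg`, which the union over every component would still allow.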