[libvirt] libseccomp and KVM

Raymond Durand secalf at gmail.com
Fri Dec 12 17:13:15 UTC 2014


Thanks.

2014-12-12 17:06 GMT+01:00 Stefan Berger <stefanb at linux.vnet.ibm.com>:
>
> On 12/12/2014 10:32 AM, Daniel P. Berrange wrote:
>
>> On Fri, Dec 12, 2014 at 04:24:55PM +0100, Raymond Durand wrote:
>>
>>> Thanks.
>>>
>>> How are the rules managed so as to fit the VM system calls?
>>> Is tuning possible? recommended?
>>>
>> QEMU has a built-in policy that adds rules for every conceivable
>> function that QEMU might need to execute. Given that is quite
>> broad, the security benefit from seccomp enablement is quite low
>> IMHO
>>
>
> Base code and (active) devices would each have to report what syscalls
> they need so this list could be reduced to the minimum ...
>

"Could be reduced": how? Do you have in mind selecting the appropriate
active devices at initialization time?


>
>     Stefan
>
>> Regards,
>> Daniel
>>
>

Regards,