[libvirt] libseccomp and KVM
Stefan Berger
stefanb at linux.vnet.ibm.com
Sun Dec 14 14:01:25 UTC 2014
On 12/12/2014 12:13 PM, Raymond Durand wrote:
> Thanks.
>
> 2014-12-12 17:06 GMT+01:00 Stefan Berger <stefanb at linux.vnet.ibm.com
> <mailto:stefanb at linux.vnet.ibm.com>>:
>
> On 12/12/2014 10:32 AM, Daniel P. Berrange wrote:
>
> On Fri, Dec 12, 2014 at 04:24:55PM +0100, Raymond Durand wrote:
>
> Thanks.
>
> How are the rules managed so as to fit the VM system calls?
> Is tuning possible? recommended?
>
> QEMU has a built-in policy that adds rules for every conceivable
> function that QEMU might need to execute. Given that is quite
> broad, the security benefit from seccomp enablement is quite low
> IMHO
>
>
> Base code and (active) devices would each have to report what
> syscalls they need so this list could be reduced to the minimum ...
>
>
> "Could be reduced": how? do you have in mind by selecting the
> appropriate active devices at the initialization time?
The difficulty would be to determine which devices require which
syscalls beyond what 'base' QEMU needs (= QEMU without devices). So one
would have to use QEMU with one device after another and see which new
syscalls are required due to a specific device (syscall auditing), then
add the array of syscalls to a device's TypeInfo structure and collect
them this way. If a device's code was to change, you'd have to do it
again. So I think it would be a lot of work all the time.
Stefan
>
> Stefan
>
> Regards,
> Daniel
>
>
> --
> libvir-list mailing list
> libvir-list at redhat.com <mailto:libvir-list at redhat.com>
> https://www.redhat.com/mailman/listinfo/libvir-list
>
>
> Regards,
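The auditing step described above (trace base QEMU, trace QEMU with one device added, attribute the new syscalls to that device) can be scripted. The following is an added example written for this archive page, not code from the libvirt thread or from QEMU: it parses strace-style output, computes the per-device syscall delta against the base trace, builds the allow-list for a given set of active devices, and renders the delta as a C array of the kind that could sit next to a device's TypeInfo. The trace lines are constructed and the device names, the array naming and the `syscall_allowlist` field are assumptions. A trace only covers the code paths that were exercised, so the output is a lower bound and must be regenerated whenever the device code changes, which is exactly the maintenance cost the message points out.

```python
"""Derive per-device syscall allow-lists from strace-style traces.

Added example (not part of the libvirt thread and not QEMU code). The
traces below are constructed; real ones would come from tracing QEMU
with and without the device in question.
"""
import re
from typing import Dict, List, Set

# One syscall per line: "name(args) = retval", optionally prefixed by
# "[pid NNN] ". Lines such as "+++ exited with 0 +++" or "--- SIGCHLD ---"
# do not match and are ignored.
_CALL = re.compile(r"^(?:\[pid\s+\d+\]\s+)?([a-z_][a-z0-9_]*)\(")

# Constructed trace of 'base' QEMU (no devices attached).
BASE_TRACE = """\
execve("/usr/bin/qemu-system-x86_64", ["qemu-system-x86_64"], 0x7ffd) = 0
brk(NULL) = 0x55d0c8d2a000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1
openat(AT_FDCWD, "/dev/kvm", O_RDWR|O_CLOEXEC) = 3
ioctl(3, KVM_CREATE_VM, 0) = 4
read(0, "", 1024) = 0
+++ exited with 0 +++
"""

# Constructed traces of base QEMU plus exactly one device each.
DEVICE_TRACES: Dict[str, str] = {
    "virtio-net": BASE_TRACE + """\
[pid  1234] openat(AT_FDCWD, "/dev/net/tun", O_RDWR) = 5
[pid  1234] ioctl(5, TUNSETIFF, 0x7ffd) = 0
[pid  1234] socket(AF_UNIX, SOCK_STREAM, 0) = 6
[pid  1234] sendmsg(6, {msg_iov=[]}, 0) = 32
--- SIGCHLD {si_signo=SIGCHLD} ---
""",
    "usb-tablet": BASE_TRACE + """\
poll([{fd=3, events=POLLIN}], 1, 1000) = 1
read(3, "\\x01", 8) = 8
""",
}


def syscalls_in(trace: str) -> Set[str]:
    """Return the set of syscall names that appear in an strace-style trace."""
    names: Set[str] = set()
    for line in trace.splitlines():
        m = _CALL.match(line.strip())
        if m:
            names.add(m.group(1))
    return names


def device_deltas(base: str, per_device: Dict[str, str]) -> Dict[str, Set[str]]:
    """Syscalls each device needs beyond what base QEMU already uses."""
    base_set = syscalls_in(base)
    return {dev: syscalls_in(t) - base_set for dev, t in per_device.items()}


def allowlist(base: str, per_device: Dict[str, str], active: List[str]) -> Set[str]:
    """Allow-list for a VM with the given active devices (base + each delta).

    A device that was never audited raises KeyError: fail closed rather than
    silently running it with an incomplete list.
    """
    deltas = device_deltas(base, per_device)
    allowed = set(syscalls_in(base))
    for dev in active:
        allowed |= deltas[dev]
    return allowed


def c_array(dev: str, calls: Set[str]) -> str:
    """Render a device's delta as a C initializer (hypothetical TypeInfo field)."""
    ident = dev.replace("-", "_")
    body = ", ".join(f'"{c}"' for c in sorted(calls))
    return (f"static const char *{ident}_syscalls[] = {{ {body}, NULL }};\n"
            f"/* assumed: .syscall_allowlist = {ident}_syscalls in TypeInfo */")


if __name__ == "__main__":
    for dev, calls in device_deltas(BASE_TRACE, DEVICE_TRACES).items():
        print(c_array(dev, calls))
    print(sorted(allowlist(BASE_TRACE, DEVICE_TRACES, ["virtio-net"])))
```

Running the script prints one C array per audited device and the combined allow-list for a VM that has only virtio-net active; `poll` from the usb-tablet trace is correctly left out of that list.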