Thanks.
2014-12-12 17:06 GMT+01:00 Stefan Berger <stefanb(a)linux.vnet.ibm.com>:
On 12/12/2014 10:32 AM, Daniel P. Berrange wrote:
> On Fri, Dec 12, 2014 at 04:24:55PM +0100, Raymond Durand wrote:
>
>> Thanks.
>>
>> How are the rules managed so as to fit the VM system calls?
>> Is tuning possible? Recommended?
>>
> QEMU has a built-in policy that adds rules for every conceivable
> function that QEMU might need to execute. Given that is quite
> broad, the security benefit from seccomp enablement is quite low
> IMHO
>
Base code and (active) devices would each have to report what syscalls
they need so this list could be reduced to the minimum ...
"Could be reduced": how? Do you have in mind selecting the appropriate
active devices at initialization time?
Stefan
Regards,
> Daniel
>
Regards,