Re: [libvirt] libseccomp and KVM
Thanks.
2014-12-12 16:32 GMT+01:00 Daniel P. Berrange <berrange(a)redhat.com>:
On Fri, Dec 12, 2014 at 04:24:55PM +0100, Raymond Durand wrote:
> Thanks.
>
> How are the rules managed so as to fit the VM system calls?
> Is tuning possible? recommended?
QEMU has a built-in policy that adds rules for every conceivable
function that QEMU might need to execute. Given that is quite
broad, the security benefit from seccomp enablement is quit low
IMHO
I see.
Is it something like each QEMU device enabled comes along with a
system-calls list ie. rules allowed?
Is this list of rules loaded at each time the QEMU/KVM starts?
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/
:|
|: http://libvirt.org -o- http://virt-manager.org
:|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/
:|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc
:|
Regards,
Attachments:
- attachment.html (text/html — 2.1 KB)