Re: [libvirt] Seccomp profile for swtpm as default
On 3/14/19 5:59 AM, Daniel P. Berrangé wrote:
On Wed, Mar 13, 2019 at 03:43:13PM -0400, Stefan Berger wrote:
> Hello!
>
> If you have some feedback regarding a seccomp profile extension for swtpm
> for v0.2, please let me know. I created this github issue here:
>
>
> https://github.com/stefanberger/swtpm/issues/115
>
>
> Basically the choice is whether to make the creation of the seccomp profile
> a default behavior or have the caller explicitly pass the '--seccomp
> profile=default' on the command line, which then in turn would require
> libvirt for example to check whether this current version of swtpm supports
> the feature either by swtpm version or by strstr() the help page.
In QEMU we can't enable seccomp by default because its wide range of
features means any default profile would be effectively useless. Libvirt
knows that it uses a restricted set of QEMU features, so it can enable
a more useful seccomp by default.
I think swtpm won't have this complexity problem. Its functionality is
relatively narrow & well understood & so it is practical to define a
good seccomp profile & use that by default. So personally I'd merely
provide an opt-out to turn it off unless you think this is likely to
break something important.
Thanks. What makes me a bit hesitant now to activate it is the fact that
I found several unexpected syscalls in places like openssl DRBG and
glibc. The latter for example uses some #define ARCH_FORK (iirc), which
was not fork or vfork but clone on F29. It will obviously break if it is
something different on another machine or if it runs into branches that
I haven't exercised with the limited coverage the test suite I have
provides...
Stefan
Regards,
Daniel