Ján Tomko <jtomko(a)redhat.com> writes:
On a Friday in 2023, Markus Armbruster wrote:
>> { "sandbox", NULL, QEMU_CAPS_SECCOMP_SANDBOX },
>
>Does option -sandbox exist?
>
>It does since v1.2. If CONFIG_SECCOMP is off, actually using it is a
>fatal error. Compiling out the option entirely would be more useful, I
>guess.
>
>Is this probe still useful?
I believe so.
libvirt adds '-sandbox on' to all VMs it runs, unless the option is not
available.
Some users wanted to run libvirt with QEMUs without libseccomp,
which resulted in the following QEMU commit.
  commit 0dd693ef1f15b6e9c4ba8b0118663e10338077cf
      sandbox: disable -sandbox if CONFIG_SECCOMP undefined
While using this option won't work if CONFIG_SECCOMP is off,
it should not show up in q-c-l-o so libvirt won't even try to use it.
You're right: the option exists regardless of CONFIG_SECCOMP, but it
shows up in q-c-l-o only when CONFIG_SECCOMP is on.
If I'm reading
  commit 90835c2b8127406615785a9d4348ffdf3c813c8a
      seccomp: convert to meson
correctly, then the whole softmmu/qemu-seccomp.c file is only compiled
if seccomp was found.
Jano
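
The probe discussed in this thread, sketched as an added example (not libvirt's or QEMU's code, and not from either poster): it reads a QMP query-command-line-options (q-c-l-o) reply and emits '-sandbox on' only when the option is listed. The two replies are constructed sample data, and the names probe_caps, sandbox_args and PROBES are hypothetical.

```python
import json

# Constructed q-c-l-o reply from a QEMU built with CONFIG_SECCOMP
# (parameter list abbreviated; sample data, not captured output).
REPLY_WITH_SECCOMP = json.dumps({"return": [
    {"option": "sandbox", "parameters": [
        {"name": "enable", "type": "boolean"},
        {"name": "obsolete", "type": "string"}]},
    {"option": "machine", "parameters": []},
]})
# Constructed reply from a build without libseccomp: no "sandbox" entry.
REPLY_WITHOUT_SECCOMP = json.dumps({"return": [
    {"option": "machine", "parameters": []},
]})

# (option, parameter or None, capability), modelled on the table row
# quoted at the top of the thread.
PROBES = [("sandbox", None, "QEMU_CAPS_SECCOMP_SANDBOX")]


def probe_caps(reply_text, probes=PROBES):
    """Return capabilities whose option (and parameter, if given) is listed."""
    reply = json.loads(reply_text)
    if "error" in reply or not isinstance(reply.get("return"), list):
        return set()  # no usable reply: treat every capability as absent
    listed = {}
    for entry in reply["return"]:
        names = {p.get("name") for p in entry.get("parameters", [])}
        listed.setdefault(entry.get("option"), set()).update(names)
    caps = set()
    for option, param, cap in probes:
        # A None parameter means "the option itself must be listed".
        if option in listed and (param is None or param in listed[option]):
            caps.add(cap)
    return caps


def sandbox_args(caps):
    """Emit '-sandbox on' only when the probe saw the option."""
    return ["-sandbox", "on"] if "QEMU_CAPS_SECCOMP_SANDBOX" in caps else []
```

An empty result means the guest would start without the seccomp filter, so a caller that requires the sandbox should treat it as an error instead of silently dropping the argument.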