Re: [libvirt] [PATCHv2 0/4] qemu: enable sandbox whitelist by default
On Tue, Apr 10, 2018 at 04:49:38PM +0200, Ján Tomko wrote:
v1:
https://www.redhat.com/archives/libvir-list/2018-March/msg01965.html
https://bugzilla.redhat.com/show_bug.cgi?id=1492597
v2:
* also deny resource control
* split out and refactor the command line building
* be explicit about denying the obsolete syscalls
Ján Tomko (4):
Introduce QEMU_CAPS_SECCOMP_BLACKLIST
Introduce qemuBuildSeccompSandboxCommandLine
Refactor qemuBuildSeccompSandboxCommandLine
qemu: deny privilege elevation and spawn in seccomp
Thank you for the reviews, I have rebased the patches to get rid of the
old SECCOMP_SANDBOX capability and pushed the series.
Jano
Attachments:
- signature.asc (application/pgp-signature — 833 bytes)