On 09/03/2012 03:07 PM, Doug Goldstein wrote:
On Mon, Sep 3, 2012 at 7:03 AM, Ján Tomko <jtomko@redhat.com> wrote:
QEMU (since 1.2-rc0) supports setting up a syscall whitelist through libseccomp on linux kernel from 3.5-rc1. This is enabled by specifying -sandbox on on qemu command line.
<snip>
There's a big push to not rely on -help scraping, please work with qemu upstream to get this exposed through the QMP and query for the capability that way.
We already agreed upstream that 1.2 and older can use -help scraping, and that 1.3 and newer will assume that all features present in 1.2 are still present, and that QMP queries will supply the rest. Therefore, I'm okay with -help scraping for 1.2, and just blindly assuming that -sandbox exists if we detected version 1.3 through a QMP query. -- Eric Blake eblake@redhat.com +1-919-301-3266 Libvirt virtualization library http://libvirt.org