[libvirt] libseccomp and KVM

Daniel P. Berrange berrange at redhat.com
Fri Dec 12 17:24:51 UTC 2014


On Fri, Dec 12, 2014 at 06:12:40PM +0100, Raymond Durand wrote:
> Thanks.
> 
> 
> 2014-12-12 16:32 GMT+01:00 Daniel P. Berrange <berrange at redhat.com>:
> >
> > On Fri, Dec 12, 2014 at 04:24:55PM +0100, Raymond Durand wrote:
> > > Thanks.
> > >
> > > How are the rules managed so as to fit the VM system calls?
> > > Is tuning possible? recommended?
> >
> > QEMU has a built-in policy that adds rules for every conceivable
> > function that QEMU might need to execute. Given that is quite
> > broad, the security benefit from seccomp enablement is quit low
> > IMHO
> >
> >
> I see.
> Is it something like each QEMU device enabled comes along with a
> system-calls list ie. rules allowed?
> Is this list of rules loaded at each time the QEMU/KVM starts?

No, the list of rules was jsut figured out by trial & error, launching
QEMU with more rules until it stopped crashing with all tested configs.
No one has tried to figure out fine grained rules as it is an enourmous
task

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|




More information about the libvir-list mailing list