Re: [Qemu-devel] [PATCH] seccomp: "-sandbox on" won't kill Qemu when opt


From: Paul Moore
Subject: Re: [Qemu-devel] [PATCH] seccomp: "-sandbox on" won't kill Qemu when option not built in
Date: Tue, 10 Dec 2013 14:31:28 -0500
User-agent: KMail/4.11.3 (Linux/3.12.1-gentoo; KDE/4.11.3; x86_64; ; )

On Tuesday, December 10, 2013 04:48:54 PM Lucas Meneghel Rodrigues wrote:
> On 12/10/2013 01:20 AM, Corey Bryant wrote:
> >>> IMHO the test suite should probe to see if sandbox is working or not,
> >>> and
> >>> just not use the "-sandbox on" arg if the host doesn't support it.
> >> 
> >> But I think this could be done on virt-test as well :)
> > 
> > This would make sense.
> > 
> > Although it sounds like Lucas was looking for an error message when
> > seccomp kills qemu.  Maybe virt-test could grep the audit log for the
> > existence of a "type=SECCOMP" record within the test's time of
> > execution, and issue a message based on that.
> 
> It's a valid idea. The problem I see with it is that not every distro
> out there uses SELinux. Not getting into the merits of whether they
> should, ideally it'd be nice to have this working on distros that won't
> use SELinux.

Minor point of clarification, but audit and SELinux are independent subsystems 
in the kernel.

Also, and I don't have a non-audit kernel built at the moment to verify this, 
but on non-audit kernels the audit messages should be sent to syslog so you 
*should* still be able to search for SECCOMP records regardless.

-- 
paul moore
security and virtualization @ redhat
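Corey's suggestion above (look in the audit log for a `type=SECCOMP` record stamped within the test's run time) and Paul's note that the same records land in syslog on kernels without auditd can be combined into one small checker. The following is an added example written for this thread; it is not code from virt-test, qemu or any of the posters. The log lines are constructed samples in the two layouts the kernel actually emits (the auditd `type=SECCOMP msg=audit(...)` form and the printk `audit: type=1326 audit(...)` form, 1326 being the numeric id of `AUDIT_SECCOMP`), and the test window timestamps are likewise made up.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Numeric id the kernel prints for AUDIT_SECCOMP records when they go to
# syslog/dmesg instead of auditd (auditd writes the text form "SECCOMP").
AUDIT_SECCOMP_TYPE = 1326

# One regex covers both record layouts:
#   auditd log : type=SECCOMP msg=audit(1386700888.123:4567): auid=... pid=...
#   syslog     : ... kernel: audit: type=1326 audit(1386700888.456:4568): auid=... pid=...
_RECORD_RE = re.compile(
    r"type=(?P<type>SECCOMP|%d)\s+(?:msg=)?audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
    % AUDIT_SECCOMP_TYPE
)
# key=value pairs; values are either double-quoted (comm, exe) or bare tokens.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class SeccompEvent:
    timestamp: float        # seconds since the epoch, from the audit(...) stamp
    serial: int             # audit event serial number
    pid: int
    comm: str
    syscall: Optional[int]  # syscall number in the arch's table, if present
    sig: Optional[int]      # signal delivered; 31 is SIGSYS on x86_64
    raw: str


def parse_seccomp_record(line: str) -> Optional[SeccompEvent]:
    """Return a SeccompEvent for a SECCOMP audit record, or None for any other line."""
    m = _RECORD_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(m.group("body"))}
    if "pid" not in fields:
        return None

    def as_int(key: str) -> Optional[int]:
        return int(fields[key]) if key in fields else None

    return SeccompEvent(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        pid=int(fields["pid"]),
        comm=fields.get("comm", "?"),
        syscall=as_int("syscall"),
        sig=as_int("sig"),
        raw=line.rstrip("\n"),
    )


def find_seccomp_kills(lines: Iterable[str], start: float, end: float,
                       pid: Optional[int] = None) -> List[SeccompEvent]:
    """Collect SECCOMP records stamped within [start, end], optionally for one pid."""
    hits = []
    for line in lines:
        ev = parse_seccomp_record(line)
        if ev is None or not (start <= ev.timestamp <= end):
            continue
        if pid is not None and ev.pid != pid:
            continue
        hits.append(ev)
    return hits


def describe(ev: SeccompEvent) -> str:
    """Summary a test harness can print instead of reporting a silent qemu death."""
    return (f"seccomp terminated pid {ev.pid} ({ev.comm}) at audit time {ev.timestamp:.3f}: "
            f"syscall={ev.syscall} sig={ev.sig}")


# Constructed sample log lines (not real captures): a non-SECCOMP record, one
# auditd-style and one syslog-style SECCOMP record inside the window, and one
# SECCOMP record from a later process outside the window.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1386700880.000:4566): arch=c000003e syscall=59 success=yes exit=0 pid=31337 comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64"
type=SECCOMP msg=audit(1386700888.123:4567): auid=1000 uid=1000 gid=1000 ses=2 pid=31337 comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" sig=31 arch=c000003e syscall=41 compat=0 ip=0x7f1b2c3d4e5f code=0x0
Dec 10 14:31:29 vthost kernel: audit: type=1326 audit(1386700889.456:4568): auid=1000 uid=1000 gid=1000 ses=2 pid=31400 comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" sig=31 arch=c000003e syscall=322 compat=0 ip=0x7f1b2c3d4e60 code=0x0
type=SECCOMP msg=audit(1386701000.000:4600): auid=1000 uid=1000 gid=1000 ses=2 pid=31999 comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" sig=31 arch=c000003e syscall=41 compat=0 ip=0x7f1b2c3d4e61 code=0x0
"""

# Constructed test window: the wall-clock span during which the test ran qemu.
TEST_START, TEST_END = 1386700885.0, 1386700900.0


if __name__ == "__main__":
    for ev in find_seccomp_kills(SAMPLE_LOG.splitlines(), TEST_START, TEST_END):
        print(describe(ev))
```

In practice the harness would record the start and end times around the qemu run, feed either `/var/log/audit/audit.log` or the syslog/`dmesg` output to `find_seccomp_kills`, pass qemu's pid to avoid picking up unrelated confined processes, and turn any hit into a clear failure message that names the blocked syscall number rather than leaving the tester to guess why qemu vanished.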



