On 09/17/2013 11:43 AM, Paul Moore wrote:
On Tuesday, September 17, 2013 02:06:06 PM Daniel P. Berrange wrote:
On Tue, Sep 17, 2013 at 10:01:23AM -0300, Eduardo Otubo wrote:
Paul, what exactly are you planning to add to libvirt? I'm not a big
fan of using qemu command line to pass syscalls for blacklist as
arguments, but I can't see other way to avoid problems (like -net
bridge / -net tap) from happening.
At present, and as far as I'm concerned pretty much everything is open
discussion, the code works similar to the libvirt network filters.
a separate XML configuration file which defines the filter and you
that filter from the domain's XML configuration. When a QEMU/KVM or
domain starts it uses libseccomp to create the seccomp filter and then
it into the kernel after the fork but before the domain is exec'd.
Clever approach. I tihnk a possible way to do this is something like:
[,whitelist=qemu_whitelist.conf] will override default whitelist filter
[,blacklist=blacklist.conf] will override default blacklist filter
But when we add seccomp support for qemu on libvirt, we make sure to
just add -sandbox off and use Paul's approach.
Is that a reasonable approach? What do you think?