From: Eduardo Otubo
Subject: Re: [Qemu-devel] [PATCH for-1.7] seccomp: setting "-sandbox on" by default
Date: Wed, 04 Dec 2013 11:17:34 -0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130912 Thunderbird/17.0.9

The existing approach clearly doesn't support the full range of options that users specify on the command-line.

Bugs. It will get fixed in time with more testing/debugging. Eduardo is working on improving the testing and RH's QA folks are working hard to shake out the bugs too. I just posted another bug fix patch to the whitelist a few days ago.

Exactly, I'm working closely with the virt-test team to improve the testing and feedback for possible illegal syscalls on various scenarios.

So I guess the options are: 1. Don't make it the default since it breaks stuff but use it for very specific scenarios (e.g. libvirt use cases that have been well tested).

In my opinion, I think it was probably a bit premature to enable it by default, but at some point in the future I think we do need to do this.

I have to admit it was a little premature, yes. But I think once we have a stable set of tools in virt-test, we can turn it on by default in the near future.

2. Provide a kind of syscall set for various QEMU options and apply the union of them at launch. This still seems fragile but in theory it could work.

This is what I was discussing above. I think this is likely the next big improvement.

That's the feature I'm currently working on right now. We'll see some improvements in the future. :)
-- Eduardo Otubo IBM Linux Technology Center
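
Option 2 from the thread (per-option syscall sets, unioned at launch), sketched as an added example that is not code from this thread or from QEMU. The option flags and the syscall lists are hypothetical and constructed for illustration; a real filter would be installed through seccomp rather than checked in user space.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>

#define MAX_SYSCALL 1024
/* Hypothetical option flags, not QEMU's real option handling. */
enum { OPT_BASE = 1 << 0, OPT_NET = 1 << 1, OPT_AIO = 1 << 2 };
/* Constructed per-option syscall lists, for illustration only. */
static const long base_nrs[] = { SYS_read, SYS_write, SYS_ioctl, SYS_exit_group };
static const long net_nrs[]  = { SYS_socket, SYS_connect, SYS_sendmsg, SYS_recvmsg };
static const long aio_nrs[]  = { SYS_io_setup, SYS_io_submit, SYS_io_getevents };

#define SET(o, a) { o, a, sizeof(a) / sizeof((a)[0]) }
static const struct { unsigned opt; const long *nrs; size_t count; } sets[] = {
    SET(OPT_BASE, base_nrs), SET(OPT_NET, net_nrs), SET(OPT_AIO, aio_nrs),
};

/* Fill allow[] with the union of the sets of every enabled option and
 * return the number of distinct syscalls allowed. */
size_t build_whitelist(unsigned enabled, bool allow[MAX_SYSCALL])
{
    size_t n = 0;
    memset(allow, 0, MAX_SYSCALL * sizeof(bool));
    for (size_t i = 0; i < sizeof(sets) / sizeof(sets[0]); i++) {
        if (!(enabled & sets[i].opt))
            continue;  /* option not requested: its syscalls stay denied */
        for (size_t j = 0; j < sets[i].count; j++) {
            long nr = sets[i].nrs[j];
            if (nr >= 0 && nr < MAX_SYSCALL && !allow[nr]) {
                allow[nr] = true;
                n++;
            }
        }
    }
    return n;
}

bool syscall_allowed(const bool allow[MAX_SYSCALL], long nr)
{
    return nr >= 0 && nr < MAX_SYSCALL && allow[nr];
}

int main(void)
{
    bool allow[MAX_SYSCALL];
    printf("%zu syscalls allowed\n", build_whitelist(OPT_BASE | OPT_NET, allow));
    return syscall_allowed(allow, SYS_io_submit);  /* 0: AIO was not enabled */
}
```

The fragility mentioned in the thread shows up as soon as a code path needs a syscall that its option's list omits: the union never contains it, so the call is refused at run time.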