
Re: [Qemu-devel] [PATCH] seccomp: "-sandbox on" won't kill Qemu when opt


From: Lucas Meneghel Rodrigues
Subject: Re: [Qemu-devel] [PATCH] seccomp: "-sandbox on" won't kill Qemu when option not built in
Date: Tue, 10 Dec 2013 18:13:03 -0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0

On 12/10/2013 05:31 PM, Paul Moore wrote:
On Tuesday, December 10, 2013 04:48:54 PM Lucas Meneghel Rodrigues wrote:
On 12/10/2013 01:20 AM, Corey Bryant wrote:
IMHO the test suite should probe to see if sandbox is working or not, and
just not use the "-sandbox on" arg if the host doesn't support it.

But I think this could be done on virt-test as well :)

This would make sense.

Although it sounds like Lucas was looking for an error message when
seccomp kills qemu.  Maybe virt-test could grep the audit log for the
existence of a "type=SECCOMP" record within the test's time of
execution, and issue a message based on that.

It's a valid idea. The problem I see with it is that not every distro
out there uses SELinux. Not getting into the merits of whether they
should, ideally it'd be nice to have this working on distros that won't
use SELinux.

Minor point of clarification, but audit and SELinux are independent subsystems
in the kernel.

Also, and I don't have a non-audit kernel built at the moment to verify this,
but on non-audit kernels the audit messages should be sent to syslog so you
*should* still be able to search for SECCOMP records regardless.

Ok, my bad, thanks for the clarification! We'll look into checking the audit log.
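Paul's suggestion of searching the audit log for a "type=SECCOMP" record inside the test's time window, written out as an added example (not code from the thread, from virt-test or from QEMU): a small Python checker that accepts lines from either the audit log or, for the non-audit-kernel case Paul mentions, syslog/dmesg, keeps only the SECCOMP records that fall in the window and reports what got killed. The sample log lines, PIDs, timestamps and the window itself are constructed.

```python
import re

# Matches both an audit-log record ("type=SECCOMP msg=audit(...)") and the
# syslog/dmesg form the kernel emits when no audit daemon is listening
# ("... audit: type=1326 audit(...)"); 1326 is the numeric AUDIT_SECCOMP type.
LINE_RE = re.compile(
    r'(?:.*?\baudit: )?type=(?P<type>\w+) (?:msg=)?'
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SECCOMP_TYPES = {"SECCOMP", "1326"}

def parse_audit_line(line):
    """Return a dict of the record's fields, or None for non-audit lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = {"type": m.group("type"), "time": float(m.group("ts")),
           "serial": int(m.group("serial"))}
    rec.update((k, v.strip('"')) for k, v in FIELD_RE.findall(m.group("rest")))
    return rec

def seccomp_kills(lines, start, end, comm=None):
    """SECCOMP records whose timestamp lies in [start, end] (epoch seconds),
    optionally restricted to one process name (the audit 'comm' field)."""
    hits = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or rec["type"] not in SECCOMP_TYPES:
            continue
        if not start <= rec["time"] <= end:
            continue
        if comm is not None and rec.get("comm") != comm:
            continue
        hits.append(rec)
    return hits

def describe(rec):
    """One-line message a test harness could emit; sig=31 is SIGSYS on x86_64."""
    return ("seccomp killed pid %s (%s) with signal %s on syscall %s, arch %s"
            % (rec.get("pid"), rec.get("comm"), rec.get("sig"),
               rec.get("syscall"), rec.get("arch")))

# Constructed sample, not a real capture: three record shapes around a test window.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1386700002.100:300): arch=c000003e syscall=59 success=yes exit=0 pid=4100 comm="bash" exe="/bin/bash"
type=SECCOMP msg=audit(1386700003.231:301): auid=1000 uid=107 gid=107 ses=4 pid=4242 comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" sig=31 arch=c000003e syscall=101 compat=0 ip=0x7f3c2a1b2c3d code=0x0
Dec 10 18:13:05 host kernel: [  512.123456] audit: type=1326 audit(1386700004.512:302): auid=1000 uid=107 gid=107 ses=4 pid=4243 comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" sig=31 arch=c000003e syscall=2 compat=0 ip=0x7f3c2a1b2c3d code=0x0
type=SECCOMP msg=audit(1386700900.000:350): auid=1000 uid=1000 gid=1000 ses=4 pid=5000 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=c000003e syscall=41 compat=0 ip=0x7f0000000000 code=0x0
"""

if __name__ == "__main__":
    for rec in seccomp_kills(SAMPLE_LOG.splitlines(), 1386700000, 1386700010):
        print(describe(rec))
```

Filtering on comm as well as the time window keeps a SECCOMP kill of some unrelated confined process on the host from being blamed on the QEMU under test.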




