Re: [Qemu-devel] [PATCHv2 2/3] seccomp: adding command line support for blacklist

[Eduardo Otubo <otubo@linux.vnet.ibm.com>]

On 09/11/2013 01:49 PM, Daniel P. Berrange wrote:
> On Wed, Sep 11, 2013 at 12:45:54PM -0400, Corey Bryant wrote:
>>
>>
>> On 09/06/2013 03:21 PM, Eduardo Otubo wrote:
>>> New command line options for the seccomp blacklist feature:
>>>
>>>   $ qemu -sandbox on[,strict=<on|off>]
>>>
>>> The strict parameter will turn on or off the new system call blacklist
>>
>> I mentioned this before but I'll say it again since I think it needs
>> to be discussed.  Since this regresses support (it'll prevent -net
>> bridge and -net tap from using execv) the concern I have with the
>> strict=on|off option is whether or not we will have the flexibility
>> to modify the blacklist once QEMU is released with this support.  Of
>> course we should be able to add more syscalls to the blacklist as
>> long as they don't regress QEMU functionality.  But if we want to
>> add a syscall that does regress QEMU functionality, I think we'd
>> have to add a new command line option, which doesn't seem desirable.
>>
>> So a more flexible approach may be necessary.  Maybe the blacklist
>> should be passed on the command line, which would enable it to be
>> defined by libvirt and passed to QEMU.  I know Paul is working on
>> something for libvirt so maybe that answers this question.

Paul, what exactly are you planning to add to libvirt? I'm not a big fan 
of using qemu command line to pass syscalls for blacklist as arguments, 
but I can't see other way to avoid problems (like -net bridge / -net 
tap) from happening.

>
> On the face of it, I'm not at all a fan of the idea of libvirt having
> to pass a syscall whitelist/blacklist to QEMU. IMHO that would be
> exposing too much knowledge of QEMU impl details to libvirt.
>
> Daniel
>

-- 
Eduardo Otubo
IBM Linux Technology Center