From: Eduardo Otubo <otubo@linux.vnet.ibm.com>
To: Paul Moore <pmoore@redhat.com>
Cc: Stefan Hajnoczi <stefanha@gmail.com>,
	coreyb@linux.vnet.ibm.com, qemu-devel <qemu-devel@nongnu.org>,
	Anthony Liguori <anthony@codemonkey.ws>
Subject: Re: [Qemu-devel] [PATCH for-1.7] seccomp: setting "-sandbox on" by default
Date: Wed, 04 Dec 2013 11:17:34 -0200	[thread overview]
Message-ID: <529F2B6E.9010102@linux.vnet.ibm.com> (raw)
In-Reply-To: <6388825.6pMDJVlAMn@sifl>

>
>> The existing approach clearly doesn't support the full range of options
>> that users specify on the command-line.
>
> Bugs.  It will get fixed in time with more testing/debugging.  Eduardo is
> working on improving the testing and RH's QA folks are working hard to shake
> out the bugs too.  I just posted another bug fix patch to the whitelist a few
> days ago.

Exactly, I'm working closely with the virt-test team to improve the testing
and feedback for possible illegal syscalls in various scenarios.

>
>> So I guess the options are:
>>
>> 1. Don't make it the default since it breaks stuff but use it for very
>> specific scenarios (e.g. libvirt use cases that have been well tested).
>
> In my opinion, I think it was probably a bit premature to enable it by
> default, but at some point in the future I think we do need to do this.

I have to admit it was a little premature, yes. But I think once we have
a stable set of tools in virt-test, we can turn it on by default in the
near future.

>
>> 2. Provide a kind of syscall set for various QEMU options and apply the
>> union of them at launch.  This still seems fragile but in theory it
>> could work.
>
> This is what I was discussing above.  I think this is likely the next big
> improvement.
>

That's the feature I'm currently working on. We'll see some
improvements in the future. :)


-- 
Eduardo Otubo
IBM Linux Technology Center
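The "syscall set per option, union applied at launch" idea from the quoted message, written out as an added example. This is not code from the thread, from the patch, or from QEMU: the option names ("net", "disk"), the syscall groupings, and the function names are assumptions chosen for illustration, and QEMU's real whitelist is not organised this way. The example builds a classic-BPF allowlist from the union, includes a small interpreter so the resulting filter can be checked before it is installed, and fails closed when an option has no known set. It assumes Linux on x86_64 or aarch64.

```c
/* Added example: per-option seccomp syscall sets merged at launch (hypothetical layout). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "this example only covers x86_64 and aarch64"
#endif

#define MAX_SYSCALLS 64

/* Hypothetical per-option sets. "base" is always included; the others are
 * added only when the matching command-line option is in use. */
struct feature_set { const char *option; const int *nrs; size_t count; };

static const int base_nrs[] = { SYS_read, SYS_write, SYS_exit_group, SYS_rt_sigreturn };
static const int net_nrs[]  = { SYS_socket, SYS_sendmsg, SYS_recvmsg, SYS_close };
static const int disk_nrs[] = { SYS_openat, SYS_pread64, SYS_pwrite64, SYS_fsync, SYS_close };

#define SET(name, arr) { name, arr, sizeof(arr) / sizeof((arr)[0]) }
static const struct feature_set features[] = { SET("base", base_nrs), SET("net", net_nrs), SET("disk", disk_nrs) };
#define N_FEATURES (sizeof(features) / sizeof(features[0]))

/* Append nr unless already present; returns the new length, or -1 if out[] is full. */
static int add_unique(int *out, int len, int cap, int nr)
{
    for (int i = 0; i < len; i++)
        if (out[i] == nr) return len;
    if (len >= cap) return -1;
    out[len] = nr;
    return len + 1;
}

static const struct feature_set *find_feature(const char *option)
{
    for (size_t i = 0; i < N_FEATURES; i++)
        if (strcmp(features[i].option, option) == 0) return &features[i];
    return NULL;
}

/* Union of "base" with the set of every enabled option. Fails closed: an option
 * without a known set returns -1 so the caller refuses to launch with a guessed list. */
int union_syscalls(const char **enabled, size_t n_enabled, int *out, int cap)
{
    int len = 0;
    for (size_t i = 0; i <= n_enabled; i++) {
        const struct feature_set *fs = find_feature(i == 0 ? "base" : enabled[i - 1]);
        if (!fs) return -1;
        for (size_t j = 0; j < fs->count; j++)
            if ((len = add_unique(out, len, cap, fs->nrs[j])) < 0) return -1;
    }
    return len;
}

/* Emit the allowlist as cBPF: wrong arch -> kill, listed nr -> allow, else kill.
 * Returns the instruction count, or -1 if prog[] is too small. */
int build_filter(const int *nrs, int n, struct sock_filter *prog, int cap)
{
    if (n + 6 > cap) return -1;
    int k = 0;
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (int i = 0; i < n; i++)   /* jt skips the remaining compares and the kill below */
        prog[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nrs[i], (unsigned)(n - i), 0);
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return k;
}

/* Interpreter for the opcode subset build_filter emits, so a filter can be
 * tested without installing it. Returns the SECCOMP_RET_* action. */
unsigned run_filter(const struct sock_filter *prog, int len, unsigned arch, int nr)
{
    unsigned acc = 0;
    for (int pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS: acc = in->k == offsetof(struct seccomp_data, arch) ? arch : (unsigned)nr; break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (acc == in->k) ? in->jt : in->jf; break;
        case BPF_RET | BPF_K: return in->k;
        default: return SECCOMP_RET_KILL;   /* unknown opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL;
}

/* Install on the calling process; irreversible, so do it after all setup is done. */
static int install_filter(struct sock_filter *prog, int len)
{
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;   /* required without CAP_SYS_ADMIN */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    const char *opts[] = { "net" };   /* stands in for the parsed command line */
    int nrs[MAX_SYSCALLS];
    struct sock_filter prog[MAX_SYSCALLS + 6];
    int n = union_syscalls(opts, 1, nrs, MAX_SYSCALLS);
    int len = n < 0 ? -1 : build_filter(nrs, n, prog, MAX_SYSCALLS + 6);
    if (len < 0) { fprintf(stderr, "unknown option or list too long\n"); return 1; }
    printf("%d syscalls allowed, %d BPF instructions\n", n, len);
    fflush(stdout);                 /* stdio's first use may fstat(); keep it before install */
    if (install_filter(prog, len) != 0) return 1;
    write(1, "sandboxed\n", 10);    /* write(2) is in the base set */
    _exit(0);                       /* exit_group(2) is too; skip libc's exit path */
}
```

The point of keeping the per-option sets separate is that the launch-time list is derived from what the command line actually enables rather than from one hand-maintained superset, and `run_filter` lets a test suite assert on the derived allowlist for each option combination without having to run a guest under it.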
