From mboxrd@z Thu Jan  1 00:00:00 1970
From: Anthony Liguori <anthony@codemonkey.ws>
Subject: Re: [Qemu-devel] KVM call agenda for Novemeber 22
Date: Mon, 21 Nov 2011 14:43:45 -0600
Message-ID: <4ECAB801.5090708@codemonkey.ws>
References: <87aa7pfosp.fsf@neno.neno>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: KVM devel mailing list <kvm@vger.kernel.org>,
	Developers qemu-devel <qemu-devel@nongnu.org>
To: quintela@redhat.com
Return-path: <kvm-owner@vger.kernel.org>
Received: from mail-gx0-f174.google.com ([209.85.161.174]:43535 "EHLO
	mail-gx0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753457Ab1KUUnv (ORCPT <rfc822;kvm@vger.kernel.org>);
	Mon, 21 Nov 2011 15:43:51 -0500
Received: by ggnr5 with SMTP id r5so2780112ggn.19
        for <kvm@vger.kernel.org>; Mon, 21 Nov 2011 12:43:50 -0800 (PST)
In-Reply-To: <87aa7pfosp.fsf@neno.neno>
Sender: kvm-owner@vger.kernel.org
List-ID: <kvm.vger.kernel.org>

On 11/21/2011 10:00 AM, Juan Quintela wrote:
>
> Hi
>
> Please send in any agenda items you are interested in covering.

I'm technical on holiday this week so I won't be attending.

But as an FYI, I ran across seccomp-nurse[1] this weekend.  It more or less 
let's you write a python program to implement a userspace syscall whitelist.

I haven't looked at the code close enough yet, but I think the technique it uses 
is to create a companion thread along side the sandbox thread.  This thread only 
runs code in an area mapped read-only and presumably only uses thread local storage.

The companion thread isn't running in the sandbox, but has the same resources as 
the sandbox thread so it can essentially invoke syscalls on behalf of the 
sandbox thread.

It's seriously non-portable.  In fact, it only works on 32-bit x86 Linux right 
now.  But it's worth looking into.

[1] http://chdir.org/~nico/seccomp-nurse/

Regards,

Anthony Liguori

>
> Later, Juan.
>