From: Paul Moore
Date: Wed, 18 Sep 2013 11:53:09 -0400
Message-ID: <2039552.W30lFNyjSm@sifl>
In-Reply-To: <20130918073817.GB20659@redhat.com>
References: <1378495308-24560-1-git-send-email-otubo@linux.vnet.ibm.com> <5238AAC8.4060205@linux.vnet.ibm.com> <20130918073817.GB20659@redhat.com>
Subject: Re: [Qemu-devel] [PATCHv2 2/3] seccomp: adding command line support for blacklist
To: "Daniel P. Berrange"
Cc: Corey Bryant, qemu-devel@nongnu.org, Eduardo Otubo

On Wednesday, September 18, 2013 08:38:17 AM Daniel P. Berrange wrote:
> Libvirt does not want to be in the business of creating seccomp syscall
> filters for QEMU. As mentioned before, IMHO that places an unacceptable
> burden on libvirt to know about the syscalls each particular version
> of QEMU requires for its operation.

At a high level, I don't see how libvirt configuring and installing a syscall filter is substantially different from libvirt configuring and installing a network filter.

Also, and I recognize this is diverting away from a topic most of qemu-devel is not interested in, what about libvirt-lxc? What about all of the other virtualization drivers supported by libvirt (granted, not all would be candidates for syscall filtering, but you get the idea)?

-- 
paul moore
security and virtualization @ redhat