Message-ID: <52A76216.7090303@redhat.com>
Date: Tue, 10 Dec 2013 16:48:54 -0200
From: Lucas Meneghel Rodrigues
References: <1386609652-7876-1-git-send-email-otubo@linux.vnet.ibm.com> <20131209173330.GG22114@redhat.com> <52A60328.6020102@linux.vnet.ibm.com> <52A68867.4080309@linux.vnet.ibm.com>
In-Reply-To: <52A68867.4080309@linux.vnet.ibm.com>
Subject: Re: [Qemu-devel] [PATCH] seccomp: "-sandbox on" won't kill Qemu when option not built in
To: Corey Bryant, Eduardo Otubo, "Daniel P. Berrange"
Cc: pmoore@redhat.com, qemu-devel@nongnu.org, anthony@codemonkey.ws

On 12/10/2013 01:20 AM, Corey Bryant wrote:
>>> IMHO the test suite should probe to see if sandbox is working or not,
>>> and
>>> just not use the "-sandbox on" arg if the host doesn't support it.
>>
>> But I think this could be done on virt-test as well :)
>>
>
> This would make sense.
>
> Although it sounds like Lucas was looking for an error message when
> seccomp kills qemu. Maybe virt-test could grep the audit log for the
> existence of a "type=SECCOMP" record within the test's time of
> execution, and issue a message based on that.

It's a valid idea. The problem I see with it is that not every distro out there uses SELinux.
Not getting into the merits of whether they should, ideally it'd be nice to have this working on distros that won't use SELinux.
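The audit-log check Corey suggests in the quoted text, worked through as an added example that is not part of this thread, of virt-test, or of QEMU. It assumes the host runs the kernel audit daemon and writes records to /var/log/audit/audit.log in the usual `type=... msg=audit(<epoch>:<serial>): k=v ...` form; the log lines below are constructed for the example, and the syscall-name table covers only a few x86_64 numbers. A harness would record a timestamp before starting qemu, another after it exits, and pass the two as the window.

```python
"""Find seccomp kills of qemu in a kernel audit log within a test's time window.

Added example for the virt-test discussion, not project code. Assumes auditd is
running and that SECCOMP records look like (constructed sample below):
  type=SECCOMP msg=audit(<epoch.ms>:<serial>): ... pid=N comm="qemu-kvm" sig=31 arch=c000003e syscall=41 ...
"""
import re
from typing import Dict, List, Optional

# Leading part of every audit record: type, timestamp and serial number.
_RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<fields>.*)$'
)
# key=value pairs; values may be quoted strings containing spaces.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Partial table for arch=c000003e (x86_64) only; other arches are left as numbers.
_X86_64_SYSCALLS = {"0": "read", "1": "write", "2": "open", "41": "socket",
                    "42": "connect", "59": "execve"}

# Constructed sample log: one unrelated SYSCALL record, one seccomp kill of
# qemu-kvm inside the window used in the usage below, one kill of another
# process inside the window, one kill of qemu-kvm outside the window.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1386614900.100:1000): arch=c000003e syscall=59 success=yes exit=0 pid=12345 comm="qemu-kvm"
type=SECCOMP msg=audit(1386614934.123:1001): auid=4294967295 uid=107 gid=107 ses=4294967295 pid=12345 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" sig=31 arch=c000003e syscall=41 compat=0 ip=0x7f3c2a1b1c2d code=0x0
type=SECCOMP msg=audit(1386614950.500:1002): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=99 comm="other" exe="/usr/bin/other" sig=31 arch=c000003e syscall=2 compat=0 ip=0x4 code=0x0
type=SECCOMP msg=audit(1386615100.000:1003): auid=4294967295 uid=107 gid=107 ses=4294967295 pid=12346 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" sig=31 arch=c000003e syscall=2 compat=0 ip=0x4 code=0x0
"""


def parse_audit_record(line: str) -> Optional[Dict[str, object]]:
    """Parse one audit line into a dict; None for lines that are not audit records."""
    m = _RECORD_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = {
        "type": m.group("type"),
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
    }
    for key, value in _FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    return rec


def seccomp_kills(log_text: str, start: float, end: float,
                  comm: Optional[str] = None) -> List[Dict[str, object]]:
    """Return SECCOMP records with start <= timestamp <= end, optionally for one comm."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_audit_record(line)
        if rec is None or rec["type"] != "SECCOMP":
            continue
        if not (start <= rec["ts"] <= end):
            continue
        if comm is not None and rec.get("comm") != comm:
            continue
        hits.append(rec)
    return hits


def explain_seccomp_kill(rec: Dict[str, object]) -> str:
    """Build the message a test harness could emit for one SECCOMP record."""
    syscall = str(rec.get("syscall", "?"))
    name = _X86_64_SYSCALLS.get(syscall, "?") if rec.get("arch") == "c000003e" else "?"
    # sig=31 is SIGSYS: the filter killed the process. sig=0 means the record
    # was only logged and the process continued, so do not report it as a kill.
    action = "was killed" if str(rec.get("sig")) == "31" else "was logged but not killed"
    return ("seccomp: %s (pid %s) %s on syscall %s (%s) at audit time %.3f"
            % (rec.get("comm"), rec.get("pid"), action, syscall, name, rec["ts"]))


if __name__ == "__main__":
    # Usage: window recorded around the qemu run, filtered to the qemu binary name.
    for hit in seccomp_kills(SAMPLE_AUDIT_LOG, 1386614930.0, 1386614960.0, comm="qemu-kvm"):
        print(explain_seccomp_kill(hit))
```

Filtering by comm (or better, by the pid the harness spawned) matters because other sandboxed processes on the host can produce SECCOMP records in the same window, as the second sample record shows. The check is only as good as the audit daemon: on a host where auditd is absent or not running, the absence of a record proves nothing, so a harness should treat an empty result as "unknown" rather than "qemu was not killed by seccomp".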