From: Eduardo Otubo
Date: Tue, 10 Dec 2013 17:35:33 -0200
Subject: Re: [Qemu-devel] [PATCH] seccomp: "-sandbox on" won't kill Qemu when option not built in
To: Lucas Meneghel Rodrigues
Cc: pmoore@redhat.com, Corey Bryant, qemu-devel@nongnu.org, anthony@codemonkey.ws
Message-ID: <52A76D05.2050906@linux.vnet.ibm.com>
In-Reply-To: <52A76216.7090303@redhat.com>
References: <1386609652-7876-1-git-send-email-otubo@linux.vnet.ibm.com> <20131209173330.GG22114@redhat.com> <52A60328.6020102@linux.vnet.ibm.com> <52A68867.4080309@linux.vnet.ibm.com> <52A76216.7090303@redhat.com>

On 12/10/2013 04:48 PM, Lucas Meneghel Rodrigues wrote:
> On 12/10/2013 01:20 AM, Corey Bryant wrote:
>>>> IMHO the test suite should probe to see if sandbox is working or not,
>>>> and just not use the "-sandbox on" arg if the host doesn't support it.
>>>
>>> But I think this could be done on virt-test as well :)
>>>
>>
>> This would make sense.
>>
>> Although it sounds like Lucas was looking for an error message when
>> seccomp kills qemu. Maybe virt-test could grep the audit log for the
>> existence of a "type=SECCOMP" record within the test's time of
>> execution, and issue a message based on that.
>
> It's a valid idea. The problem I see with it is that not every distro
> out there uses SELinux. Not getting into the merits of whether they
> should, ideally it'd be nice to have this working on distros that won't
> use SELinux.
>
>

Completely misunderstanding, I feel sorry for that. While we can't rely
on the fact that every distro will have audit log working properly, I
can start working on some support for virt-test to detect if the host
machine has support for seccomp or if the Qemu binary has this feature
built in.

Again, sorry for the mess. Please disconsider this patch.

-- 
Eduardo Otubo
IBM Linux Technology Center
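
The audit-log check suggested in the quoted discussion, written out as an added example; it is not code from this thread, from QEMU or from virt-test. The function names, the "qemu" comm prefix and the sample records are assumptions made for illustration, and /var/log/audit/audit.log is the usual auditd default path. A missing or unreadable log is reported as "unknown" rather than as a clean run, which is the case raised above for hosts without a working audit log.

```python
import re

# Constructed sample audit records (not from the thread); the field layout
# follows the Linux audit "type=SECCOMP" record format.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1386704100.101:880): arch=c000003e syscall=2 success=yes exit=3 pid=4100 comm="qemu-system-x86"
type=SECCOMP msg=audit(1386704050.000:870): auid=1000 uid=107 gid=107 ses=1 pid=3999 comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" sig=31 arch=c000003e syscall=56 compat=0 ip=0x7f3a1c0e code=0x0
type=SECCOMP msg=audit(1386704133.452:881): auid=1000 uid=107 gid=107 ses=1 pid=4242 comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" sig=31 arch=c000003e syscall=56 compat=0 ip=0x7f3a1c0e code=0x0
type=SECCOMP msg=audit(1386704140.010:882): auid=1000 uid=1000 gid=1000 ses=1 pid=4300 comm="chrome" exe="/opt/chrome/chrome" sig=31 arch=c000003e syscall=41 compat=0 ip=0x7f11 code=0x0
"""

RECORD_RE = re.compile(r'^type=SECCOMP msg=audit\((\d+\.\d+):\d+\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def seccomp_kills(lines, start, end, comm_prefix="qemu"):
    """Return SECCOMP records for comm_prefix* logged within [start, end]."""
    hits = []
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # other record types (SYSCALL, AVC, ...) are ignored
        ts = float(m.group(1))
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
        if start <= ts <= end and fields.get("comm", "").startswith(comm_prefix):
            hits.append({"time": ts, "pid": int(fields["pid"]),
                         "syscall": int(fields["syscall"]),
                         "sig": int(fields["sig"])})
    return hits


def check_test_run(start, end, log_path="/var/log/audit/audit.log"):
    """Return the list of kills, or None when the audit log cannot be read."""
    try:
        with open(log_path, errors="replace") as fh:
            return seccomp_kills(fh, start, end)
    except OSError:
        return None  # no usable audit log: result is unknown, not "clean"


if __name__ == "__main__":
    window = (1386704100, 1386704200)  # constructed test start/end times
    for hit in seccomp_kills(SAMPLE_AUDIT_LOG.splitlines(), *window):
        print("seccomp killed qemu pid %(pid)d on syscall %(syscall)d" % hit)
```

A test harness would record the epoch time before and after launching the guest and pass both to check_test_run(), treating a None result as "fall back to another detection method".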