From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:44708)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <lmr@redhat.com>) id 1VqTgE-0004ee-VJ
	for qemu-devel@nongnu.org; Tue, 10 Dec 2013 15:13:24 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <lmr@redhat.com>) id 1VqTg9-0000sZ-0J
	for qemu-devel@nongnu.org; Tue, 10 Dec 2013 15:13:18 -0500
Received: from mx1.redhat.com ([209.132.183.28]:64110)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <lmr@redhat.com>) id 1VqTg8-0000sO-Nw
	for qemu-devel@nongnu.org; Tue, 10 Dec 2013 15:13:12 -0500
Message-ID: <52A775CF.8070608@redhat.com>
Date: Tue, 10 Dec 2013 18:13:03 -0200
From: Lucas Meneghel Rodrigues <lmr@redhat.com>
MIME-Version: 1.0
References: <1386609652-7876-1-git-send-email-otubo@linux.vnet.ibm.com>
	<52A68867.4080309@linux.vnet.ibm.com>
	<52A76216.7090303@redhat.com> <2378748.BRySzGFBvl@sifl>
In-Reply-To: <2378748.BRySzGFBvl@sifl>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH] seccomp: "-sandbox on" won't kill Qemu
 when option not built in
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Paul Moore <pmoore@redhat.com>
Cc: Corey Bryant <coreyb@linux.vnet.ibm.com>, qemu-devel@nongnu.org, anthony@codemonkey.ws, Eduardo Otubo <otubo@linux.vnet.ibm.com>

On 12/10/2013 05:31 PM, Paul Moore wrote:
> On Tuesday, December 10, 2013 04:48:54 PM Lucas Meneghel Rodrigues wrote:
>> On 12/10/2013 01:20 AM, Corey Bryant wrote:
>>>>> IMHO the test suite should probe to see if sandbox is working or not,
>>>>> and
>>>>> just not use the "-sandbox on" arg if the host doesn't support it.
>>>>
>>>> But I think this could be done on virt-test as well :)
>>>
>>> This would make sense.
>>>
>>> Although it sounds like Lucas was looking for an error message when
>>> seccomp kills qemu.  Maybe virt-test could grep the audit log for the
>>> existence of a "type=SECCOMP" record within the test's time of
>>> execution, and issue a message based on that.
>>
>> It's a valid idea. The problem I see with it is that not every distro
>> out there uses SELinux. Not getting into the merits of whether they
>> should, ideally it'd be nice to have this working on distros that won't
>> use SELinux.
>
> Minor point of clarification, but audit and SELinux and independent subsystems
> in the kernel.
>
> Also, and I don't have a non-audit kernel built at the moment to verify this,
> but on non-audit kernels the audit messages should be sent to syslog so you
> *should* still be able to search for SECCOMP records regardless.

Ok, my bad, thanks for the clarification! We'll look into checking the 
audit log.