On 29/08/2013 10:34, Stefan Hajnoczi wrote:
> On Wed, Aug 28, 2013 at 10:04:32PM -0300, Eduardo Otubo wrote:
>> Now there's a second whitelist, right before the vcpu starts. The second
>> whitelist is the same as the first one, except for exec() and select().
>
> -netdev tap,downscript=/path/to/script requires exec() in the QEMU
> shutdown code path. Will this work with seccomp?

It won't by design (seccomp is supposed to run with file descriptor passing).

However, removing select() seems a bit risky. We cannot exclude that external libraries are not using it instead of, say, poll.

BTW, recent QEMU is using ppoll instead of poll; does the whitelist require an update?

Paolo