On Wednesday, September 18, 2013 08:38:17 AM Daniel P. Berrange wrote:
> Libvirt does not want to be in the business of creating seccomp syscall
> filters for QEMU. As mentioned before, IMHO that places an unacceptable
> burden on libvirt to know about the syscalls each particular version
> of QEMU requires for its operation.

At a high level, I don't see how libvirt configuring and installing a syscall filter is substantially different from libvirt configuring and installing a network filter.

Also, and I recognize this is diverting away from a topic most of qemu-devel is not interested in, what about libvirt-lxc? What about all of the other virtualization drivers supported by libvirt (granted, not all would be candidates for syscall filtering, but you get the idea)?

--
paul moore
security and virtualization @ redhat