> ps.: the threads are still being broken by your emails and it's a pain
> to track down all of them in order to read. Please fix it.
I'm really sorry, I am not able to sign up to Google because I don't have a
cell number. I'll try using Sigaint. Does it work now?
> Should it enable seccomp a bit later?
Ideally it should be enabled as late as possible, right before the main loop,
because there's no reason to whitelist syscalls that are only ever needed to
start QEMU up (e.g. chroot, which is only used before the guest even boots).
But for now, the simplest s
> The current intention of the seccomp filter in QEMU, is that /all/ existing
> QEMU features continue to work unchanged. So even if a flag is used in a
> seemingly uncommon code path, we still need to allow that in a seccomp
> filter.
It already doesn't work very well, e.g. with -chroot, it fails
This patch here adds argument filtering for three syscalls:
madvise(), shmget(), and shmctl().
The madvise() flags may need a few additions, but I couldn't find any common
cases where the extra flags were used. The only additions were ones I found by
grepping through the source code for all madvis