On Saturday, September 26, 2015 01:06:57 AM Namsun Ch'o wrote:
> > I've suggested this in the past but to my knowledge no one has done any work
> > in this direction, including myself. Despite the lack of progress, I still
> > think this is a very worthwhile idea.
>
> Which is exactly why I think a configuration file would be the best option
> instead of --enable-syscalls=foo,bar,baz. It would allow someone to easily
> customize their policy without needing to create a patch, or wait on QEMU
> developers to do work on it.
To be clear, I'm not suggesting "--enable-syscalls=foo,bar,..."; what I'm suggesting is a decomposition of the current filter list into blocks of syscalls that are needed to enable specific functionality. For example, if you enable audio support at runtime a set of syscalls will be added to the filter whitelist, if you enable a network device a different set of syscalls will be added to the filter, and so on. I think having an admin specified filter, either via a command line or configuration file, is a step in the wrong direction.

-- 
paul moore
security @ redhat
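To make the per-feature decomposition concrete, here is an added example that is not QEMU code and not from either poster. It assumes Linux on x86_64 or aarch64 and uses raw classic-BPF seccomp via prctl(2) rather than libseccomp. The feature flags (FEAT_AUDIO, FEAT_NET) and the syscall sets in each block are constructed for illustration and are not QEMU's real whitelist; the point is the composition rule: a block is merged into the whitelist only when the feature that needs it is enabled, duplicates across blocks collapse, and the admin never edits the list directly.

```c
/* Added example, not QEMU code: a seccomp whitelist composed from
 * per-feature syscall blocks.  Linux/x86_64 or aarch64 only.  The
 * syscall sets below are constructed for illustration and are NOT
 * QEMU's real lists. */
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define MAX_SYSCALLS 64

/* Runtime features (assumed names); each one pulls in its own block. */
enum feature { FEAT_AUDIO = 1u << 0, FEAT_NET = 1u << 1 };

struct block { const char *name; unsigned needs; const int *nrs; size_t count; };

/* Illustrative blocks: what every guest needs, then what an audio backend
 * and a network device add on top.  Overlaps (write, ioctl) are deliberate. */
static const int base_nrs[]  = { SYS_read, SYS_write, SYS_exit_group, SYS_futex, SYS_mmap, SYS_munmap };
static const int audio_nrs[] = { SYS_openat, SYS_close, SYS_ioctl, SYS_write };
static const int net_nrs[]   = { SYS_socket, SYS_bind, SYS_sendto, SYS_recvfrom, SYS_ioctl };

static const struct block blocks[] = {
    { "base",  0,          base_nrs,  sizeof base_nrs  / sizeof *base_nrs  },
    { "audio", FEAT_AUDIO, audio_nrs, sizeof audio_nrs / sizeof *audio_nrs },
    { "net",   FEAT_NET,   net_nrs,   sizeof net_nrs   / sizeof *net_nrs   },
};

/* Merge the blocks whose feature is enabled, dropping duplicates so a
 * syscall shared by two blocks appears once.  Returns the entry count. */
size_t build_whitelist(unsigned features, int *out, size_t max)
{
    size_t n = 0;
    for (size_t b = 0; b < sizeof blocks / sizeof *blocks; b++) {
        if ((blocks[b].needs & features) != blocks[b].needs)
            continue;                       /* feature off: block stays out */
        for (size_t i = 0; i < blocks[b].count; i++) {
            int nr = blocks[b].nrs[i];
            size_t j;
            for (j = 0; j < n && out[j] != nr; j++)
                ;
            if (j == n && n < max)
                out[n++] = nr;
        }
    }
    return n;
}

int whitelist_contains(unsigned features, int nr)
{
    int nrs[MAX_SYSCALLS];
    size_t n = build_whitelist(features, nrs, MAX_SYSCALLS);
    for (size_t i = 0; i < n; i++)
        if (nrs[i] == nr)
            return 1;
    return 0;
}

static struct sock_filter stmt(unsigned short code, unsigned k)
{ struct sock_filter f = { code, 0, 0, k }; return f; }
static struct sock_filter jump(unsigned short code, unsigned k, unsigned char jt, unsigned char jf)
{ struct sock_filter f = { code, jt, jf, k }; return f; }

/* Emit a classic-BPF program: check the arch, allow exactly the whitelisted
 * numbers, kill on anything else.  Returns the instruction count, 0 if the
 * buffer is too small or the list exceeds a BPF jump's 255-instruction reach. */
size_t build_bpf(unsigned features, struct sock_filter *prog, size_t max)
{
    int nrs[MAX_SYSCALLS];
    size_t n = build_whitelist(features, nrs, MAX_SYSCALLS);
    size_t total = n + 6, p = 0;
    if (total > max || n > 255)
        return 0;
    prog[p++] = stmt(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[p++] = jump(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    prog[p++] = stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL);   /* wrong arch */
    prog[p++] = stmt(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < n; i++)   /* on match, jump over the rest and the kill */
        prog[p++] = jump(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nrs[i], (unsigned char)(n - i), 0);
    prog[p++] = stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[p++] = stmt(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return p;
}

/* Usage: ./a.out [audio] [net]  -- features are chosen at startup, the
 * admin never hands in a syscall list. */
int main(int argc, char **argv)
{
    static const char msg[] = "filtered process still running\n";
    unsigned features = 0;
    for (int i = 1; i < argc; i++) {
        if (!strcmp(argv[i], "audio")) features |= FEAT_AUDIO;
        else if (!strcmp(argv[i], "net")) features |= FEAT_NET;
    }
    struct sock_filter prog[MAX_SYSCALLS + 8];
    size_t len = build_bpf(features, prog, sizeof prog / sizeof *prog);
    if (!len)
        return 1;
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    printf("installing %zu-instruction filter (%zu syscalls)\n", len, len - 6);
    fflush(stdout);
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog)) {
        perror("prctl");
        return 1;
    }
    write(1, msg, sizeof msg - 1);   /* write is in the base block, so this survives */
    return 0;
}
```

Adding a feature means adding one block and one flag; nothing the admin can set changes the result. The arch check goes first so a foreign-ABI syscall (e.g. a 32-bit entry on x86_64) cannot be matched against the 64-bit numbers.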