Thanks.

2014-12-12 17:06 GMT+01:00 Stefan Berger <[email protected]>:

> On 12/12/2014 10:32 AM, Daniel P. Berrange wrote:
>
>> On Fri, Dec 12, 2014 at 04:24:55PM +0100, Raymond Durand wrote:
>>
>>> Thanks.
>>>
>>> How are the rules managed so as to fit the VM system calls?
>>> Is tuning possible? recommended?
>>>
>> QEMU has a built-in policy that adds rules for every conceivable
>> function that QEMU might need to execute. Given that is quite
>> broad, the security benefit from seccomp enablement is quite low
>> IMHO
>>
>
> Base code and (active) devices would each have to report what syscalls
> they need so this list could be reduced to the minimum ...
>

"Could be reduced": how? Do you have in mind selecting the appropriate active devices at the initialization time?

> Stefan
>
> Regards,
>> Daniel
>>
>
> --
> libvir-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/libvir-list
>

Regards,
