On Tue, Apr 10, 2018 at 04:49:42PM +0200, Ján Tomko wrote:
> If QEMU uses a seccomp blacklist (since 2.11), -sandbox on
> no longer tries to whitelist all the calls, but uses sets
> of blacklists:
> default (always blacklisted with -sandbox on)
> obsolete (defaults to deny)
> elevateprivileges
On Fri, Apr 13, 2018 at 10:08:34AM -0400, John Ferlan wrote:
>
>
> On 04/10/2018 10:49 AM, Ján Tomko wrote:
> > If QEMU uses a seccomp blacklist (since 2.11), -sandbox on
> > no longer tries to whitelist all the calls, but uses sets
> > of blacklists:
> > default (always blacklisted with
On 04/10/2018 10:49 AM, Ján Tomko wrote:
> If QEMU uses a seccomp blacklist (since 2.11), -sandbox on
> no longer tries to whitelist all the calls, but uses sets
> of blacklists:
> default (always blacklisted with -sandbox on)
> obsolete (defaults to deny)
> elevateprivileges (setuid & co,
If QEMU uses a seccomp blacklist (since 2.11), -sandbox on
no longer tries to whitelist all the calls, but uses sets
of blacklists:
default (always blacklisted with -sandbox on)
obsolete (defaults to deny)
elevateprivileges (setuid & co, default: allow)
spawn (fork & execve, default: allow)