This repository has been archived by the owner on May 12, 2021. It is now read-only.

qemu seccomp support #327

Closed
bergwolf opened this issue May 21, 2018 · 1 comment
Labels: enhancement (Improvement to an existing feature), security (Potential or actual security issue)

Comments

@bergwolf
Member

QEMU enforces a seccomp-bpf syscall blacklist when started with the `-sandbox on` option. We may want to enable it to get an extra layer of protection with fewer attack interfaces. It comes with some performance cost, and we can enable `/proc/sys/net/core/bpf_jit_enable` to reduce the impact.
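
An added example, not part of the original issue and not Kata Containers code: a shell audit that reports whether each QEMU process on a host is actually running under a seccomp filter, whether it was started with `-sandbox on`, and the current `bpf_jit_enable` value. The function names, the optional proc-root argument and the sample tree (PIDs 101 and 102) are constructed for illustration; the `Seccomp:` field values 0, 1 and 2 are the kernel's own.

```shell
#!/bin/sh
# Added example, not Kata Containers code; the PROC argument defaults to /proc.

# Seccomp mode of PID, from the "Seccomp:" line of PROC/PID/status.
seccomp_mode() {
    case "$(awk '$1 == "Seccomp:" { print $2 }' "${2:-/proc}/$1/status" 2>/dev/null)" in
        0) echo disabled ;; 1) echo strict ;; 2) echo filter ;; *) echo unknown ;;
    esac
}

# Exit 0 if PID's argv contains "-sandbox" followed by "on" or "on,<sub-options>".
has_sandbox_on() {
    [ -r "${2:-/proc}/$1/cmdline" ] || return 1
    tr '\000' '\n' < "${2:-/proc}/$1/cmdline" |
        awk '(prev == "-sandbox" || prev == "--sandbox") && /^on(,|$)/ { found = 1 }
             { prev = $0 } END { exit !found }'
}

# Value of net.core.bpf_jit_enable (0 = interpreter, 1 = JIT, 2 = JIT with debug output).
bpf_jit_state() {
    cat "${1:-/proc}/sys/net/core/bpf_jit_enable" 2>/dev/null || echo unknown
}

# Report every qemu* process; return 1 if any of them runs without a seccomp filter.
audit_qemu() {
    root="${1:-/proc}"; rc=0
    for d in "$root"/[0-9]*; do
        [ -r "$d/cmdline" ] || continue
        argv0="$(tr '\000' '\n' < "$d/cmdline" | head -n 1)"
        case "${argv0##*/}" in qemu*) ;; *) continue ;; esac
        mode="$(seccomp_mode "${d##*/}" "$root")"
        if has_sandbox_on "${d##*/}" "$root"; then flag=yes; else flag=no; fi
        echo "pid=${d##*/} seccomp=$mode sandbox_on=$flag"
        [ "$mode" = filter ] || rc=1
    done
    return "$rc"
}

# Constructed sample: PID 101 started with "-sandbox on", PID 102 without it.
make_sample_proc() {
    t="$(mktemp -d)"; mkdir -p "$t/101" "$t/102" "$t/sys/net/core"
    printf 'qemu-system-x86_64\000-sandbox\000on\000' > "$t/101/cmdline"
    printf 'Name:\tqemu-system-x86\nSeccomp:\t2\n' > "$t/101/status"
    printf '/usr/bin/qemu-system-x86_64\000-nographic\000' > "$t/102/cmdline"
    printf 'Name:\tqemu-system-x86\nSeccomp:\t0\n' > "$t/102/status"
    echo 1 > "$t/sys/net/core/bpf_jit_enable"; echo "$t"
}

# Demo on the constructed tree; on a real host call: audit_qemu /proc
demo="$(make_sample_proc)"; audit_qemu "$demo" || echo "QEMU without seccomp filter found"
echo "bpf_jit_enable=$(bpf_jit_state "$demo")"; rm -rf "$demo"
```

The kernel-reported `Seccomp:` mode is the authoritative signal; the command-line check only shows how the process was launched.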

@WeiZhang555
Member

Security is always welcome 😄
As far as I know, the performance cost brought by seccomp is often expensive, so I am a little bit worried about it too.

@egernst added the enhancement, help wanted and security labels on Aug 16, 2018
zklei pushed a commit to zklei/runtime that referenced this issue Jun 13, 2019
Add a `context.Context` parameter to the client `NewAgentClient()` API and
enable gRPC tracing if the specified context contains an opentracing
span.

Fixes kata-containers#327.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>