On Mon, 2021-08-02 at 14:02 +0100, Daniel P. Berrangé wrote:
> Blocking the 'fork' syscall on Linux is not sufficient to block the
> 'fork' C library function, because the latter is essentially always
> implemented using the 'clone' syscall these days.
>
> Blocking 'clone' is difficult as that also blocks pthread creation,
> so it needs careful filtering.
>
> Daniel P. Berrangé (5):
>   seccomp: allow action to be customized per syscall
>   seccomp: add unit test for seccomp filtering
>   seccomp: fix blocking of process spawning
>   seccomp: block use of clone3 syscall
>   seccomp: block setns, unshare and execveat syscalls
>
>  MAINTAINERS               |   1 +
>  softmmu/qemu-seccomp.c    | 282 +++++++++++++++++++++++++++++---------
>  tests/unit/meson.build    |   4 +
>  tests/unit/test-seccomp.c | 269 ++++++++++++++++++++++++++++++++++++
>  4 files changed, 490 insertions(+), 66 deletions(-)
>  create mode 100644 tests/unit/test-seccomp.c
>
> --
> 2.31.1
>

Acked-by: Eduardo Otubo

--
Eduardo Otubo
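Added example, not from this thread and not QEMU's own softmmu/qemu-seccomp.c: a raw seccomp-bpf filter that blocks process spawning the way the cover letter describes (fork, vfork, clone3, and clone without thread flags are refused) while clone calls carrying the thread flags that pthread_create uses still pass. It assumes an x86_64 host; the names spawn_filter, clone_flags_allowed and install_spawn_filter are this example's own.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#ifndef __NR_clone3
#define __NR_clone3 435   /* x86_64 value; missing from older headers */
#endif
/* CLONE_VM | CLONE_SIGHAND | CLONE_THREAD from <linux/sched.h>, spelled out */
#define THREAD_FLAGS (0x00000100u | 0x00000800u | 0x00010000u)
#define RET_ERRNO(e) (SECCOMP_RET_ERRNO | ((e) & SECCOMP_RET_DATA))

/* Userspace mirror of the flag test the filter applies to clone(2):
 * a thread carries all three bits, a fork()-style clone carries none. */
int clone_flags_allowed(uint32_t flags)
{
    return (flags & THREAD_FLAGS) == THREAD_FLAGS;
}

static struct sock_filter spawn_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),          /* rules are x86_64-only */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fork, 4, 0),   /* -> EPERM */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_vfork, 3, 0),  /* -> EPERM */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone3, 3, 0), /* -> ENOSYS */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone, 3, 0),  /* -> flag check */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),           /* everything else */
    BPF_STMT(BPF_RET | BPF_K, RET_ERRNO(EPERM)),
    /* clone3 takes its flags in a struct seccomp cannot read; ENOSYS (not
     * EPERM) makes glibc fall back to clone(2), whose flags we can inspect. */
    BPF_STMT(BPF_RET | BPF_K, RET_ERRNO(ENOSYS)),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
    BPF_STMT(BPF_ALU | BPF_AND | BPF_K, THREAD_FLAGS),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THREAD_FLAGS, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),           /* pthread_create */
    BPF_STMT(BPF_RET | BPF_K, RET_ERRNO(EPERM)),            /* fork() via clone */
};

/* Install on the calling thread; returns 0 or -errno. Cannot be undone. */
int install_spawn_filter(void)
{
    struct sock_fprog prog = { .len = sizeof(spawn_filter) / sizeof(spawn_filter[0]),
                               .filter = spawn_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}
```

After install_spawn_filter(), glibc's fork() gets ENOSYS from clone3, retries with clone and receives EPERM, while pthread_create() succeeds because its clone flags include CLONE_VM, CLONE_SIGHAND and CLONE_THREAD.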