[FEATURE] UbuntuKVM: Enable seccomp support in QEMU

Bug #1644639 reported by bugproxy
Affects: qemu (Ubuntu)
Status: Fix Released
Importance: Wishlist
Assigned to: Canonical Server

Bug Description

Please compile QEMU with libseccomp support. In order to provide that, you need to have the --enable-seccomp flag in QEMU's ./configure.


bugproxy (bugproxy)
tags: added: architecture-ppc64le bugnameltc-146523 severity-high targetmilestone-inin1704
Changed in ubuntu:
assignee: nobody → Taco Screen team (taco-screen-team)
affects: ubuntu → qemu (Ubuntu)
Breno Leitão (breno-leitao) wrote :

Please mark this 'feature' as a wishlist. This should be used to foster communication about the qemu security model.

Jon Grimm (jgrimm)
Changed in qemu (Ubuntu):
importance: Undecided → Wishlist
Christian Ehrhardt (paelzer) wrote :

I was checking the current build and in fact it is already enabled.
So I wondered and realized that this is actually just a "please enable this on power too" request.
Is that correct?

Currently it is:
 libseccomp-dev (>> 2.1.0) [linux-amd64 linux-i386],

It should be safe to extend that to more architectures.

Is that what you want or do you want to wrap more into it?
Quoting: "This should be used to foster communication about qemu security model."
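To make the architecture restriction in the quoted build-dependency line concrete, here is an added Python example (not code from the bug or from the Ubuntu qemu packaging) that parses a debian/control Build-Depends entry and reports on which architectures libseccomp-dev is pulled in, and therefore where a ./configure --enable-seccomp build can succeed. The extended line with linux-ppc64el and the candidate architecture list are constructed for illustration.

```python
import re

# Shape of one Build-Depends entry in debian/control:
#   package (relation version) [architecture-list]; both qualifiers are optional.
DEP_RE = re.compile(
    r"^\s*(?P<pkg>[a-z0-9][a-z0-9+.-]*)\s*"
    r"(?:\((?P<rel>>>|>=|<<|<=|=)\s*(?P<ver>[^)]+)\))?\s*"
    r"(?:\[(?P<archs>[^\]]*)\])?\s*$"
)

def parse_dep(entry):
    """Split a Build-Depends entry into package, version relation and arch list."""
    m = DEP_RE.match(entry)
    if not m:
        raise ValueError("not a Build-Depends entry: %r" % entry)
    archs = m.group("archs").split() if m.group("archs") else []
    ver = m.group("ver").strip() if m.group("ver") else None
    return {"pkg": m.group("pkg"), "rel": m.group("rel"), "ver": ver, "archs": archs}

def arch_matches(spec, arch, os_name="linux"):
    """Match one Debian arch specifier (ppc64el, linux-ppc64el, linux-any, any)."""
    if spec == "any":
        return True
    spec_os, spec_cpu = spec.split("-", 1) if "-" in spec else ("linux", spec)
    return spec_os in ("any", os_name) and spec_cpu in ("any", arch)

def dep_applies(entry, arch):
    """True if the dependency is pulled in when building on arch; an empty list
    applies everywhere, and a list is either fully negated with '!' or not at all."""
    archs = parse_dep(entry)["archs"]
    if not archs:
        return True
    if archs[0].startswith("!"):
        return not any(arch_matches(a[1:], arch) for a in archs)
    return any(arch_matches(a, arch) for a in archs)

def archs_with_seccomp(entry, candidates):
    """Candidates on which libseccomp-dev is installed at build time, i.e. the only
    ones where ./configure --enable-seccomp can succeed."""
    return [a for a in candidates if dep_applies(entry, a)]

# The line quoted in the bug, and a constructed extension that adds ppc64el.
CURRENT_DEP = "libseccomp-dev (>> 2.1.0) [linux-amd64 linux-i386]"
EXTENDED_DEP = "libseccomp-dev (>> 2.1.0) [linux-amd64 linux-i386 linux-ppc64el]"
UBUNTU_ARCHS = ["amd64", "i386", "arm64", "ppc64el", "s390x"]  # constructed list

if __name__ == "__main__":
    for dep in (CURRENT_DEP, EXTENDED_DEP):
        print(dep, "->", archs_with_seccomp(dep, UBUNTU_ARCHS))
```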

bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2017-01-18 09:16 EDT-------
(In reply to comment #9)
> I was checking the current build and in fact it is already enabled.
> So I wondered and realized that this is actually just a "please enable this
> on power too" request.
> Is that correct?

Yes, that's correct. It is just about adding the --enable-seccomp flag in QEMU's ./configure for ppc64el.

Christian Ehrhardt (paelzer) wrote :

Ok, thanks for the clarification.
It is enabled as part of this cycle's merge of a newer qemu version.

Need to fix a few other things to make it complete, but this bug will get the auto-close update via launchpad once it migrates into zesty.

Manoj Iyer (manjo) wrote :

Assigning to canonical server, I believe we are already on track for this feature in zesty.

Changed in qemu (Ubuntu):
assignee: Taco Screen team (taco-screen-team) → Canonical Server Team (canonical-server)
Christian Ehrhardt (paelzer) wrote :

Yes, this is already part of the qemu upload in current zesty-proposed.
Bug will be auto-closed once it migrates.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu - 1:2.8+dfsg-2ubuntu1

---------------
qemu (1:2.8+dfsg-2ubuntu1) zesty; urgency=medium

  * Merge with Debian; remaining changes:
    - add qemu-kvm init script and defaults file
      (d/qemu-system-common.qemu-kvm.*)
    - d/rules, d/qemu-kvm-init: add and install script loading kvm
      modules and handling /etc/default/qemu-kvm
    - qemu-system-common.preinst: add kvm group if needed
    - Enable nesting by default on intel.
      - set default module option
      - re-load kvm_intel.ko if it was loaded without nested=1
      - d/p/ubuntu/expose-vmx_qemu64cpu.patch: enable nested kvm by
        default in qemu64 cpu type.
    - Enable svm by default for qemu64 on amd
    - d/p/ubuntu/define-ubuntu-machine-types.patch: define distro machine
      types to ease future live vm migration.
    - Make qemu-system-common depend on qemu-block-extra
    - Make qemu-utils depend on qemu-block-extra
    - s390x support
      - Create qemu-system-s390x package
      - Include s390-ccw.img firmware
    - qemu-system-common.postinst:
      - change acl placed by udev, and add udevadm trigger.
      - d/control-in: change dependencies for fix of wrong acl for newly
        created device node on ubuntu
    - have qemu-system-arm suggest: qemu-efi; this should be a stronger
      relationship, but qemu-efi is still in universe right now.
    - d/qemu-kvm-init, d/kvm.powerpc, d/control-in: check SMT on ppc64el
    - Several changes were applied but missing in the changelog so far
      - d/qemu-system-ppc.links provide usr/bin/qemu-system-ppc64le symlink
      - arch aware kvm wrapper
      - update VCS links
      - no more skip disable libiscsi on Ubuntu
      - let qemu-utils recommend sharutils
      - disable x32 architecture
  * Dropped Changes:
    - Several changes were applied but missing in the changelog so far
      but are no more needed
      - no pie for relocatable LD calls, with toolchain defaulting to
        pie (fixed upstream)
      - enable libnuma-dev (now in Debian)
      - transition for moved init scripts (can be dropped after LTS
        containing >=2.5 which is Xenial)
      - --enable-seccomp related whitespace change (had no effect)
    - apport hook for qemu source package (In Debian)
    - add upstart script (d/qemu-system-common.qemu-kvm.upstart)
    - d/qemu-system-x86.maintscript: transition off of
      /etc/init.d/qemu-system-x86 (can be dropped after Xenial)
    - Enable pie by default, on ubuntu/s390x. (Is the default since
      >=Xenial, no cloud archive backport <=Xenial to consider)
    - no pie for relocatable LD calls (fixed upstream in commit
      7ecf44a5)
    - CVEs: CVE-2016-5403, CVE-2016-6351, CVE-2016-6490 (now Upstream)
    - Revert fix for CVE-2016-5403, causes regression see USN-3047-2.
      (Improved fix included by upstream)
    - Enable GPU Passthru for ppc64le (is upstream in qemu 2.7)
    - Fixed wrong migration blocker when vhost is used (is upstream in
      qemu 2.8)
  * Added Changes:
    - d/rules, d/control-in: avoid people editing d/control by warning
      header and non writable permissions
    - fixed moving trusty machine type definition whic...


Changed in qemu (Ubuntu):
status: New → Fix Released