missing seccomp whitelist for qemu-kvm

I'm attaching an even simpler guest definition that also fails to boot.

I believe the seccomp whitelist is provided by qemu itself, not libvirt.

Yes, that's correct. This syscall list is controlled and hard-coded inside Qemu. I'll send a patch in order to fix this issue.
Thanks for reporting.

Sounds like you need the sysinfo system call added. It's not there upstream, so I wonder whether that indicates there's a bug causing htat to be needed, or that noone upstream is using seccomp.

The sysinfo syscall was discussed in https://lists.nongnu.org/archive/html/qemu-devel/2016-03/msg01365.html so upstream is aware of this at least and Eduardo being the qemu-seccomp maintainer is good.

@otubo, if you have a patch that needs testing please don't hesitate.

The attached debdiff fixes the problem and built successfully in PPA.

Seems I was too slow, thanks Serge!

Oops. Thanks, and thanks for the m-l link.

The attachment "lp1560149.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

This bug was fixed in the package qemu - 1:2.5+dfsg-5ubuntu7

---------------
qemu (1:2.5+dfsg-5ubuntu7) xenial; urgency=medium

  * Cherrypick patch from mailing list to fix qemu in sandbox. (LP: #1560149)

 -- Serge Hallyn <email address hidden> Mon, 11 Apr 2016 15:13:06 -0500