In my former mail I outlined when the feature was "available and built in".
But used by default it was only much later.

IIRC qemu 2.11 (1bd6152a) switched from a huge whitelist to a blacklist and
began filtering by default.

Furthermore since libvirt 4.3 (3527f9dd) libvirt will enable more of the
modular blacklists by default if >=qemu 2.11 is detected.

But even being default off people could switch it on all the time per
command-line or via libvirt per seccomp_sandbox= in /etc/libvirt/qemu.conf.



-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
