To summarize my checks: by default it is only on since the further reworks in qemu 2.12. I checked manual calls and libvirt-spawned qemu with earlier versions and they had not used the sandbox feature.
Although, as mentioned, per the config in /etc/libvirt/qemu.conf or via the -sandbox switch this could have been used way back in older releases.

There is a useful one-line check for the bug without the need to spawn anything via libvirt or such:

    qemu-system-x86_64 -sandbox on -nographic & pid=$!; sleep 2s; echo PID $pid; for task in /proc/$pid/task/*; do cat $task/status | grep Secc; done; kill -9 $pid

Will report like:

    PID 23230
    Seccomp: 2
    Seccomp: 0

And the two lines should match.

-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
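
The same per-thread comparison as a reusable audit for an already-running process, as an added example that is not part of the original message. The function name seccomp_audit and its optional second argument (an alternate proc root, used so it can be run against a constructed tree) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit the Seccomp mode of every thread of one process.
# Kernel values in /proc/<pid>/task/<tid>/status:
#   0 = disabled, 1 = strict, 2 = filter.
#
# seccomp_audit PID [PROC_ROOT]
#   Prints "TID MODE NAME" for each thread.
#   Returns 0 if all threads share the same non-zero mode,
#           1 if modes differ or any thread is unfiltered,
#           2 if the process (or its Seccomp field) cannot be read.
seccomp_audit() {
    pid=$1
    root=${2:-/proc}          # PROC_ROOT is hypothetical, for offline testing
    [ -d "$root/$pid/task" ] || return 2
    first=""
    seen=0
    rc=0
    for task in "$root/$pid/task"/*; do
        # A thread may exit between the glob and the read.
        [ -r "$task/status" ] || continue
        # status fields are "Key:<TAB>value"; thread names may contain spaces.
        mode=$(awk -F'\t' '$1 == "Seccomp:" {print $2}' "$task/status")
        name=$(awk -F'\t' '$1 == "Name:" {print $2}' "$task/status")
        [ -n "$mode" ] || continue
        seen=1
        echo "${task##*/} $mode ${name:-?}"
        [ -n "$first" ] || first=$mode
        # Flag both a mismatch between threads and any unfiltered thread.
        if [ "$mode" != "$first" ] || [ "$mode" = 0 ]; then
            rc=1
        fi
    done
    [ "$seen" = 1 ] || return 2
    return $rc
}

# Usage against a live process:
#   seccomp_audit "$(pidof qemu-system-x86_64)" || echo "thread(s) not sandboxed"
```

A return value of 1 corresponds to the mismatching output shown in the message above.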