[libvirt] [PATCH] qemu: Add a qemu.conf option for clearing capabilities
Eric Blake
eblake at redhat.com
Fri May 28 16:57:10 UTC 2010
On 05/28/2010 10:46 AM, Cole Robinson wrote:
>> Leaving qemu privileged means that a compromised guest can exploit the
>> privileges and do damage to the hypervisor; is it worth adding
>> additional comments warning the user about the lack of security inherent
>> in clearing the option?
>>
>
> How about
>
> # If clear_emulator_capabilities is enabled, libvirt will drop all
> # privileged capabilities of the QEmu/KVM emulator. This is enabled by #
> default.
> #
> # Warning: Disabling this option means that a compromised guest can
> # exploit the privileges and possibly do damage to the host.
Sounds good to me with that wording.
--
Eric Blake eblake at redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 619 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20100528/6e62b8da/attachment-0001.sig>
More information about the libvir-list
mailing list