[libvirt] [PATCH v3 0/5] RFC: grant KVM guests retain arbitrary capabilities
Paolo Bonzini
pbonzini at redhat.com
Fri Jan 27 13:55:17 UTC 2012
On 01/27/2012 02:30 PM, Daniel P. Berrange wrote:
> Yep, I tend to agree. We should have
>
> 1. rawio="yes|nmo" on the<disk> element somewhere
> 2. Give the QEMU process CAP_SYS_RAWIO
> 3. Use the devices cgroup to specify which individual disks
> can use rawio.
>
> That said I don't think we need to block the entire patch, just waiting
> for #3. I think it is acceptable to implement #1& #2 right now,
> provided that we mark the domain as tainted. After all if we don't do
> #1& #2, then people are just going to set clear_emulator_capabilities=0
> which is even more insecure.
Yeah, tainting makes sense. Once we implement #3 we can remove the taint.
Paolo
More information about the libvir-list
mailing list