[libvirt] [PATCH 2/2] qemu_cgroup: allow access to /dev/dri/render*

Daniel P. Berrange berrange at redhat.com
Thu May 19 12:21:59 UTC 2016

On Thu, May 19, 2016 at 01:29:07PM +0200, Ján Tomko wrote:
> Allow access to /dev/dri/render* devices for domains
> using <graphics type="spice"> with <gl enable="yes"/>
> https://bugzilla.redhat.com/show_bug.cgi?id=1337290

Ignoring cgroups for a minute, how exactly does QEMU get access to
the /dev/dri/render* devices in general ?  ie when QEMU is running
as the 'qemu:qemu' user/group account, with selinux enforcing I
don't see how it can possibly open these files, as we're not granting
access to them in any of the security drivers. Given this, allowing
them in cgroups seems like the least of our problems.

|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

More information about the libvir-list mailing list