[libvirt] PATCH: 3/3: Control file device access
Daniel Veillard
veillard at redhat.com
Fri Feb 27 16:09:35 UTC 2009
On Thu, Feb 26, 2009 at 04:42:59PM +0000, Daniel P. Berrange wrote:
>
> This patch is more focused on access control. CGroups has a controller
> that enforces ACLs on device nodes. This allows us to restrict exactly
> what block/character devices a guest is allowed to access. So in the
> absence of something like SELinux sVirt, you can get a degree of
> isolation between VMs on block device backed disks.
Will that work for dynamically plugged block devices ? This seems to
have the potential to break things there, isn't-it ?
> This sets up an initial deny-all policy, and then iterates over all
> the disks defined for a VM, allowing each one in turn. Finally it
> allows a handy of common nodes like /dev/null, /dev/random, /dev/ptmx
> and friends, which all processes need to use.
[...]
> + if (virCgroupAllowDeviceMajor(cgroup, 'c', 136) < 0) {
errr ... what is 136 ? Maybe a descriptive constant would help :-)
In gneral how much testing do we need before pushing those patches ?
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel at veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
More information about the libvir-list
mailing list