[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: [libvirt] PATCH: 3/3: Control file device access

From: Daniel Veillard <veillard redhat com>
To: "Daniel P. Berrange" <berrange redhat com>
Cc: libvir-list redhat com
Subject: Re: [libvirt] PATCH: 3/3: Control file device access
Date: Fri, 27 Feb 2009 17:09:35 +0100

On Thu, Feb 26, 2009 at 04:42:59PM +0000, Daniel P. Berrange wrote:
> 
> This patch is more focused on access control. CGroups has a controller
> that enforces ACLs on device nodes. This allows us to restrict exactly
> what block/character devices  a guest is allowed to access. So in the
> absence of something like SELinux sVirt, you can get a degree of 
> isolation between VMs on block device backed disks.

  Will that work for dynamically plugged block devices ? This seems to
have the potential to break things there, isn't-it ?

> This sets up an initial deny-all policy, and then iterates over all
> the disks defined for a VM, allowing each one in turn. Finally it
> allows a handy of common nodes like /dev/null, /dev/random, /dev/ptmx
> and friends, which all processes need to use.

[...]
> +    if (virCgroupAllowDeviceMajor(cgroup, 'c', 136) < 0) {

  errr ... what is 136 ? Maybe a descriptive constant would help :-)

  In gneral how much testing do we need before pushing those patches ?

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel veillard com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/

References:
- [libvirt] PATCH: 0/3: Run QEMU guests within a CGroup
  - From: Daniel P. Berrange
- Re: [libvirt] PATCH: 3/3: Control file device access
  - From: Daniel P. Berrange

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]