[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [PATCH 0/4] RFC: grant KVM guests retain arbitrary capabilities



Hi all,

This patchset adds an option for KVM guests to retain arbitrary capabilities.

I want KVM guests to retain "cap_sys_rawio" capability, so I tried to
run qemu as root user. However because libvirt clears all capability 
of KVM guest by default, even if guest is running as root user,
it doesn't have any capability.  I can fulfill my requirement by 
disabling "clear_emulator_capabilities" option, but it's not 
good idea considering security risk. I'm happy libvirt could clear
unnecessary capabilities instead of clearing all. That is a motivator
for creating this patch.

By adding "domain_capabilities" element and to domain XML, its domain
can retain specified capabilities  like the following:

; VM can retain cap_sys_rawio capability
# virsh edit VM
...
  </features>
  <domain_capabilities>
    <cap_sys_rawio/>
  </domain_capabilities>
  <clock offset='utc'/>
...

# virsh start VM
# cat /proc/<VM's PID/status
...
CapInh: 0000000000000000
CapPrm: fffffffc00020000
CapEff: fffffffc00020000
CapBnd: fffffffc00020000
...


  *[PATCH 1/4] conf: add XML schema for domain capabilities
  *[PATCH 2/4] util: add functions to keep capabilities
  *[PATCH 3/4] util: extend virExecWithHook()
  *[PATCH 4/4] qemu: make qemu processes to retain capabilities
 
--
Best regards, 
Taku Izumi <izumi taku jp fujitsu com>


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]