[libvirt] [PATCH 0/4] RFC: grant KVM guests retain arbitrary capabilities

Taku Izumi izumi.taku at jp.fujitsu.com
Tue Dec 20 07:40:54 UTC 2011


Hi all,

This patchset adds an option for KVM guests to retain arbitrary capabilities.

I want KVM guests to retain the "cap_sys_rawio" capability, so I tried to
run qemu as the root user. However, because libvirt clears all capabilities
of KVM guests by default, even if a guest is running as the root user,
it doesn't have any capabilities. I can fulfill my requirement by
disabling the "clear_emulator_capabilities" option, but that's not a
good idea considering the security risk. I would be happy if libvirt could
clear unnecessary capabilities instead of clearing all. That is the
motivation for creating this patch.

By adding a "domain_capabilities" element to the domain XML, the domain
can retain the specified capabilities, like the following:

; VM can retain cap_sys_rawio capability
# virsh edit VM
...
  </features>
  <domain_capabilities>
    <cap_sys_rawio/>
  </domain_capabilities>
  <clock offset='utc'/>
...

# virsh start VM
# cat /proc/<VM's PID>/status
...
CapInh: 0000000000000000
CapPrm: fffffffc00020000
CapEff: fffffffc00020000
CapBnd: fffffffc00020000
...


  *[PATCH 1/4] conf: add XML schema for domain capabilities
  *[PATCH 2/4] util: add functions to keep capabilities
  *[PATCH 3/4] util: extend virExecWithHook()
  *[PATCH 4/4] qemu: make qemu processes to retain capabilities
 
--
Best regards, 
Taku Izumi <izumi.taku at jp.fujitsu.com>
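
As an added example (not part of the original post or the patchset), the /proc/<PID>/status check shown in the message can be scripted: the Python below decodes the Cap* masks and compares them with an allowlist. Capability names follow the bit numbering in linux/capability.h; `decode_mask`, `audit_status` and the `last_cap=33` value used for the sample are assumptions of this example.

```python
import re

# Bit numbers as assigned in linux/capability.h (index == capability number).
CAP_NAMES = """chown dac_override dac_read_search fowner fsetid kill setgid
setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read perfmon bpf checkpoint_restore""".split()

# Constructed sample: the Cap* lines quoted in the message above.
SAMPLE_STATUS = """\
CapInh: 0000000000000000
CapPrm: fffffffc00020000
CapEff: fffffffc00020000
CapBnd: fffffffc00020000
"""

def decode_mask(hex_mask, last_cap=len(CAP_NAMES) - 1):
    """Return (set of named capabilities, set bit numbers above last_cap)."""
    last_cap = min(last_cap, len(CAP_NAMES) - 1)
    value = int(hex_mask, 16)
    named = {"cap_" + CAP_NAMES[b] for b in range(last_cap + 1) if value >> b & 1}
    beyond = [b for b in range(last_cap + 1, 64) if value >> b & 1]
    return named, beyond

def audit_status(status_text, allowed, last_cap=len(CAP_NAMES) - 1):
    """Map each Cap* field to (unexpected caps, missing caps, bits beyond last_cap)."""
    report = {}
    pattern = r"^(Cap(?:Inh|Prm|Eff|Bnd)):\s*([0-9a-fA-F]+)"
    for field, mask in re.findall(pattern, status_text, re.M):
        named, beyond = decode_mask(mask, last_cap)
        report[field] = (sorted(named - allowed), sorted(allowed - named), beyond)
    return report

if __name__ == "__main__":
    # last_cap=33 (cap_mac_admin) is an assumed value for the sample; on a
    # live host use the number in /proc/sys/kernel/cap_last_cap if present.
    for field, (extra, missing, beyond) in audit_status(
            SAMPLE_STATUS, {"cap_sys_rawio"}, last_cap=33).items():
        print(f"{field}: unexpected={extra} missing={missing} "
              f"bits_above_last_cap={len(beyond)}")
```

With `last_cap=33` the sample's CapPrm, CapEff and CapBnd decode to cap_sys_rawio alone plus 30 set bits above the assumed last capability, so the value chosen for `last_cap` decides whether those high bits are reported as named capabilities.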



