[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH 4/4] qemu: add VFIO devices to cgroup ACL



On 04/26/2013 09:55 AM, Laine Stump wrote:
>> We manage perfectly well to configure ACLs for individual disks that
>> a VM is given without having to wildcard allow every single /dev/sdN
>> disk. That fact that you were able to make the security drivers label
>> the /dev/vfio/n devices correctly, shows that the information required
>> is available. So why can't you set the cgroups ACLs correctly here too ?
>> There's no need to move cgroups code into any security driver.
>>
> 
> Sorry, my brain combined the first and second sentences of your message,
> and understood that you wanted this to happen in the security driver.
> I'll look up what's done for disks.

Basically, we have code that does four related things - call into the
security manager, call into the cgroup manager, call into the lock space
manager, and finally audit the result.  See
qemuDomainPrepareDiskChainElement for an example.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]