
Re: [libvirt] [PATCH 4/4] qemu: add VFIO devices to cgroup ACL

On 04/26/2013 09:55 AM, Laine Stump wrote:
>> We manage perfectly well to configure ACLs for individual disks that
>> a VM is given without having to wildcard allow every single /dev/sdN
>> disk. The fact that you were able to make the security drivers label
>> the /dev/vfio/n devices correctly shows that the information required
>> is available. So why can't you set the cgroups ACLs correctly here too?
>> There's no need to move cgroups code into any security driver.
> Sorry, my brain combined the first and second sentences of your message,
> and understood that you wanted this to happen in the security driver.
> I'll look up what's done for disks.

Basically, we have code that does four related things - call into the
security manager, call into the cgroup manager, call into the lock space
manager, and finally audit the result.  See
qemuDomainPrepareDiskChainElement for an example.

Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
