DB> The device whitelisting is all very nice, but we completely forgot
DB> / ignored the fact that there's nothing stopping a container
DB> mounting the cgroups device controller and giving itself the
DB> device access we just took away :-)

Ah, interesting.

DB> So, looks like we need to explicitly set the capabilities of
DB> containers to either mask out CAP_SYS_ADMIN from libvirtd's set,
DB> or construct an explicit capability whitelist

Yeah, I guess so. I'll start looking into this :)

--
Dan Smith
IBM Linux Technology Center
Open Hypervisor Team
email: danms@xxxxxxxxxx

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
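The two options discussed above (mask CAP_SYS_ADMIN out of the container's capability set, or give the container an explicit whitelist) both end up as a capability bounding set on the container's init process, and mounting a filesystem such as the cgroup controller is one of the operations gated by CAP_SYS_ADMIN. The script below is an added example, not code from this thread or from libvirt: it decodes the CapBnd line of a /proc/<pid>/status file, compares it against a whitelist, and reports any capability the container still holds that the whitelist does not grant. The two status excerpts and the "everything except CAP_SYS_ADMIN" whitelist are constructed for illustration and are not libvirt's actual policy.

```python
# Added example (not from the libvir-list thread or libvirt): decode a
# process's capability bounding set from /proc/<pid>/status and check it
# against an explicit capability whitelist.
import re

# Linux capability bit numbers, in the order defined by linux/capability.h.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}


def parse_cap_fields(status_text):
    """Return the Cap* lines of a /proc/<pid>/status file as {name: int mask}."""
    fields = {}
    for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", status_text, re.M):
        fields[m.group(1)] = int(m.group(2), 16)
    return fields


def mask_to_names(mask):
    """Expand a capability bitmask into the set of capability names it contains."""
    return {name for name, bit in CAP_BIT.items() if mask & (1 << bit)}


def names_to_mask(names):
    """Build a capability bitmask from a list of capability names."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_BIT[name]
    return mask


def excess_capabilities(status_text, whitelist):
    """Capabilities present in the bounding set that the whitelist does not allow."""
    bounding = parse_cap_fields(status_text)["CapBnd"]
    return mask_to_names(bounding & ~names_to_mask(whitelist))


def mask_out_whitelist():
    """Illustrative whitelist (constructed, not libvirt's): every capability except CAP_SYS_ADMIN."""
    return [name for name in CAP_NAMES if name != "CAP_SYS_ADMIN"]


def read_status(pid="self"):
    """Read /proc/<pid>/status for a live process (used only when run directly)."""
    with open("/proc/%s/status" % pid) as f:
        return f.read()


# Constructed /proc/<pid>/status excerpts: a container init that inherited the
# full capability set from libvirtd, and one whose bounding set had bit 21
# (CAP_SYS_ADMIN) removed.
UNRESTRICTED_STATUS = (
    "Name:\tlibvirt_lxc\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000003fffffffff\n"
    "CapEff:\t0000003fffffffff\n"
    "CapBnd:\t0000003fffffffff\n"
)
RESTRICTED_STATUS = (
    "Name:\tlibvirt_lxc\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000003fffdfffff\n"
    "CapEff:\t0000003fffdfffff\n"
    "CapBnd:\t0000003fffdfffff\n"
)

if __name__ == "__main__":
    for label, text in (("unrestricted", UNRESTRICTED_STATUS),
                        ("restricted", RESTRICTED_STATUS)):
        extra = excess_capabilities(text, mask_out_whitelist())
        print("%s container: excess capabilities = %s" % (label, sorted(extra)))
```

Running it against a real container's init PID (`read_status(pid)`) instead of the constructed excerpts gives a quick post-deployment check that the bounding set actually lost CAP_SYS_ADMIN; the explicit-whitelist variant is the same call with a short list of allowed names instead of `mask_out_whitelist()`.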