DB> So if that source code comment is correct, all we need to do is set
DB> a deny-all rule in that intermediate 'lxc' cgroup, and then
DB> containers will not be able to get access back, even if they have
DB> CAP_SYS_ADMIN

Even if I make the per-driver group have a deny-all policy, I can still
add arbitrary items to devices.allow and gain access from a subgroup.

So, I think we're going to need to restrict CAP_SYS_ADMIN if we really
want isolation, but I'm not sure what else that is likely to break.

--
Dan Smith
IBM Linux Technology Center
Open Hypervisor Team
email: danms@xxxxxxxxxx

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list