On 27/11/2017 14:35, Michal Privoznik wrote: >>> But can you also test _more_ permissions if you want? So if QEMU passed >>> to the helper a file for which it has "lock" but not "ioctl" access, >>> would it make sense for the helper to let it through? Together with the >>> socket MAC, this should be precise enough. >> Sure, you can check any of the permissions which are defined for the >> type of object you've got. The goal is to check permissions which >> correspond to actions you're taking on the object. So if you do >> something other than just ioctl() on the passed in FD, it would make >> sense to check further permissions as appropriate. > Just to make sure I understand correctly: the PD passing is done by qemu > and not libvirt, right? Technically, we don't open the disks. Correct. Paolo -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list