On Thu, Sep 22, 2022 at 11:13:42AM -0300, Jason Gunthorpe wrote: > On Thu, Sep 22, 2022 at 12:06:33PM +0100, Daniel P. Berrangé wrote: > > > So per-user locked mem accounting looks like a regression in > > our VM isolation abilities compared to the per-task accounting. > > For this kind of API the management app needs to put each VM in its > own user, which I'm a bit surprised it doesn't already do as a further > protection against cross-process concerns. Putting VMs in dedicated users is not practical to automatically do on a general purpose OS install, because there's no arbitrator of what UID ranges can be safely used without conflicting with other usage on the OS. With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
