Hi all,

This patchset adds an option for KVM guests to retain arbitrary capabilities.

I want KVM guests to retain the "cap_sys_rawio" capability, so I tried to run qemu as the root user. However, because libvirt clears all capabilities of a KVM guest by default, even if the guest is running as the root user, it doesn't have any capabilities. I can fulfill my requirement by disabling the "clear_emulator_capabilities" option, but it's not a good idea considering the security risk. I'd be happy if libvirt could clear unnecessary capabilities instead of clearing all of them. That is the motivation for creating this patch.

By adding a "domain_capabilities" element to the domain XML, the domain can retain the specified capabilities, like the following:

  ; VM can retain the cap_sys_rawio capability
  # virsh edit VM
  ...
    </features>
    <domain_capabilities>
      <cap_sys_rawio/>
    </domain_capabilities>
    <clock offset='utc'/>
  ...
  # virsh start VM
  # cat /proc/<VM's PID>/status
  ...
  CapInh: 0000000000000000
  CapPrm: fffffffc00020000
  CapEff: fffffffc00020000
  CapBnd: fffffffc00020000
  ...

*[PATCH 1/4] conf: add XML schema for domain capabilities
*[PATCH 2/4] util: add functions to keep capabilities
*[PATCH 3/4] util: extend virExecWithHook()
*[PATCH 4/4] qemu: make qemu processes retain capabilities

--
Best regards,
Taku Izumi <izumi.taku@xxxxxxxxxxxxxx>

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
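To confirm from the host side that a started guest ended up with exactly the capabilities listed in its domain XML and nothing more, here is an added example (mine, not part of this patchset or of libvirt) that decodes the Cap* lines of /proc/<pid>/status and compares them against an expected set. The status text is a constructed sample taken from the dump above, and LAST_CAP = 33 is an assumption matching that dump (read /proc/sys/kernel/cap_last_cap on a live system).

```python
import re

# Capability bit numbers from <linux/capability.h>: index == bit (CAP_CHOWN=0 ... CAP_MAC_ADMIN=33).
CAP_NAMES = ("chown dac_override dac_read_search fowner fsetid kill setgid setuid "
             "setpcap linux_immutable net_bind_service net_broadcast net_admin "
             "net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace "
             "sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time "
             "sys_tty_config mknod lease audit_write audit_control setfcap "
             "mac_override mac_admin").split()

# Assumed highest capability the kernel defines; on a live host read /proc/sys/kernel/cap_last_cap.
LAST_CAP = 33

# Constructed sample: the Cap* lines from the cover letter's /proc/<pid>/status dump.
SAMPLE_STATUS = """CapInh:\t0000000000000000
CapPrm:\tfffffffc00020000
CapEff:\tfffffffc00020000
CapBnd:\tfffffffc00020000
"""

def parse_cap_masks(status_text):
    """Return {"CapInh": int, "CapPrm": int, ...} parsed from status text."""
    masks = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]{1,16})$", line.strip())
        if m:
            masks[m.group(1)] = int(m.group(2), 16)
    return masks

def decode_caps(mask, last_cap=LAST_CAP):
    """Map a mask to capability names. Older kernels report bits above
    cap_last_cap as set (the fffffffc... prefix in the dump); they name no
    real capability, so they are masked off before decoding."""
    mask &= (1 << (last_cap + 1)) - 1
    return {"cap_" + CAP_NAMES[b] if b < len(CAP_NAMES) else "cap_%d" % b
            for b in range(last_cap + 1) if mask >> b & 1}

def check_retained(status_text, expected, last_cap=LAST_CAP):
    """Return a list of mismatches; empty when the permitted, effective and
    bounding sets all equal `expected` (a set of lowercase cap names)."""
    masks = parse_cap_masks(status_text)
    expected = set(expected)
    problems = []
    for key in ("CapPrm", "CapEff", "CapBnd"):
        got = decode_caps(masks.get(key, 0), last_cap)
        if got != expected:
            problems.append("%s: extra=%s missing=%s" % (
                key, sorted(got - expected), sorted(expected - got)))
    return problems
```

Feed it the real file with `check_retained(open("/proc/%d/status" % pid).read(), {"cap_sys_rawio"})`; a non-empty result means the guest process carries capabilities beyond what the XML asked for.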