On Tue, Dec 20, 2011 at 04:40:54PM +0900, Taku Izumi wrote:
> Hi all,
>
> This patchset adds an option for KVM guests to retain arbitrary capabilities.
>
> I want KVM guests to retain "cap_sys_rawio" capability, so I tried to
> run qemu as root user. However because libvirt clears all capability
> of KVM guest by default, even if guest is running as root user,
> it doesn't have any capability. I can fulfill my requirement by
> disabling "clear_emulator_capabilities" option, but it's not
> a good idea considering security risk. I'm happy libvirt could clear
> unnecessary capabilities instead of clearing all. That is a motivator
> for creating this patch.
>
> By adding "domain_capabilities" element and to domain XML, its domain
> can retain specified capabilities like the following:
>
>  ; VM can retain cap_sys_rawio capability
>  # virsh edit VM
>  ...
>    </features>
>    <domain_capabilities>
>      <cap_sys_rawio/>
>    </domain_capabilities>
>    <clock offset='utc'/>

We could do with a feature like this for LXC too. Though I'd prefer
the XML to be a little more concise. Perhaps

  <process>
    <cap_sys_rawio/>
  </process>

One potential concern is that the capability names are OS specific,
so perhaps rather than allow them as element names, we should use
string attribute values for them

  <process>
    <cap name='sys_rawio'/>
  </process>

and declare the attribute values are potentially OS dependent, and
then expose the list of allowed OS capabilities values in the
capabilities XML.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
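Added example, not part of the original message and not libvirt code: a sketch of how the attribute form proposed in the reply could be checked against a host-advertised list, rejecting unknown names instead of silently ignoring them. The <process>/<cap name='...'/> layout is only the proposal from this thread; retained_caps, LINUX_CAPS and the sample domain XML are hypothetical names constructed here, and the capability numbers are a subset taken from <linux/capability.h>.

```python
import xml.etree.ElementTree as ET

# Assumption: the host advertises this allow-list (name -> Linux capability
# number) in its capabilities XML, as suggested in the reply.
LINUX_CAPS = {"chown": 0, "net_admin": 12, "net_raw": 13, "ipc_lock": 14,
              "sys_rawio": 17, "sys_admin": 21, "sys_nice": 23}


def retained_caps(domain_xml, allowed=LINUX_CAPS):
    """Return (names, bitmask) of the capabilities a guest asks to keep.

    Default-deny: no <process> element means nothing is retained.
    Unknown names, duplicates and stray elements are errors, so a typo
    can never widen or silently change the retained set.
    """
    root = ET.fromstring(domain_xml)
    process = root.find("process")
    if process is None:
        return [], 0
    names, mask = [], 0
    for child in process:
        if child.tag != "cap":
            raise ValueError(f"unexpected element <{child.tag}> in <process>")
        name = child.get("name", "").strip().lower()
        if name not in allowed:
            raise ValueError(f"capability {name!r} not supported on this host")
        bit = 1 << allowed[name]
        if mask & bit:
            raise ValueError(f"capability {name!r} listed twice")
        names.append(name)
        mask |= bit
    return names, mask


# Constructed sample domain XML using the attribute form from the reply.
SAMPLE = """<domain type='kvm'>
  <name>VM</name>
  <features><acpi/></features>
  <process>
    <cap name='sys_rawio'/>
  </process>
  <clock offset='utc'/>
</domain>
"""
```

The returned bitmask is the set to keep; every other capability would still be cleared, which preserves the default behaviour described in the quoted message.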