These two patches are in response to CVE-2011-4127:

  http://seclists.org/oss-sec/2011/q4/536

Once the kernel security fix and corresponding qemu mitigation patch are in
place, access to SG_IO commands from qemu guests will be disabled by default.
This patch series provides a way to explicitly enable such support when it is
required.

In a discussion just before sending this patch series, Paolo Bonzini wondered
if rather than the XML syntax being what's proposed here:

  <disk type='block' device='disk' dev='/dev/sda'>   <!-- SG_IO off -->
  <disk type='lun' device='disk' dev='/dev/sda'>     <!-- SG_IO on -->

maybe it should instead be:

  <disk type='block' device='disk' dev='/dev/sda'>   <!-- SG_IO off -->
  <disk type='block' device='lun' dev='/dev/sda'>    <!-- SG_IO on -->

I guess it partly depends on whether we would ever want to turn on SG_IO for a
disk with device='cdrom|floppy' vs. if we would ever want to turn it on for
type='file|dir|network'.

Opinions?

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
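Whichever syntax is adopted, an administrator will want to know which guests have SG_IO passthrough switched back on once the default becomes "off". The following audit script is an added example and is not code from the thread or from libvirt; it assumes the two proposals above, treating a disk as SG_IO-enabled when it has either type='lun' (first proposal) or device='lun' (second proposal), and reads the backing path either from the dev= attribute shown in the proposals or from the <source dev=/file=> child that ordinary libvirt domain XML uses. The domain XML it parses is constructed for illustration.

```python
"""Audit libvirt domain XML for disks that would expose SG_IO to the guest.

Added example, not from the libvir-list thread or the libvirt project.
Assumption: a <disk> enables SG_IO when type='lun' or device='lun',
matching the two syntaxes proposed in the message.
"""
import xml.etree.ElementTree as ET

# Constructed sample domain: one plain block disk, one of each proposed
# SG_IO-on form, and a file-backed cdrom that must not be flagged.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>demo</name>
  <devices>
    <disk type='block' device='disk' dev='/dev/sda'/>
    <disk type='lun' device='disk' dev='/dev/sdb'/>
    <disk type='block' device='lun' dev='/dev/sdc'/>
    <disk type='file' device='cdrom'>
      <source file='/var/lib/libvirt/images/install.iso'/>
    </disk>
  </devices>
</domain>"""


def disk_backing(disk):
    """Return the host path behind a <disk>, or None if it has no backing.

    The proposals in the thread put dev= directly on <disk>; ordinary
    libvirt domain XML puts it on <source dev=.../> (block) or
    <source file=.../> (file). Accept all three so the audit runs on
    real domain definitions as well as the proposed snippets.
    """
    if disk.get("dev"):
        return disk.get("dev")
    source = disk.find("source")
    if source is None:
        return None
    return source.get("dev") or source.get("file")


def sgio_enabled(disk):
    """True when the <disk> matches either proposed SG_IO-on form (assumption)."""
    return disk.get("type") == "lun" or disk.get("device") == "lun"


def audit_sgio(domain_xml):
    """List (backing path, type, device) for every disk with SG_IO enabled."""
    root = ET.fromstring(domain_xml)
    findings = []
    for disk in root.iter("disk"):
        if sgio_enabled(disk):
            findings.append((disk_backing(disk), disk.get("type"), disk.get("device")))
    return findings


if __name__ == "__main__":
    for path, dtype, device in audit_sgio(SAMPLE_DOMAIN_XML):
        print(f"SG_IO enabled: {path} (type={dtype}, device={device})")
```

Run it against the output of `virsh dumpxml <domain>` for each guest to build an inventory of disks with raw SCSI command access; anything listed should be a deliberate exception rather than a leftover default.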