On 01/27/2012 02:30 PM, Daniel P. Berrange wrote:
Yep, I tend to agree. We should have
1. rawio="yes|nmo" on the<disk> element somewhere
2. Give the QEMU process CAP_SYS_RAWIO
3. Use the devices cgroup to specify which individual disks
can use rawio.
That said I don't think we need to block the entire patch, just waiting
for #3. I think it is acceptable to implement #1& #2 right now,
provided that we mark the domain as tainted. After all if we don't do
#1& #2, then people are just going to set clear_emulator_capabilities=0
which is even more insecure.
Yeah, tainting makes sense. Once we implement #3 we can remove the taint.
Paolo
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list