Hi,

Any comments about that?

Regards,
Marcelo

On Tue, Sep 11, 2012 at 02:13:38PM -0400, Corey Bryant wrote:
> Are there any other requirements that need to be taken care of to
> enable execution of QEMU guests under separate unprivileged user IDs
> (ie. DAC isolation)?
>
> At this point, this patch series (Per-guest configurable user/group
> for QEMU processes) is upstream, allowing libvirt to execute guests
> under separate unprivileged user IDs. Additionally, the QEMU bridge
> helper series is upstream, allowing QEMU to allocate a tap device
> and attach it to a bridge when run under an unprivileged user ID
> (http://www.redhat.com/archives/libvir-list/2012-August/msg00277.html).
>
> Is there any other feature in QEMU that requires QEMU to be run as root?
>
> --
> Regards,
> Corey
>
> On 08/15/2012 06:10 PM, Marcelo Cerri wrote:
> > This is a v4 patch series that updates the libvirt's security driver
> > mechanism to support per-guest configurable user and group for QEMU
> > processes running together with other security drivers, such as
> > SELinux and AppArmor.
> >
> > Marcelo Cerri (5):
> >   Internal refactory of data structures
> >   Multiple security drivers in XML data
> >   Update security layer to handle many security labels
> >   Support for multiple default security drivers in QEMU config
> >   Update the remote API
> >
> >  daemon/remote.c                                |  63 ++++
> >  docs/formatdomain.html.in                      |  11 +-
> >  docs/schemas/capability.rng                    |  18 +-
> >  docs/schemas/domaincommon.rng                  |  30 ++-
> >  include/libvirt/libvirt.h.in                   |   2 +
> >  python/generator.py                            |   1 +
> >  src/conf/capabilities.c                        |  17 +-
> >  src/conf/capabilities.h                        |   6 +-
> >  src/conf/domain_audit.c                        |  14 +-
> >  src/conf/domain_conf.c                         | 343 +++++++++++++++-----
> >  src/conf/domain_conf.h                         |  20 +-
> >  src/driver.h                                   |   4 +
> >  src/libvirt.c                                  |  47 +++
> >  src/libvirt_private.syms                       |   5 +
> >  src/libvirt_public.syms                        |   1 +
> >  src/lxc/lxc_conf.c                             |   8 +-
> >  src/lxc/lxc_controller.c                       |   8 +-
> >  src/lxc/lxc_driver.c                           |  11 +-
> >  src/lxc/lxc_process.c                          |  23 +-
> >  src/qemu/qemu.conf                             |   6 +-
> >  src/qemu/qemu_conf.c                           |  38 ++-
> >  src/qemu/qemu_conf.h                           |   2 +-
> >  src/qemu/qemu_driver.c                         | 218 +++++++++++---
> >  src/qemu/qemu_process.c                        |  50 ++-
> >  src/remote/remote_driver.c                     |  46 +++
> >  src/remote/remote_protocol.x                   |  17 +-
> >  src/remote_protocol-structs                    |  11 +
> >  src/security/security_apparmor.c               | 118 +++++--
> >  src/security/security_dac.c                    | 324 +++++++++++++++++--
> >  src/security/security_manager.c                | 101 +++++--
> >  src/security/security_manager.h                |   8 +-
> >  src/security/security_selinux.c                | 263 +++++++++++-----
> >  src/security/security_stack.c                  | 237 +++++++++-----
> >  src/security/security_stack.h                  |  13 +
> >  src/test/test_driver.c                         |  11 +-
> >  .../qemuxml2argv-seclabel-dynamic-override.xml |   4 +-
> >  .../qemuxml2argv-seclabel-dynamic.xml          |   2 +-
> >  37 files changed, 1653 insertions(+), 448 deletions(-)
> >
> > --
> > libvir-list mailing list
> > libvir-list@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/libvir-list