On 03/25/2013 10:25 AM, Paolo Bonzini wrote: > The <interface type='bridge'> is working mostly because of a bad design > decision in Linux. Ideally, QEMU would run with an empty capability > bounding set and would not be able to do any privileged operation > (not even by running a helper program). This is not the case because > dropping capabilities from the bounding set requires a capability of its > own, CAP_SETPCAP; thus QEMU does *not* run with an empty bounding set if > invoked via qemu:///session. Ewww. So what you're saying is that the qemu that's run from qemu:///system is more locked down (and thus "more secure") than the qemu that's run from qemu:///session? Basically this qemu can run any setuid application it likes, and there's nothing that we can do about it. -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list