Il 28/03/2013 20:30, Laine Stump ha scritto: > > The <interface type='bridge'> is working mostly because of a bad design > > decision in Linux. Ideally, QEMU would run with an empty capability > > bounding set and would not be able to do any privileged operation > > (not even by running a helper program). This is not the case because > > dropping capabilities from the bounding set requires a capability of its > > own, CAP_SETPCAP; thus QEMU does *not* run with an empty bounding set if > > invoked via qemu:///session. > > Ewww. So what you're saying is that the qemu that's run from > qemu:///system is more locked down (and thus "more secure") than the > qemu that's run from qemu:///session? Basically this qemu can run any > setuid application it likes, and there's nothing that we can do about it. Yes. However, seccompv2 can still prevent execve to be executed by qemu. Paolo -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list