On Thu, Apr 25, 2013 at 09:44:33PM -0400, Laine Stump wrote:
> We don't know exactly the names of the VFIO devices that will be
> needed (and due to hotplug, we can't ever assume we won't need them at
> all), so we just add an ACL to allow any vfio device - they all have
> the major number 244 (/dev/vfio/vfio is 244,0, and the /dev/vfio/n
> devices are up from there).

We do the correct labelling of the /dev/vfio/"N" device in the
security drivers, so we should be able to do the same for the cgroups
device ACL. Allowing all "N" is not acceptable from a security POV.

Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
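
The difference between the wildcard ACL and a per-device ACL discussed in this message, as an added example that is not part of the thread or of libvirt's code. It assumes the cgroup v1 devices controller entry format (`type major:minor access`); the function names, the sample `devices.list` content, the minor number 3 and the `rw` access string are constructed for illustration, and major 244 is the value quoted above.

```python
import os
import stat

# Constructed sample of a guest's cgroup v1 devices.list (not from the thread).
SAMPLE_DEVICES_LIST = """\
c 1:3 rwm
c 1:5 rwm
c 244:* rwm
c 244:0 rwm
"""

# Constructed (st_mode, st_rdev) pairs, shaped like os.stat() results for the
# nodes a guest actually uses: /dev/vfio/vfio plus one group node.
ASSIGNED_NODES = [
    (stat.S_IFCHR | 0o600, os.makedev(244, 0)),
    (stat.S_IFCHR | 0o600, os.makedev(244, 3)),  # minor 3 is made up
]

def overbroad_entries(devices_list, major):
    """Return entries that allow every minor of `major` (or every device)."""
    hits = []
    for line in devices_list.splitlines():
        parts = line.split()
        if len(parts) != 3 or ":" not in parts[1]:
            continue  # skip blank or malformed lines
        kind, dev, _access = parts
        maj, _, minor = dev.partition(":")
        if kind in ("c", "a") and maj in ("*", str(major)) and minor == "*":
            hits.append(line.strip())
    return hits

def rule_for_node(st_mode, st_rdev, access="rw"):
    """Build the devices.allow entry for exactly one device node."""
    if stat.S_ISCHR(st_mode):
        kind = "c"
    elif stat.S_ISBLK(st_mode):
        kind = "b"
    else:
        raise ValueError("not a device node")
    return f"{kind} {os.major(st_rdev)}:{os.minor(st_rdev)} {access}"

def narrow_rules(nodes):
    """One allow rule per assigned node, in place of the wildcard."""
    return [rule_for_node(mode, rdev) for mode, rdev in nodes]

if __name__ == "__main__":
    print("over-broad:", overbroad_entries(SAMPLE_DEVICES_LIST, 244))
    print("replace with:", narrow_rules(ASSIGNED_NODES))
```

Deriving the rule from the node's own major and minor, rather than from the number in its name, avoids assuming that /dev/vfio/N has minor N.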