On Fri, Apr 26, 2013 at 11:16:14AM -0400, Laine Stump wrote:
> On 04/26/2013 04:52 AM, Daniel P. Berrange wrote:
> > On Thu, Apr 25, 2013 at 09:44:33PM -0400, Laine Stump wrote:
> >> We don't know exactly the names of the VFIO devices that will be
> >> needed (and due to hotplug, we can't ever assume we won't need them at
> >> all), so we just add an ACL to allow any vfio device - they all have
> >> the major number 244 (/dev/vfio/vfio is 244,0, and the /dev/vfio/n
> >> devices are up from there).
> > We do the correct labelling of the /dev/vfio/"N" device in the
> > security drivers, so we should be able to do the same for cgroups
> > device ACL. Allowing all "N" is not acceptable from a security
> > POV.
>
> Up until now there hasn't been any cgroup-related code in the security
> drivers, though. So where should this go? Do we need a new driver
> backend for cgroups? This would then mean that we need to have three
> tiers of security drivers rather than two. Or can it just be put in the
> DAC driver?

We manage perfectly well to configure ACLs for individual disks that a VM
is given without having to wildcard allow every single /dev/sdN disk.

The fact that you were able to make the security drivers label the
/dev/vfio/n devices correctly shows that the information required is
available. So why can't you set the cgroups ACLs correctly here too?
There's no need to move cgroups code into any security driver.

Daniel
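
The per-device ACL asked for in this reply, as an added example that is not part of the thread and is not libvirt's code: rather than a cgroup v1 `devices.allow` wildcard such as `c 244:* rw`, stat the one node assigned to the guest and emit a rule for exactly its major:minor. The function names are hypothetical, and `/dev/null` in `main` is a constructed stand-in for the assigned `/dev/vfio/N` node.

```c
/* Added example: build a per-device cgroup v1 devices.allow entry from a
 * device node, instead of allowing every minor under one major. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>

/* Format "<type> <major>:<minor> <perms>" for a char or block device.
 * Returns 0 on success, -1 if the mode is not a device node, perms holds
 * anything other than r/w/m, or the output buffer is too small. */
int device_acl_rule(mode_t mode, dev_t rdev, const char *perms,
                    char *out, size_t outlen)
{
    char type = S_ISCHR(mode) ? 'c' : S_ISBLK(mode) ? 'b' : 0;
    int n;

    if (!type)
        return -1;              /* regular file, directory, ...: no rule */
    if (perms[0] == '\0' || strspn(perms, "rwm") != strlen(perms))
        return -1;

    n = snprintf(out, outlen, "%c %u:%u %s", type,
                 major(rdev), minor(rdev), perms);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* stat() the node the guest was actually given and build its rule. */
int device_acl_rule_for_path(const char *path, const char *perms,
                             char *out, size_t outlen)
{
    struct stat sb;

    if (stat(path, &sb) < 0)
        return -1;              /* missing node: allow nothing */
    return device_acl_rule(sb.st_mode, sb.st_rdev, perms, out, outlen);
}

int main(void)
{
    char rule[64];

    /* Constructed demo input: /dev/null stands in for /dev/vfio/N. */
    if (device_acl_rule_for_path("/dev/null", "rw", rule, sizeof(rule)) == 0)
        puts(rule);             /* the line to write to devices.allow */
    return 0;
}
```

Because the rule is derived from the node's own `st_rdev`, a hot-plugged device gets its entry when it is assigned, and no other guest's `/dev/vfio/N` is reachable through the ACL.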