On 04/26/2013 09:55 AM, Laine Stump wrote:
>> We manage perfectly well to configure ACLs for individual disks that
>> a VM is given without having to wildcard allow every single /dev/sdN
>> disk. The fact that you were able to make the security drivers label
>> the /dev/vfio/n devices correctly, shows that the information required
>> is available. So why can't you set the cgroups ACLs correctly here too?
>> There's no need to move cgroups code into any security driver.
>>
>
> Sorry, my brain combined the first and second sentences of your message,
> and understood that you wanted this to happen in the security driver.
> I'll look up what's done for disks.

Basically, we have code that does four related things - call into the
security manager, call into the cgroup manager, call into the lock space
manager, and finally audit the result. See
qemuDomainPrepareDiskChainElement for an example.

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
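
The four-step pattern described in the reply above, sketched as an added example that is not libvirt code and not part of the original thread: one device node is labeled, added to an exact-match ACL, locked, and audited, with earlier steps undone if a later one fails. All names here (`prepare_device`, `has`, `struct state`) are hypothetical, the in-memory tables stand in for the real managers, and the step order simply follows the order listed in the message.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical in-memory model; none of these names are libvirt APIs. */
enum { MAX = 8, LEN = 32 };
struct set { char path[MAX][LEN]; int n; };
struct state { struct set label, acl, lock; char audit[MAX][64]; int naudit; };

static int add(struct set *t, const char *p) {
    if (t->n >= MAX || strlen(p) >= LEN) return -1;
    strcpy(t->path[t->n++], p);
    return 0;
}

/* Exact-match lookup: the ACL holds individual nodes, never a wildcard. */
int has(const struct set *t, const char *p) {
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->path[i], p) == 0) return 1;
    return 0;
}

/* Label, allow, lock, then audit one device node. fail_lock simulates a
 * lock failure so the rollback path can be exercised. */
int prepare_device(struct state *s, const char *p, int fail_lock) {
    int ret = -1;
    if (add(&s->label, p) < 0) goto audit;
    if (add(&s->acl, p) < 0) goto undo_label;
    if (fail_lock || add(&s->lock, p) < 0) goto undo_acl;
    ret = 0;
    goto audit;
undo_acl:
    s->acl.n--;      /* revoke the ACL entry just granted */
undo_label:
    s->label.n--;    /* drop the label just applied */
audit:               /* the result is audited on success and on failure */
    if (s->naudit < MAX)
        snprintf(s->audit[s->naudit++], 64, "device=%s res=%s",
                 p, ret == 0 ? "success" : "failed");
    return ret;
}

int main(void) {
    static struct state s;
    prepare_device(&s, "/dev/vfio/12", 0);  /* constructed sample paths */
    prepare_device(&s, "/dev/vfio/13", 1);  /* simulated lock failure */
    for (int i = 0; i < s.naudit; i++) puts(s.audit[i]);
    return 0;
}
```

A device whose preparation fails part-way is left with no ACL entry and no label, and the failure still appears in the audit trail.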