On Mon, Nov 18, 2013 at 09:05:21AM -0700, Eric Blake wrote:
> On 11/18/2013 08:20 AM, Daniel P. Berrange wrote:
>
> >> static const char *const defaultDeviceACL[] = {
> >> "/dev/null", "/dev/full", "/dev/zero",
> >> - "/dev/random", "/dev/urandom",
> >> + "/dev/random", "/dev/urandom", "/dev/hwrng",
> >> "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
> >> "/dev/rtc", "/dev/hpet", "/dev/vfio/vfio",
> >> NULL,
> >
> > NACK, for any device listed in the XML, we should add it in the per-VM
> > cgroups setup code.
> >
> > The existing /dev/random & /dev/urandom devices are there because they
> > are used for basic crypto libraries unrelated to the XML config.
>
> /dev/urandom, probably. /dev/random - really? Isn't that a DoS
> potential for one guest to starve entropy from other guests, in spite of
> sVirt?
It is a tradeoff between providing the crypto libraries a weaker
entropy source vs DOS potential via entropy starvation. Given that
/dev/random is world writable on Linux in general, I think it is
acceptable to allow QEMU access by default. Paranoid admins can
always set the cgroups device ACL in /etc/libvirt/.qemu.conf if
they want to restrict it.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list