On Fri, Mar 7, 2014 at 3:51 PM, Lukasz Pawelczyk <havner@xxxxxxxxx> wrote:
Would you please elaborate on this? Where is this mechanism? How does it work without kernel space support? Is there some kernel space support I’m not aware of?
On 7 Mar 2014, at 20:24, Lennart Poettering <mzerqung@xxxxxxxxxxx> wrote:
> On Fri, 07.03.14 19:45, Lukasz Pawelczyk (havner@xxxxxxxxx) wrote:
>
>> Problem:
>> Has anyone thought about a mechanism to limit/remove an access to a
>> device during an application runtime? Meaning we have an application
>> that has an open file descriptor to some /dev/node and depending on
>> *something* it gains or looses the access to it gracefully (with or
>> without a notification, but without any fatal consequences).
>
> logind can mute input devices as sessions are switched, to enable
> unpriviliged X11 and wayland compositors.
Precisly! That’s the generic idea. I’m not for implementing it though at this moment. I just wanted to know whether anybody actually though about it or maybe someone is interested in starting such a work, etc.
>> Example:
>> LXC. Imagine we have 2 separate containers. Both running full operating
>> systems. Specifically with 2 X servers. Both running concurrently of
>
> Well, devices are not namespaced on Linux (with the single exception of
> network devices). An X server needs device access, hence this doesn't
> fly at all.
>
> When you enumerate devices with libudev in a container they will never
> be marked as "initialized" and you do not get any udev hotplug events in
> containers, and you don#t have the host's udev db around, nor would it
> make any sense to you if you had. X11 and friends rely on udev
> however...
>
> Before you think about doing something like this, you need to fix the
> kernel to provide namespaced devices (good luck!)
Yes, we have started such a thing. Here is the link to the wiki:
[...]
Oren.
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list