Quoting Tejun Heo (tj@xxxxxxxxxx):
> On Thu, Jul 11, 2013 at 10:34:05AM +0100, Daniel P. Berrange wrote:
> > FWIW, libvirt's usage of devcg is to deny all by default, allow major 136
> > (for all /dev/pts/*), followed by allow (major,minor) pair for each specific
> > whitelisted devices. As such we don't have anything that relies on ordering
> > of rules in devcg.
>
> I'd personally much prefer something very simple - allow all by
> default, allow only the specified if explicitly specified. I really
> don't want full iptables like facility inside devcg.
>
> Thanks.

FWIW lxc is also quite happy with the simple rules. Is there something
in particular you want to accomplish for which the current rules do not
suffice?
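
The deny-by-default whitelist described in the quoted libvirt message, as an added example that is not part of the original thread and is neither libvirt nor kernel code: a simplified Python model of `devices.allow`-style entries showing that the verdict does not depend on rule order. Only major 136 comes from the thread; the `1:N` entries and the probe list are constructed for illustration.

```python
"""Simplified model of a deny-by-default device cgroup whitelist (constructed example)."""
from itertools import permutations

def parse_rule(text):
    """Parse an entry of the form '<type> <major>:<minor> <access>', e.g. 'c 136:* rwm'."""
    dev_type, numbers, access = text.split()
    major, minor = numbers.split(":")
    if dev_type not in ("a", "b", "c") or not set(access) <= set("rwm"):
        raise ValueError(f"bad rule: {text!r}")
    return dev_type, major, minor, frozenset(access)

def rule_matches(rule, dev_type, major, minor, access):
    """True if one whitelist entry covers the requested device and access bits."""
    r_type, r_major, r_minor, r_access = rule
    return (r_type in ("a", dev_type)
            and r_major in ("*", str(major))
            and r_minor in ("*", str(minor))
            and set(access) <= r_access)

def allowed(rules, dev_type, major, minor, access):
    """Deny by default; permit only if some whitelist entry covers the request."""
    return any(rule_matches(parse_rule(r), dev_type, major, minor, access)
               for r in rules)

def order_independent(rules, probes):
    """Check that every ordering of the whitelist gives the same verdicts."""
    baseline = [allowed(rules, *p) for p in probes]
    return all([allowed(list(perm), *p) for p in probes] == baseline
               for perm in permutations(rules))

# Constructed whitelist: all of major 136 (/dev/pts/*), then specific pairs
# (1:3 null, 1:5 zero, 1:8 random, 1:9 urandom are assumptions, not from the thread).
WHITELIST = ["c 136:* rwm", "c 1:3 rwm", "c 1:5 rwm", "c 1:8 rwm", "c 1:9 rwm"]

# Constructed probes: (type, major, minor, requested access)
PROBES = [("c", 136, 7, "rw"),   # a pty slave: allowed
          ("c", 1, 3, "rw"),     # /dev/null: allowed
          ("c", 1, 1, "r"),      # /dev/mem: not whitelisted
          ("b", 8, 0, "r"),      # first SCSI disk: not whitelisted
          ("c", 10, 229, "rw")]  # /dev/fuse: not whitelisted

if __name__ == "__main__":
    for probe in PROBES:
        print(probe, "allow" if allowed(WHITELIST, *probe) else "deny")
    print("order independent:", order_independent(WHITELIST, PROBES))
```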