On Thu, Sep 22, 2022 at 12:06:33PM +0100, Daniel P. Berrangé wrote: > So per-user locked mem accounting looks like a regression in > our VM isolation abilities compared to the per-task accounting. For this kind of API the management app needs to put each VM in its own user, which I'm a bit surprised it doesn't already do as a further protection against cross-process concerns. The question here is how to we provide enough compatability for this existing methodology while still closing the security holes and inconsistencies that exist in the kernel implementation. Jason