On Fri, Sep 23, 2022 at 02:35:20PM +0100, Daniel P. Berrangé wrote:
> On Fri, Sep 23, 2022 at 10:29:41AM -0300, Jason Gunthorpe wrote:
> > On Fri, Sep 23, 2022 at 09:54:48AM +0100, Daniel P. Berrangé wrote:
> >
> > > Yes, we use cgroups extensively already.
> >
> > Ok, I will try to see about this
> >
> > Can you also tell me if the selinux/seccomp will prevent qemu from
> > opening more than one /dev/vfio/vfio ? I suppose the answer is no?
>
> I don't believe there's any restriction on the number of open attempts,
> it's just a case of allowed or denied globally for the VM.

Ok

For iommufd we plan to have qemu accept a single already opened FD of
/dev/iommu and so the selinux/etc would block all access to the chardev.

Can you tell me if the thing invoking qemu that will open /dev/iommu
will have CAP_SYS_RESOURCE ? I assume yes if it is already touching
ulimits..

Jason