On Sun, 06 Nov 2011 22:40:20 +0200, Sasha Levin <levinsasha928@xxxxxxxxx> wrote: > The solution is also simple to explain: Split the devices into different > processes and use seccomp to sandbox each device into the exact set of > resources it needs to operate, nothing more and nothing less. lguest does a process per device. Actually, it uses clone for legacy reasons, but I have a patch which changes it to processes. It works well, and it's *simple*. I suggest looking at Documentation/virtual/lguest/lguest.c. Good luck! Rusty. -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
