On Mon, 07 Nov 2011 08:29:03 +0200, Sasha Levin <levinsasha928@xxxxxxxxx> wrote:
> On Mon, 2011-11-07 at 10:37 +1030, Rusty Russell wrote:
> > On Sun, 06 Nov 2011 22:40:20 +0200, Sasha Levin <levinsasha928@xxxxxxxxx> wrote:
> > > The solution is also simple to explain: Split the devices into different
> > > processes and use seccomp to sandbox each device into the exact set of
> > > resources it needs to operate, nothing more and nothing less.
> >
> > lguest does a process per device. Actually, it uses clone for legacy
> > reasons, but I have a patch which changes it to processes.
> >
> > It works well, and it's *simple*. I suggest looking at
> > Documentation/virtual/lguest/lguest.c.
> >
> > Good luck!
> > Rusty.
>
> Yup, that's pretty much what I want to have.
>
> As you said, clone() isn't really an option - sharing things like the VM
> and handles is something which I want to avoid. How does your patch
> handle IPC?

Yeah, the patch to change it to processes just changes the mmap (of
/dev/zero) which forms guest memory from MAP_PRIVATE to MAP_SHARED.

There's no IPC, because I have no device hotplug :)

On exit we kill the entire process group, so it kills the device
processes too.

Cheers,
Rusty.
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
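The two mechanisms Rusty describes above, a /dev/zero mapping that forms guest memory and becomes visible to forked device processes once it is MAP_SHARED rather than MAP_PRIVATE, and killing the whole process group on exit, as an added stand-alone example. This is not lguest's code (see Documentation/virtual/lguest/lguest.c for that); the 4 KiB "guest memory" size, the 0x42 marker byte, the pipe used to confirm the devices are gone, the MAP_ANONYMOUS fallback and the choice of SIGKILL are all assumptions made for the demo. The seccomp filter Sasha mentions is not implemented here; the comment marks where it would be installed in the device process.

```c
/* Added example, not lguest's code: process-per-device over a shared
 * guest-memory mapping, plus process-group teardown. Linux/POSIX only. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define GUEST_MEM_SIZE 4096   /* assumption: tiny stand-in for guest RAM */
#define DEVICE_MAGIC   0x42   /* assumption: marker the device writes */

/* Back "guest memory" with /dev/zero as lguest does; `flags` is MAP_SHARED
 * or MAP_PRIVATE, the one-word difference Rusty's patch makes.
 * Falls back to anonymous memory if /dev/zero cannot be opened (assumption). */
static unsigned char *map_guest_memory(int flags)
{
    void *mem = MAP_FAILED;
    int fd = open("/dev/zero", O_RDWR);
    if (fd >= 0) {
        mem = mmap(NULL, GUEST_MEM_SIZE, PROT_READ | PROT_WRITE, flags, fd, 0);
        close(fd);
    }
#ifdef MAP_ANONYMOUS
    else
        mem = mmap(NULL, GUEST_MEM_SIZE, PROT_READ | PROT_WRITE,
                   flags | MAP_ANONYMOUS, -1, 0);
#endif
    return mem == MAP_FAILED ? NULL : (unsigned char *)mem;
}

/* Fork one "device" process that writes into guest memory and return the byte
 * the launcher sees afterwards (-1 on error). With MAP_SHARED the launcher
 * sees 0x42; with MAP_PRIVATE the child's write lands on a copy-on-write page
 * and the launcher still reads 0: no sharing, so no usable device process. */
int device_write_visible(int map_flags)
{
    unsigned char *guest = map_guest_memory(map_flags);
    if (!guest)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        munmap(guest, GUEST_MEM_SIZE);
        return -1;
    }
    if (pid == 0) {
        /* Device process. A seccomp filter restricting it to the syscalls
         * the device needs would be installed here, before touching memory. */
        guest[0] = DEVICE_MAGIC;
        _exit(0);
    }
    int status;
    waitpid(pid, &status, 0);
    int seen = guest[0];
    munmap(guest, GUEST_MEM_SIZE);
    return seen;
}

/* A launcher puts itself in a new process group and forks `ndevices` idle
 * device processes; the caller then kills the entire group, as lguest does on
 * exit. Every device inherits the pipe's write end, so read() on the read end
 * hits EOF only once all of them are dead. Returns ndevices on success, -1 on
 * error (or blocks if something survived, which is the failure you'd notice). */
int kill_process_group_demo(int ndevices)
{
    int pipefd[2];
    if (pipe(pipefd) < 0)
        return -1;
    pid_t launcher = fork();
    if (launcher < 0)
        return -1;
    if (launcher == 0) {
        setpgid(0, 0);                 /* new group: launcher + its devices */
        close(pipefd[0]);
        for (int i = 0; i < ndevices; i++) {
            if (fork() == 0)
                for (;;) pause();      /* device main loop stand-in */
        }
        unsigned char ready = (unsigned char)ndevices;
        if (write(pipefd[1], &ready, 1) != 1)   /* "all devices spawned" */
            _exit(1);
        for (;;) pause();
    }
    close(pipefd[1]);
    unsigned char count = 0;
    if (read(pipefd[0], &count, 1) != 1) {
        close(pipefd[0]);
        return -1;
    }
    killpg(launcher, SIGKILL);         /* launcher pid == its new pgid */
    int status;
    waitpid(launcher, &status, 0);
    unsigned char dummy;
    int all_gone = (read(pipefd[0], &dummy, 1) == 0);   /* EOF: no writers left */
    close(pipefd[0]);
    return all_gone ? (int)count : -1;
}

int main(void)
{
    printf("MAP_SHARED:  launcher sees 0x%02x\n", device_write_visible(MAP_SHARED));
    printf("MAP_PRIVATE: launcher sees 0x%02x\n", device_write_visible(MAP_PRIVATE));
    printf("devices torn down with the group: %d\n", kill_process_group_demo(3));
    return 0;
}
```

The first check is the whole content of the patch Rusty mentions: with MAP_PRIVATE the fork gives each device its own copy of guest memory, so nothing a device does is visible to the guest; MAP_SHARED is what makes a separate process usable as a device at all. The second shows why no per-device IPC is needed for teardown when devices live in the launcher's process group.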