Re: [libvirt] [PATCH 3/8] qemu: add VFIO devices to cgroup ACL

On 04/25/2013 11:57 AM, Laine Stump wrote: This matches what we have done for ptys and sound; but it's rather broad in that the access is now ALWAYS allowed. For ptys, always being enabled makes sense (you seldom start a guest without a pty, and even if we blindly grant the privilege to a guest that doesn't use a pty there's not much they could break by a rogue guest opening a pty device); but for vfio, it's tied to something that we don't want to allow rogue access to, when it can be avoided. Do we want to be a bit smarter and only add it to the file at the point when we start a guest with a vfio device and/or hotplug a vfio device, then revoke the cgroup privileges any time we hot-unplug the last vfio device? If so, it would be similar to how we add cgroup device ACL privileges for block disks at hotplug time, except that we'd need some domain tracking to count how many vfio devices are plugged at once, so we aren't revoking access until the last hot-unplug. I can live with this as-is (we at least audit that it happens), but wonder if it is worth respinning this patch to be smarter about when to allow vfio in the guest. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org