On 27/11/2017 14:35, Michal Privoznik wrote:
>> But can you also test _more_ permissions if you want? So if QEMU passed
>> to the helper a file for which it has "lock" but not "ioctl" access,
>> would it make sense for the helper to let it through? Together with the
>> socket MAC, this should be precise enough.
> Sure, you can check any of the permissions which are defined for the
> type of object you've got. The goal is to check permissions which
> correspond to actions you're taking on the object. So if you do
> something other than just ioctl() on the passed in FD, it would make
> sense to check further permissions as appropriate.
Just to make sure I understand correctly: the PD passing is done by qemu
and not libvirt, right? Technically, we don't open the disks.
Correct.
Paolo