On Mon, Nov 18, 2013 at 09:05:21AM -0700, Eric Blake wrote:
On 11/18/2013 08:20 AM, Daniel P. Berrange wrote:
>> static const char *const defaultDeviceACL[] = {
>> "/dev/null", "/dev/full", "/dev/zero",
>> - "/dev/random", "/dev/urandom",
>> + "/dev/random", "/dev/urandom", "/dev/hwrng",
>> "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
>> "/dev/rtc", "/dev/hpet", "/dev/vfio/vfio",
>> NULL,
>
> NACK, for any device listed in the XML, we should add it in the per-VM
> cgroups setup code.
>
> The existing /dev/random & /dev/urandom devices are there because they
> are used for basic crypto libraries unrelated to the XML config.
/dev/urandom, probably. /dev/random - really? Isn't that a DoS
potential for one guest to starve entropy from other guests, in spite of
sVirt?
It is a tradeoff between providing the crypto libraries a weaker
entropy source vs DOS potential via entropy starvation. Given that
/dev/random is world writable on Linux in general, I think it is
acceptable to allow QEMU access by default. Paranoid admins can
always set the cgroups device ACL in /etc/libvirt/.qemu.conf if
they want to restrict it.
Daniel
--
|:
http://berrange.com -o-
http://www.flickr.com/photos/dberrange/ :|
|:
http://libvirt.org -o-
http://virt-manager.org :|
|:
http://autobuild.org -o-
http://search.cpan.org/~danberr/ :|
|:
http://entangle-photo.org -o-
http://live.gnome.org/gtk-vnc :|