
On Thu, Apr 25, 2013 at 09:44:33PM -0400, Laine Stump wrote:
> We don't know exactly the names of the VFIO devices that will be needed (and due to hotplug, we can't ever assume we won't need them at all), so we just add an ACL to allow any vfio device - they all have the major number 244 (/dev/vfio/vfio is 244,0, and the /dev/vfio/n devices are up from there).

We do the correct labelling of the /dev/vfio/"N" device in the security drivers, so we should be able to do the same for cgroups device ACL. Allowing all "N" is not acceptable from a security POV.

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
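
The per-device alternative to a whole-major ACL, as an added example that is not part of this thread and not libvirt's code: it derives a cgroup v1 `devices.allow` rule for one specific /dev/vfio/N node from its stat() result, and flags wildcard rules when auditing a `devices.list`. The function names `vfio_acl_rule` and `acl_rule_is_wildcard` and the "rw" access string are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/types.h>

/* Build a devices.allow rule for exactly one device node, from the
 * stat() result of that node. Returns 0 on success, -1 if the node is
 * not a character device or the buffer is too small.
 * The "rw" access string is an assumption of this example. */
int vfio_acl_rule(const struct stat *sb, char *buf, size_t len)
{
    if (!S_ISCHR(sb->st_mode))
        return -1;
    int n = snprintf(buf, len, "c %u:%u rw",
                     major(sb->st_rdev), minor(sb->st_rdev));
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Audit helper: returns 1 if a devices.list line grants a whole major
 * (minor "*") or every major, e.g. "c 244:* rwm" or "a *:* rwm". */
int acl_rule_is_wildcard(const char *rule)
{
    char type, maj[16], min[16];
    if (sscanf(rule, " %c %15[^:]:%15s", &type, maj, min) != 3)
        return 0;
    return strcmp(maj, "*") == 0 || strcmp(min, "*") == 0;
}

/* Usage: ./a.out /dev/vfio/N  (prints the rule for that one node) */
int main(int argc, char **argv)
{
    struct stat sb;
    char rule[32];
    if (argc < 2 || stat(argv[1], &sb) < 0 ||
        vfio_acl_rule(&sb, rule, sizeof(rule)) < 0) {
        fprintf(stderr, "usage: %s <char device node>\n", argv[0]);
        return 1;
    }
    printf("%s%s\n", rule,
           acl_rule_is_wildcard(rule) ? "  (wildcard!)" : "");
    return 0;
}
```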