Re: [libvirt] [PATCH 6/7] Use cgroups for block device whitelisting in QEMU guests

On Fri, Jul 17, 2009 at 09:04:28AM -0400, Daniel P. Berrange wrote: Worth adding a description for this function too, especially the return value which is not trivial from reading the code. > + > +int virCgroupDenyDevicePath(virCgroupPtr group, > + const char *path) > +{ > + struct stat sb; > + > + if (stat(path, &sb) < 0) > + return -errno; > + > + if (!S_ISCHR(sb.st_mode) && !S_ISBLK(sb.st_mode)) > + return -EINVAL; > + > + return virCgroupDenyDevice(group, > + S_ISCHR(sb.st_mode) ? 'c' : 'b', > + major(sb.st_rdev), > + minor(sb.st_rdev)); [...] Hum, that list sounds a bit arbitrary, this could break for random reasons maybe this should be extended through the configuration, I assume a mismatch may result in domain failing to start or operate properly, right ? [...] Hum, that's a magic number, can we get a meaningful #define The idea sounds good but I'm a bit afraid of the inflexibility, this has the potential of making qemu/kvm far more fragile without a way to fix this by patching and recompiling. Again I'm not a cgroup expert but I feel a bit uneasy, can we get at least an option to disable it at runtime in the configuration (sorry if I missed that !) ? Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel(a)veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/