On 04/26/2013 09:55 AM, Laine Stump wrote:
We manage perfectly well to configure ACLs for individual disks that a VM is given without having to wildcard allow every single /dev/sdN disk. That fact that you were able to make the security drivers label the /dev/vfio/n devices correctly, shows that the information required is available. So why can't you set the cgroups ACLs correctly here too ? There's no need to move cgroups code into any security driver.
Sorry, my brain combined the first and second sentences of your message, and understood that you wanted this to happen in the security driver. I'll look up what's done for disks.
Basically, we have code that does four related things - call into the security manager, call into the cgroup manager, call into the lock space manager, and finally audit the result. See qemuDomainPrepareDiskChainElement for an example. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org