Re: [libvirt] [PATCH 4/4] qemu: add VFIO devices to cgroup ACL
On 04/26/2013 09:55 AM, Laine Stump wrote:
> We manage perfectly well to configure ACLs for individual disks
that
> a VM is given without having to wildcard allow every single /dev/sdN
> disk. That fact that you were able to make the security drivers label
> the /dev/vfio/n devices correctly, shows that the information required
> is available. So why can't you set the cgroups ACLs correctly here too ?
> There's no need to move cgroups code into any security driver.
>
Sorry, my brain combined the first and second sentences of your message,
and understood that you wanted this to happen in the security driver.
I'll look up what's done for disks.
Basically, we have code that does four related things - call into the
security manager, call into the cgroup manager, call into the lock space
manager, and finally audit the result. See
qemuDomainPrepareDiskChainElement for an example.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
Attachments:
- signature.asc (application/pgp-signature — 621 bytes)