Re: [libvirt] [PATCH 7/7] qemu: Allow /dev/dri/render* for virgl domains

Hi On Fri, Feb 10, 2017 at 6:57 PM Michal Privoznik <mprivozn(a)redhat.com&gt; wrote: > When enabling virgl, qemu opens /dev/dri/render*. So far, we are > not allowing that in devices cgroup nor creating the file in > domain's namespace and thus requiring users to set the paths in > qemu.conf. This, however, is suboptimal as it allows access to > ALL qemu processes even those which don't have virgl configured. > > Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com&gt; > Thanks, but that doesn't work :) You should loop over the spice/gl graphics nodes (virtio accel3d is not actually using 3d, as of today, if the graphics configuration/layer doesn't provide it) See also Ján Tomko "qemu_cgroup: allow access to /dev/dri/render*" patch, which use to work. After my series "[PATCH 0/5] Add rendernode selection support", it will further have to narrow the path allowed to the specified rendernode. This can be done in my series or yours, depending on applied order.