Re: [libvirt] [PATCH v3 0/5] RFC: grant KVM guests retain arbitrary capabilities

Yep, I tend to agree. We should have 1. rawio="yes|nmo" on the<disk> element somewhere 2. Give the QEMU process CAP_SYS_RAWIO 3. Use the devices cgroup to specify which individual disks can use rawio. That said I don't think we need to block the entire patch, just waiting for #3. I think it is acceptable to implement #1& #2 right now, provided that we mark the domain as tainted. After all if we don't do #1& #2, then people are just going to set clear_emulator_capabilities=0 which is even more insecure.