27 Jan
2012
27 Jan
'12
1:55 p.m.
On 01/27/2012 02:30 PM, Daniel P. Berrange wrote:
Yep, I tend to agree. We should have
1. rawio="yes|nmo" on the<disk> element somewhere 2. Give the QEMU process CAP_SYS_RAWIO 3. Use the devices cgroup to specify which individual disks can use rawio.
That said I don't think we need to block the entire patch, just waiting for #3. I think it is acceptable to implement #1& #2 right now, provided that we mark the domain as tainted. After all if we don't do #1& #2, then people are just going to set clear_emulator_capabilities=0 which is even more insecure.
Yeah, tainting makes sense. Once we implement #3 we can remove the taint. Paolo