Hi all,
This patchset adds an option for KVM guests to retain arbitrary capabilities.
I want KVM guests to retain the "cap_sys_rawio" capability, so I tried to
run qemu as the root user. However, because libvirt clears all capabilities
of a KVM guest by default, even if the guest is running as the root user,
it doesn't have any capabilities. I can fulfill my requirement by
disabling the "clear_emulator_capabilities" option, but that's not
a good idea considering the security risk. I'd be happy if libvirt could clear
unnecessary capabilities instead of clearing all of them. That is the motivation
for creating this patch.
By adding a "domain_capabilities" element to the domain XML, the domain
can retain the specified capabilities, like the following:
; VM can retain cap_sys_rawio capability
    # virsh edit VM
    ...
      </features>
      <domain_capabilities>
        <cap_sys_rawio/>
      </domain_capabilities>
      <clock offset='utc'/>
    ...
    # virsh start VM
    # cat /proc/<VM's PID>/status
    ...
    CapInh: 0000000000000000
    CapPrm: fffffffc00020000
    CapEff: fffffffc00020000
    CapBnd: fffffffc00020000
    ...
*[PATCH 1/4] conf: add XML schema for domain capabilities
*[PATCH 2/4] util: add functions to keep capabilities
*[PATCH 3/4] util: extend virExecWithHook()
*[PATCH 4/4] qemu: make qemu processes to retain capabilities
--
Best regards,
Taku Izumi <izumi.taku(a)jp.fujitsu.com>
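
Added example, not part of the original message or the patchset: a Python check that decodes the Cap* lines shown above and reports any named capability outside an allow-list. The function names and the last_cap value of 33 are assumptions for illustration; on a live host that value is read from /proc/sys/kernel/cap_last_cap.

```python
import re

# Capability bit numbers as defined in linux/capability.h (list index == bit).
CAP_NAMES = """chown dac_override dac_read_search fowner fsetid kill setgid
setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read perfmon bpf checkpoint_restore""".split()

# Constructed sample: the Cap* lines quoted in the message above.
SAMPLE_STATUS = """\
CapInh:\t0000000000000000
CapPrm:\tfffffffc00020000
CapEff:\tfffffffc00020000
CapBnd:\tfffffffc00020000
"""

def parse_cap_sets(status_text):
    """Return {'CapInh': int, ...} from the text of /proc/<pid>/status."""
    pattern = r"^(Cap\w+):[ \t]*([0-9a-fA-F]+)"
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(pattern, status_text, re.M)}

def decode(mask, last_cap=len(CAP_NAMES) - 1):
    """Split a mask into named capabilities and set bits above last_cap."""
    last_cap = min(last_cap, len(CAP_NAMES) - 1)
    named = ["cap_" + CAP_NAMES[b] for b in range(last_cap + 1) if mask >> b & 1]
    unknown = [b for b in range(last_cap + 1, 64) if mask >> b & 1]
    return named, unknown

def unexpected_caps(status_text, allowed, last_cap=len(CAP_NAMES) - 1):
    """Named capabilities present in any Cap* set but not in the allow-list."""
    found = set()
    for mask in parse_cap_sets(status_text).values():
        found.update(decode(mask, last_cap)[0])
    return sorted(found - set(allowed))

if __name__ == "__main__":
    for name, mask in parse_cap_sets(SAMPLE_STATUS).items():
        # 33 is an assumed cap_last_cap value, not taken from the message.
        named, unknown = decode(mask, last_cap=33)
        print(name, named, "bits above last_cap:", unknown)
```

Bits above the kernel's last defined capability carry no privilege, so the check only compares named capabilities against the allow-list.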