Re: [libvirt] PATCH: 3/3: Control file device access
On Thu, Feb 26, 2009 at 04:42:59PM +0000, Daniel P. Berrange wrote:
This patch is more focused on access control. CGroups has a controller
that enforces ACLs on device nodes. This allows us to restrict exactly
what block/character devices a guest is allowed to access. So in the
absence of something like SELinux sVirt, you can get a degree of
isolation between VMs on block device backed disks.
Will that work for dynamically plugged block devices ? This seems to
have the potential to break things there, isn't-it ?
This sets up an initial deny-all policy, and then iterates over all
the disks defined for a VM, allowing each one in turn. Finally it
allows a handy of common nodes like /dev/null, /dev/random, /dev/ptmx
and friends, which all processes need to use.
[...]
+ if (virCgroupAllowDeviceMajor(cgroup, 'c', 136) < 0)
{
errr ... what is 136 ? Maybe a descriptive constant would help :-)
In gneral how much testing do we need before pushing those patches ?
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel(a)veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/