On Thu, Feb 26, 2009 at 04:42:59PM +0000, Daniel P. Berrange wrote:
This patch is more focused on access control. CGroups has a controller that enforces ACLs on device nodes. This allows us to restrict exactly what block/character devices a guest is allowed to access. So in the absence of something like SELinux sVirt, you can get a degree of isolation between VMs on block device backed disks.
Will that work for dynamically plugged block devices ? This seems to have the potential to break things there, isn't-it ?
This sets up an initial deny-all policy, and then iterates over all the disks defined for a VM, allowing each one in turn. Finally it allows a handy of common nodes like /dev/null, /dev/random, /dev/ptmx and friends, which all processes need to use.
[...]
+ if (virCgroupAllowDeviceMajor(cgroup, 'c', 136) < 0) {
errr ... what is 136 ? Maybe a descriptive constant would help :-) In gneral how much testing do we need before pushing those patches ? Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/