On Mon, Nov 16, 2020 at 7:12 AM yebiaoxiang <yebiaoxiang(a)huawei.com&gt; wrote: While generally this is a good idea (and libvirt has been splitting out functionality into separate daemons for improving security around the service in general), I'm wondering if you looked at what libvirt is supposed to do and how it works today. Note that at least on reasonable distribution configurations, "--listen" is no longer used by default (at least not for a couple of years now), and even in socket-activated mode, listening on IP sockets (TCP/TLS) requires some configuration before it works. At least out of the box, it crashes with a not-configured error. So some interaction is required to configure and activate that mode. While it is possible to run libvirtd as a non-root user, it's quite annoying to do so and requires sufficient amount of hoop-jumping (granting access to KVM socket, ensuring it has ability to bind to ports, configuring network, etc.) that it's easier to run it as root and then impose rules to effectively deprivilege it by other means (SELinux, daemon separation, etc.). Unless you're running a version of libvirt from before 2018, I think that your concerns are fairly well resolved. P.S.: Your Cc for your colleagues was malformed. I fixed it in my reply. -- 真実はいつも一つ！/ Always, there's only one truth!