On Sun, Nov 08, 2015 at 12:30:47PM +0100, Theo Buehler wrote:
> [...]
> Your solution makes sense to me, but if anything in this direction is
> the way to go, I'd like to suggest the following variant of your idea:
>
> * We can make a pledge("id") at the start. Drop this after setrlimit(2).
> * Try to find the kmem group early on and use setegid(2) instead of
>   initgroups(2). Pass kmem's gid as an argument to kvm_mkdb().
> * If the kmem group wasn't found, don't try to chown in kvm_mkdb().
>
> [...]
Way cleaner than my approach. I like it :)
--
Gregor
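
The ordering proposed in the quoted message, as an added sketch in C (not code from this thread or from the kvm_mkdb source). The helper names `find_group` and `set_db_group`, the file `example.db`, the pledge promise strings and the use of fchown(2) for the ownership step are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE	/* glibc: expose setegid/fchown under strict -std */
#include <sys/types.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* Resolve a group name once, early. Returns 1 and fills *gid, or 0 if absent. */
int find_group(const char *name, gid_t *gid)
{
	struct group *gr = getgrnam(name);

	if (gr == NULL)
		return 0;
	*gid = gr->gr_gid;
	return 1;
}

/* Hypothetical stand-in for the ownership step inside kvm_mkdb():
 * returns 1 if the group was set, 0 if skipped (no group), -1 on error. */
int set_db_group(int fd, int have_gid, gid_t gid)
{
	if (!have_gid)
		return 0;
	return fchown(fd, (uid_t)-1, gid) == -1 ? -1 : 1;
}

int main(void)
{
	gid_t kmem_gid = 0;
	int fd, have_kmem;

#ifdef __OpenBSD__	/* assumed promise set; "id" covers setegid and setrlimit */
	if (pledge("stdio rpath wpath cpath fattr getpw id", NULL) == -1)
		return 1;
#endif
	have_kmem = find_group("kmem", &kmem_gid);
	if (have_kmem && setegid(kmem_gid) == -1)
		perror("setegid");
	/* setrlimit(2) would be called here, while "id" is still held */
#ifdef __OpenBSD__	/* same assumed set, now without "id" and "getpw" */
	if (pledge("stdio rpath wpath cpath fattr", NULL) == -1)
		return 1;
#endif
	if ((fd = open("example.db", O_RDWR | O_CREAT, 0640)) == -1)	/* constructed path */
		return 1;
	if (set_db_group(fd, have_kmem, kmem_gid) == -1)
		perror("fchown");
	close(fd);
	return 0;
}
```

Because the gid is resolved before the second pledge call, no group database lookup or id-changing call is needed once the database is being written.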