On 01/27/2012 02:30 PM, Daniel P. Berrange wrote:
Yep, I tend to agree. We should have1. rawio="yes|nmo" on the<disk> element somewhere 2. Give the QEMU process CAP_SYS_RAWIO 3. Use the devices cgroup to specify which individual disks can use rawio. That said I don't think we need to block the entire patch, just waiting for #3. I think it is acceptable to implement #1& #2 right now, provided that we mark the domain as tainted. After all if we don't do #1& #2, then people are just going to set clear_emulator_capabilities=0 which is even more insecure.
Yeah, tainting makes sense. Once we implement #3 we can remove the taint. Paolo -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
