On Wed, Mar 24, 2010 at 05:43:31PM +0200, Avi Kivity wrote:
On 03/24/2010 05:37 PM, Joerg Roedel wrote:If we go the /proc/<pid>/kvm way then the directory should probably
Even better. So a guest which breaks out can't even access its ownBut what security label does that directory have? How can we make sure
/sys/kvm/ directory. Perfect, it doesn't need that access anyway.
that whoever needs access to those files, gets them?
Automatically created objects don't work well with that model. They're
simply missing information.
inherit the label from /proc/<pid>/?
Same could be applied to /sys/kvm/guest/ if we decide for it. The VM is
still bound to a single process with a /proc/<pid> after all.