Re: [RFC] Unify KVM kernel-space and user-space code into a singleproject
From: Avi Kivity
Date: Wed Mar 24 2010 - 11:44:14 EST
On 03/24/2010 05:37 PM, Joerg Roedel wrote:
No it can't. With sVirt every single VM has a custom security label and
the policy only allows it access to disks / files with a matching label,
and prevents it attacking any other VMs or processes on the host. THis
confines the scope of any exploit in QEMU to those resources the admin
has explicitly assigned to the guest.
Even better. So a guest which breaks out can't even access its own
/sys/kvm/ directory. Perfect, it doesn't need that access anyway.
But what security label does that directory have? How can we make sure
that whoever needs access to those files, gets them?
Automatically created objects don't work well with that model. They're
simply missing information.
--
error compiling committee.c: too many arguments to function
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/