|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH v7] run QEMU as non-root
On Mon, Jul 27, 2015 at 03:19:56PM +0200, Fabio Fantoni wrote: > Il 23/07/2015 19:08, Stefano Stabellini ha scritto: > >Try to use "xen-qemudepriv-domid$domid" first, then > >"xen-qemudepriv-shared" and root if everything else fails. > > > >The uids need to be manually created by the user or, more likely, by the > >xen package maintainer. > > > >Expose a device_model_user setting in libxl_domain_build_info, so that > >opinionated callers, such as libvirt, can set any user they like. Do not > >fall back to root if device_model_user is set. > > > >QEMU is going to setuid and setgid to the user ID and the group ID of > >the specified user, soon after initialization, before starting to deal > >with any guest IO. > > > >To actually secure QEMU when running in Dom0, we need at least to > >deprivilege the privcmd and xenstore interfaces, this is just the first > >step in that direction. > > > >Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx> > > Thanks for this patch, now I'll test it. > I think can be good add also domU's xl cfg parameter for set custom user to > use instead make possible only in libxl from external tools, is possible to > add it? It looks trivial to me. The hardest part would be picking a name for the new option and writing that down in manpage. :-) Wei. _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |