Anthony Liguori wrote:
> Avi Kivity wrote:
>> Rusty Russell wrote:
>>> Hi all,
>>>
>>> Just finished my prototype of inter-guest virtio, using
>>> networking as an example. Each guest mmaps the other's address
>>> space and uses a FIFO for notifications.
>>
>> Isn't that a security hole (hole? chasm)? If the two guests can
>> access each other's memory, they might as well be just one guest, and
>> communicate internally.
>
> Each guest's host userspace mmaps the other guest's address space.
> The userspace then does a copy on both the tx and rx paths.

Well, that's better security-wise (I'd still prefer to avoid it, so we
can run each guest under a separate uid), but then we lose performance-wise.

> Conceivably, this could be done as a read-only mapping so that each
> guest userspace copies only the rx packets. That's about as secure as
> you're going to get with this approach I think.

Maybe we can terminate the virtio queue in the host kernel as a pipe,
and splice pipes together.

That gives us guest-guest and guest-process communications, and if you
use aio the kernel can use a dma engine for the copy.
--
error compiling committee.c: too many arguments to function
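
The read-only mapping idea quoted in the message above, as an added example that is not part of the original thread and is not lguest or virtio code. It assumes Linux; a temporary file stands in for the sending guest's memory, and `rx_copy_readonly` and `REGION` are hypothetical names. The receiver opens the backing object `O_RDONLY`, so its shared mapping cannot later be upgraded to writable, and it performs only the rx copy.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#define REGION 4096  /* constructed stand-in for the sending guest's memory */

/* Hypothetical helper: the "sender" writes pkt into its region; the
 * "receiver" maps the same region read-only and copies the packet out.
 * *upgrade_errno gets the errno from trying to make that mapping writable. */
int rx_copy_readonly(const char *pkt, size_t len, char *out, int *upgrade_errno)
{
    char path[] = "/tmp/guestmemXXXXXX";
    int rc = -1, wfd = mkstemp(path), rfd = -1;
    char *tx = MAP_FAILED, *rx = MAP_FAILED;

    if (wfd < 0 || len > REGION || ftruncate(wfd, REGION) != 0)
        goto out;
    tx = mmap(NULL, REGION, PROT_READ | PROT_WRITE, MAP_SHARED, wfd, 0);
    rfd = open(path, O_RDONLY);           /* receiver's descriptor: read-only */
    if (tx == MAP_FAILED || rfd < 0)
        goto out;
    rx = mmap(NULL, REGION, PROT_READ, MAP_SHARED, rfd, 0);
    if (rx == MAP_FAILED)
        goto out;
    memcpy(tx, pkt, len);                 /* sender queues a packet */
    /* Receiver cannot upgrade: its fd was never opened for writing. */
    *upgrade_errno = mprotect(rx, REGION, PROT_READ | PROT_WRITE) ? errno : 0;
    memcpy(out, rx, len);                 /* the single rx-path copy */
    rc = 0;
out:
    if (rx != MAP_FAILED) munmap(rx, REGION);
    if (tx != MAP_FAILED) munmap(tx, REGION);
    if (rfd >= 0) close(rfd);
    if (wfd >= 0) { close(wfd); unlink(path); }
    return rc;
}

int main(void)
{
    const char pkt[] = "constructed-rx-packet";   /* constructed sample */
    char out[sizeof pkt];
    int e = 0;
    if (rx_copy_readonly(pkt, sizeof pkt, out, &e) != 0) return 1;
    printf("rx copy: %s; write upgrade: %s\n", out, strerror(e));
    return 0;
}
```

The receiver still sees everything in the mapped region, so this limits tampering, not disclosure.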