>>maybe also usb/pci passthrough maybe with vfio it'll work
also, I think we need to suid the pve-bridge script, to be able to create tap devices ----- Mail original ----- De: "Alexandre DERUMIER" <[email protected]> À: "Dietmar Maurer" <[email protected]> Cc: [email protected] Envoyé: Mardi 22 Avril 2014 17:42:19 Objet: Re: [pve-devel] KVM Security I think that direct access to /dev/... don't work, maybe also usb/pci passthrough ----- Mail original ----- De: "Dietmar Maurer" <[email protected]> À: "Eric Blevins" <[email protected]>, [email protected] Envoyé: Mardi 22 Avril 2014 16:50:43 Objet: Re: [pve-devel] KVM Security > Why does Proxmox run KVM process as root? Only for simplicity. It would need a careful audit to see what features are broken if we run as non-root. > Running KVM as a non-root user would be much more secure, a flaw allowing > code execution on the host would be limited by the user account. > For added security running each KVM process as a unique user would prevent an > exploit in one guest from accessing virtual disks of another guest provided > proper permissions were also applied to the vm disk files/devices. Would be great if somebody helps to analyze those issues in more detail. Some volunteers here? _______________________________________________ pve-devel mailing list [email protected] http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel _______________________________________________ pve-devel mailing list [email protected] http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel _______________________________________________ pve-devel mailing list [email protected] http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
