I have been working on trying to get qemu, when running as a Xen device model, to _actually_ not have power equivalent to root.
I think I have achieved this, with some limitations (which will be discussed in my series against xen.git. However, there are changes to qemu needed. In particular * The -xen-domid-restrict option does not work properly right now. It only restricts a small subset of the descriptors qemu has open. I am introducing a new library call in the Xen libraries for this, xentoolcore_restrict_all. * We need to call a different function on domain shutdown. * The restriction operation needs to be done at a slightly different time, necessitating a new hook. * Additionally, in the future, we intend to be able to set aside a uid range for these qemus to run in, and that involves being able to tell qemu to drop privilege by numeric uid and gid. Thanks very much to Anthony Perard for his review of the first, RFC, version, and for helping out with configure. At least the first patch of this, "xen: link against xentoolcore", will very likely be necessary, since the corresponding xen.git series is likely to make Xen 4.10. Ian.