Re: [libvirt] [PATCH 5/7] qemuDomainGetHostdevPath: Create /dev/vfio/vfio iff needed

2017-02-16 Thread Marc-André Lureau
Hi

On Fri, Feb 10, 2017 at 6:57 PM Michal Privoznik wrote:

> So far, we are allowing /dev/vfio/vfio in the devices cgroup
> unconditionally (and creating it in the namespace too). Even if
> the domain has no hostdev assignment configured. This is a potential
> security hole.

[libvirt] [PATCH 5/7] qemuDomainGetHostdevPath: Create /dev/vfio/vfio iff needed

2017-02-10 Thread Michal Privoznik
So far, we are allowing /dev/vfio/vfio in the devices cgroup unconditionally (and creating it in the namespace too), even if the domain has no hostdev assignment configured. This is a potential security hole. Therefore, when starting the domain (or hotplugging a hostdev) create & allow /dev/vfio/vfio
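The condition described in both messages above (the devices cgroup allowing /dev/vfio/vfio for a domain that defines no hostdev) can be audited on a running host. The following is an added example written for this thread, not libvirt code: it parses constructed sample domain XML and a constructed cgroup v1 `devices.list`, and flags a VFIO allow entry that no `<hostdev>` justifies. The (major, minor) pair for /dev/vfio/vfio and the "any hostdev counts" simplification are assumptions.

```python
"""Audit check: is /dev/vfio/vfio allowed in a domain's devices cgroup without any hostdev?"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a domain with no <hostdev> at all.
DOMAIN_XML_NO_HOSTDEV = """<domain type='kvm'><name>guest1</name>
  <devices><disk type='file' device='disk'/></devices></domain>"""

# Constructed sample: a domain with a PCI hostdev assignment.
DOMAIN_XML_WITH_HOSTDEV = """<domain type='kvm'><name>guest2</name>
  <devices><hostdev mode='subsystem' type='pci' managed='yes'>
    <source><address domain='0x0000' bus='0x03' slot='0x00' function='0x0'/></source>
  </hostdev></devices></domain>"""

# Constructed cgroup v1 devices.list content, one "<type> <major>:<minor> <perms>" entry per line.
DEVICES_LIST = "c 1:3 rwm\nc 1:5 rwm\nc 10:196 rwm\nc 10:232 rwm\n"

# Assumed (major, minor) of /dev/vfio/vfio; on a real host read it with os.stat() and
# os.major()/os.minor(), because the misc-device minor is assigned dynamically.
VFIO_DEV = (10, 196)

_ENTRY = re.compile(r"^([abc])\s+(\d+|\*):(\d+|\*)\s+([rwm]+)$")


def domain_has_hostdev(domain_xml):
    """Conservative simplification: any <hostdev> is treated as needing VFIO."""
    return ET.fromstring(domain_xml).find("./devices/hostdev") is not None


def cgroup_allows(devices_list, major, minor):
    """True if any devices.list entry covers the given character device (wildcards included)."""
    for line in devices_list.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue
        dev_type, maj, mnr, _perms = m.groups()
        if dev_type == "b":  # block-device entries never cover a char device
            continue
        if maj in ("*", str(major)) and mnr in ("*", str(minor)):
            return True
    return False


def unjustified_vfio_access(domain_xml, devices_list, vfio_dev=VFIO_DEV):
    """The condition the patch removes: VFIO allowed, but no hostdev configured."""
    return cgroup_allows(devices_list, *vfio_dev) and not domain_has_hostdev(domain_xml)
```

On a live host, `devices_list` would be the contents of the machine's cgroup `devices.list` file and `domain_xml` the output of `virsh dumpxml`.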