Hi
On Fri, Feb 10, 2017 at 6:57 PM Michal Privoznik wrote:
> So far, we are allowing /dev/vfio/vfio in the devices cgroup
> unconditionally (and creating it in the namespace too). Even if
> domain has no hostdev assignment configured. This is a potential
> security hole. Therefore, when starting t
So far, we are allowing /dev/vfio/vfio in the devices cgroup
unconditionally (and creating it in the namespace too). Even if
domain has no hostdev assignment configured. This is a potential
security hole. Therefore, when starting the domain (or
hotplugging a hostdev) create & allow /dev/vfio/vfio too