On 08/22/2011 11:38 AM, Christoph Hellwig wrote:
I'm still totally against this. FD passing is a nice feature for sandboxing,
but the passing should be between closely cooperating programs. We'll
need a tool shipped from the qemu source tree to open and set up the
FDs, and not someone external. With that setup in place we can use
a protocol si
sVirt provides SELinux MAC isolation for Qemu guest processes and their
corresponding resources (image files). sVirt provides this support
by labeling guests and resources with security labels that are stored
in file system extended attributes. Some file systems, such as NFS, do
not support the ext