|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH v10] run QEMU as non-root
On Thu, 2015-11-05 at 12:47 +0000, Stefano Stabellini wrote: > Try to use "xen-qemuuser-domid$domid" first, then > "xen-qemuuser-shared" and root if everything else fails. > > The uids need to be manually created by the user or, more likely, by the > xen package maintainer. > > Expose a device_model_user setting in libxl_domain_build_info, so that > opinionated callers, such as libvirt, can set any user they like. Do not > fall back to root if device_model_user is set. Users can also set > device_model_user by hand in the xl domain config file. > > QEMU is going to setuid and setgid to the user ID and the group ID of > the specified user, soon after initialization, before starting to deal > with any guest IO. > > To actually secure QEMU when running in Dom0, we need at least to > deprivilege the privcmd and xenstore interfaces, this is just the first > step in that direction. > > Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx> acked + applied. _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |