From: Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>
To: Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
Cc: Kay Sievers <kay-tD+1rO4QERM@public.gmane.org>,
containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
Lennart Poettering
<lennart-mdGvqq1h2p+GdvJs77BJ7Q@public.gmane.org>,
cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [OFFLIST] status of devcg
Date: Thu, 11 Jul 2013 11:05:32 -0500
Message-ID: <20130711160532.GA14909@ac100>
In-Reply-To: <20130711155106.GB9229-9pTldWuhBndy/B6EtB590w@public.gmane.org>

Quoting Tejun Heo (tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org):
> On Thu, Jul 11, 2013 at 10:34:05AM +0100, Daniel P. Berrange wrote:
> > FWIW, libvirt's usage of devcg is to deny all by default, allow major 136
> > (for all /dev/pts/*), followed by allow (major,minor) pair for each specific
> > whitelisted devices. As such we don't have anything that relies on ordering
> > of rules in devcg.
>
> I'd personally much prefer something very simple - allow all by
> default, allow only the specified if explicitly specified. I really
> don't want full iptables like facility inside devcg.
>
> Thanks.

FWIW lxc is also quite happy with the simple rules.
Is there something in particular you want to accomplish for which the
current rules do not suffice?
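
The deny-by-default whitelist described in the quoted libvirt message, modelled as an added Python example (not code from libvirt, lxc or the kernel), to show why such a policy does not depend on rule order. Entries use the cgroup v1 `devices.allow` syntax `type major:minor access`; only major 136 comes from the thread, and the other entries and all requests are constructed samples.

```python
from itertools import permutations
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    dev_type: str          # 'c' char, 'b' block, 'a' all
    major: Optional[int]   # None stands for '*'
    minor: Optional[int]   # None stands for '*'
    access: frozenset      # subset of {'r', 'w', 'm'} (read, write, mknod)

def parse_rule(text: str) -> Rule:
    """Parse one whitelist entry written as 'type major:minor access'."""
    dev_type, numbers, access = text.split()
    if dev_type not in ("a", "b", "c"):
        raise ValueError(f"bad device type in {text!r}")
    if not set(access) <= set("rwm"):
        raise ValueError(f"bad access string in {text!r}")
    major, minor = (None if n == "*" else int(n) for n in numbers.split(":"))
    return Rule(dev_type, major, minor, frozenset(access))

def allowed(whitelist, dev_type, major, minor, access) -> bool:
    """Deny by default: permit only if one entry covers the whole request."""
    want = frozenset(access)
    return any(
        r.dev_type in ("a", dev_type)
        and r.major in (None, major)
        and r.minor in (None, minor)
        and want <= r.access
        for r in whitelist
    )

def decisions(rule_texts, requests):
    whitelist = [parse_rule(t) for t in rule_texts]
    return [allowed(whitelist, *req) for req in requests]

def order_independent(rule_texts, requests) -> bool:
    # Compare the decisions under every ordering of the entries.
    baseline = decisions(rule_texts, requests)
    return all(decisions(p, requests) == baseline for p in permutations(rule_texts))

# Constructed sample policy and requests (type, major, minor, access wanted).
SAMPLE_RULES = ["c 136:* rwm", "c 1:3 rwm", "c 1:5 rwm", "c 1:9 r"]
SAMPLE_REQUESTS = [
    ("c", 136, 7, "rw"),  # a pty slave: allowed by the wildcard entry
    ("c", 1, 3, "w"),     # /dev/null: allowed
    ("c", 1, 9, "w"),     # /dev/urandom is read-only here: denied
    ("b", 8, 0, "r"),     # a block device that was never listed: denied
]

if __name__ == "__main__":
    print(decisions(SAMPLE_RULES, SAMPLE_REQUESTS), order_independent(SAMPLE_RULES, SAMPLE_REQUESTS))
```

With no deny entries after the initial deny-all, a request is permitted exactly when some entry covers it, so reordering the entries cannot change a decision.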