From: Sasha Levin
Subject: Re: Secure KVM
Date: Mon, 07 Nov 2011 08:29:03 +0200
Message-ID: <1320647343.3202.3.camel@lappy>
In-Reply-To: <877h3cu75a.fsf@rustcorp.com.au>
To: Rusty Russell
Cc: Andrea Arcangeli, Avi Kivity, Marcelo Tosatti, Ingo Molnar, Pekka Enberg, Cyrill Gorcunov, Asias He, Anthony Liguori, "Michael S. Tsirkin", kvm

On Mon, 2011-11-07 at 10:37 +1030, Rusty Russell wrote:
> On Sun, 06 Nov 2011 22:40:20 +0200, Sasha Levin wrote:
> > The solution is also simple to explain: Split the devices into different
> > processes and use seccomp to sandbox each device into the exact set of
> > resources it needs to operate, nothing more and nothing less.
>
> lguest does a process per device. Actually, it uses clone for legacy
> reasons, but I have a patch which changes it to processes.
>
> It works well, and it's *simple*. I suggest looking at
> Documentation/virtual/lguest/lguest.c.
>
> Good luck!
> Rusty.

Yup, that's pretty much what I want to have. As you said, clone() isn't
really an option - sharing things like the VM and handles is something
which I want to avoid.

How does your patch handle IPC?

-- 
Sasha.
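The design discussed above (one process per emulated device, each confined with seccomp to exactly the syscalls it needs, plus the IPC question Sasha raises), as an added C example. This is not code from this thread, from the kvm tool, or from lguest: the helper names build_allowlist, run_filter, decide and device_main, the pipe as the device's only channel to the VMM, and the four-syscall allow-list are assumptions made for the illustration. It uses seccomp filter mode (SECCOMP_MODE_FILTER via prctl), which arrived in Linux 3.5; at the time of this thread seccomp offered only strict mode (read, write, _exit, sigreturn), which is too narrow for most device loops.

```c
/* Added example, not code from this thread, kvmtool or lguest: one process per
 * emulated device, confined by a seccomp-bpf syscall allow-list, with a pipe
 * as its only channel to the VMM. Linux only. Build: cc -Wall -o devsandbox devsandbox.c */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Pin the ABI: syscall numbers differ per architecture, and without the check
 * a compat-ABI caller could reuse an allowed number for a different syscall. */
#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define STMT(code, k)       (struct sock_filter)BPF_STMT(code, k)
#define JUMP(code, k, t, f) (struct sock_filter)BPF_JUMP(code, k, t, f)

/* Emit an allow-list filter into out[cap]: check arch, load nr, one JEQ per
 * allowed nr jumping to the final ALLOW, else KILL. Returns the instruction
 * count, or -1 if the list does not fit (jump offsets are 8-bit). */
int build_allowlist(const int *nrs, size_t n, struct sock_filter *out, size_t cap)
{
    size_t i = 0;
    if (n > 200 || cap < n + 6)
        return -1;
    out[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[i++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0);
    out[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    out[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++)   /* ALLOW sits n-k instructions past this JEQ */
        out[i++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nrs[k], (unsigned char)(n - k), 0);
    out[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    out[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return (int)i;
}

/* Interpreter for the three instruction kinds the builder emits, so a filter
 * can be checked offline before it is installed. Unknown opcodes fail closed. */
unsigned run_filter(const struct sock_filter *f, int len, const struct seccomp_data *d)
{
    unsigned acc = 0;
    for (int pc = 0; pc < len; pc++) {
        const struct sock_filter in = f[pc];
        if (in.code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (const char *)d + in.k, sizeof acc);
        else if (in.code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += acc == in.k ? in.jt : in.jf;   /* offsets are relative to pc + 1 */
        else if (in.code == (BPF_RET | BPF_K))
            return in.k;
        else
            return SECCOMP_RET_KILL;
    }
    return SECCOMP_RET_KILL;
}

/* What the filter built from nrs[0..n) decides for syscall nr on arch. */
unsigned decide(const int *nrs, size_t n, int nr, unsigned arch)
{
    struct sock_filter insns[64];
    int len = build_allowlist(nrs, n, insns, 64);
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return len < 0 ? SECCOMP_RET_KILL : run_filter(insns, len, &d);
}

/* Hypothetical device process. Its pipe end to the VMM is the only handle it
 * keeps, set up before the filter goes in. NO_NEW_PRIVS is required without
 * CAP_SYS_ADMIN and stops a later execve of a setuid binary from running under
 * our filter. Any syscall off the list kills the process outright. */
static int device_main(int to_vmm)
{
    const int allowed[] = { SYS_read, SYS_write, SYS_exit_group, SYS_exit };
    static const char msg[] = "device ready";
    struct sock_filter insns[64];
    int len = build_allowlist(allowed, 4, insns, 64);
    struct sock_fprog prog = { .len = (unsigned short)len, .filter = insns };
    if (len < 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
        return 1;
    return write(to_vmm, msg, sizeof msg) == (ssize_t)sizeof msg ? 0 : 1;
}

int main(void)
{
    int fds[2], status = 0;
    pid_t pid;
    char buf[32] = "";
    if (pipe(fds) || (pid = fork()) < 0)
        return 1;
    if (pid == 0) {
        close(fds[0]);
        _exit(device_main(fds[1]));
    }
    close(fds[1]);
    ssize_t got = read(fds[0], buf, sizeof buf - 1);
    waitpid(pid, &status, 0);
    printf("vmm read %zd bytes (\"%s\"), device exit status %d\n", got, buf, WEXITSTATUS(status));
    return 0;
}
```

Run stand-alone, the parent (the VMM side) prints what the device process wrote over the pipe. Replace the write() in device_main with, say, a socket() call and the child dies with SIGSYS instead, which is the behaviour wanted: the device process cannot reach resources it was never given. The pipe is the answer to the IPC question in its simplest form; a real VMM would pass the guest memory window and the eventfd/ioeventfd descriptors the device needs before installing the filter, since after that point the process cannot open anything new. decide() lets you check a filter's verdicts offline before trusting it with a real process.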