From mboxrd@z Thu Jan 1 00:00:00 1970
From: Rusty Russell
Subject: Re: Secure KVM
Date: Mon, 07 Nov 2011 10:37:44 +1030
Message-ID: <877h3cu75a.fsf@rustcorp.com.au>
References: <1320612020.3299.22.camel@lappy>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: kvm
To: Sasha Levin, Andrea Arcangeli, Avi Kivity, Marcelo Tosatti, Ingo Molnar, Pekka
Return-path:
Received: from ozlabs.org ([203.10.76.45]:51647 "EHLO ozlabs.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755014Ab1KGBad (ORCPT ); Sun, 6 Nov 2011 20:30:33 -0500
In-Reply-To: <1320612020.3299.22.camel@lappy>
Sender: kvm-owner@vger.kernel.org
List-ID:

On Sun, 06 Nov 2011 22:40:20 +0200, Sasha Levin wrote:
> The solution is also simple to explain: Split the devices into different
> processes and use seccomp to sandbox each device into the exact set of
> resources it needs to operate, nothing more and nothing less.

lguest does a process per device.  Actually, it uses clone for legacy
reasons, but I have a patch which changes it to processes.

It works well, and it's *simple*.  I suggest looking at
Documentation/virtual/lguest/lguest.c.

Good luck!
Rusty.
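The process-per-device plus seccomp scheme discussed in this thread, as an added example written for this page. It is not lguest code and not code from any of the participants: the one-byte request/reply protocol over two pipes is made up for the demo, and the sandbox is a Linux seccomp-bpf allow-list that permits exactly read, write and exit_group. The VMM side forks one child per device, the child installs the filter before touching guest traffic, and a "compromised" device that tries any other syscall is killed by the kernel while the VMM carries on.

```c
/* Added example, not lguest or KVM code: one forked process per emulated device,
 * confined by a seccomp-bpf allow-list; the one-byte pipe protocol is made up. */
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Allow exactly read, write and exit_group (what glibc's _exit() issues); anything
 * else kills the device. The arch check stops 32-bit numbers passing as 64-bit.
 * The device is single-threaded, so SECCOMP_RET_KILL (thread) ends the process. */
static int install_device_filter(void)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 3, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { sizeof filter / sizeof filter[0], filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)   /* needed without CAP_SYS_ADMIN */
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
}

/* Toy device: once the filter is in, the only world it can touch is two pipes. */
static void device_main(int req_fd, int resp_fd)
{
    char req, resp;
    if (install_device_filter() != 0)
        _exit(2);
    while (read(req_fd, &req, 1) == 1) {   /* EOF means the VMM closed the pipe */
        if (req == 'q')
            _exit(0);                      /* orderly shutdown */
        if (req == 'x')
            syscall(SYS_getpid);           /* compromised device: any other syscall dies here */
        resp = req == 'r' ? 'R' : '?';     /* emulated register read */
        if (write(resp_fd, &resp, 1) != 1)
            _exit(3);
    }
    _exit(0);
}

/* Forks one device, sends 'r' then `second`, stores each reply byte (-1 once the
 * device is gone) and returns the child's wait status. The VMM side is not sandboxed. */
static int run_device(char second, int replies[2])
{
    int req[2], resp[2], status = -1;
    char reqs[2] = { 'r', second }, r;
    signal(SIGPIPE, SIG_IGN);              /* a dead device must not take the VMM down */
    if (pipe(req) != 0 || pipe(resp) != 0)
        return -1;
    pid_t pid = fork();
    if (pid == 0) {
        close(req[1]); close(resp[0]);
        device_main(req[0], resp[1]);      /* never returns */
    }
    close(req[0]); close(resp[1]);
    for (int i = 0; i < 2; i++)
        replies[i] = (write(req[1], &reqs[i], 1) == 1 && read(resp[0], &r, 1) == 1) ? r : -1;
    close(req[1]); close(resp[0]);
    waitpid(pid, &status, 0);
    return status;
}

/* 1: clean exit after answering 'r'; 2: answered 'r', then killed by the kernel (SIGSYS today); 0: other. */
int device_scenario(char second)
{
    int replies[2], status = run_device(second, replies);
    if (replies[0] != 'R' || replies[1] != -1)
        return 0;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return 1;
    return WIFSIGNALED(status) ? 2 : 0;
}

int main(void)
{
    printf("'q' shutdown -> %d, 'x' escape attempt -> %d\n", device_scenario('q'), device_scenario('x'));
    return 0;
}
```

Build with "cc -o devproc devproc.c" and run on Linux. The thing to get right in practice is the allow-list: it has to name the syscalls the C library actually issues, not the ones you think you call (glibc's _exit() is exit_group, not exit, and a real device process also needs whatever it uses for guest memory and I/O, all opened before the filter goes in). In 2011, when this thread was written, seccomp meant only mode 1 (strict), which fixes the list at read, write, _exit and sigreturn; the filter mode used here arrived in Linux 3.5 and lets each device carry its own list, which is the "exact set of resources" the quoted message asks for.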