From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:41459) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1W2QXi-000271-UK for qemu-devel@nongnu.org; Sun, 12 Jan 2014 14:18:03 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1W2QXX-0001DL-Po for qemu-devel@nongnu.org; Sun, 12 Jan 2014 14:17:54 -0500 Received: from mail-qa0-x232.google.com ([2607:f8b0:400d:c00::232]:51534) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1W2QXX-0001DH-KO for qemu-devel@nongnu.org; Sun, 12 Jan 2014 14:17:43 -0500 Received: by mail-qa0-f50.google.com with SMTP id cm18so4440452qab.37 for ; Sun, 12 Jan 2014 11:17:42 -0800 (PST) Received: from [172.30.8.194] (NYUFWA-GUESTS-01.NATPOOL.NYU.EDU. [192.76.177.124]) by mx.google.com with ESMTPSA id x9sm5699286qev.15.2014.01.12.11.17.41 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 12 Jan 2014 11:17:42 -0800 (PST) Message-ID: <52D2EA57.7050905@gmail.com> Date: Sun, 12 Jan 2014 14:17:43 -0500 From: "immersive.excel@gmail.com" MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: [Qemu-devel] chroot jailing... List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Would there be any security benefits, without suffering any considerable relative loss in performance, to (chroot) jailing qemu? Can it, practically speaking, be done?? Would that be a partial safeguard against virtual machine escapes? Or is it the case that if a virtual machine escape takes place, then all bets are probably off? (i.e., you probably have already pole-vaulted over any filesystem driver/partition access control mechanisms...) Are there any articles or discussions that I can be directed to about it? (my focus for now is 64 bit, Intel core i7...) Are there specific suggestions and/or guidelines for attempting to do so -or not??