On 10/19/2012 04:36 PM, Eric Blake wrote:
On 10/19/2012 02:08 PM, Corey Bryant wrote:
On 10/19/2012 01:04 PM, Blue Swirl wrote:
On Wed, Oct 17, 2012 at 1:15 PM, Eduardo Otubo
<ot...@linux.vnet.ibm.com> wrote:
This patch includes a second whitelist right before the main loop. It's
a smaller and more restricted whitelist, excluding execve() among many
others.
It's nice to see that for example open, creat, unlink, socket, bind,
mprotect, setrlimit and kill are not present.
Hmm, well open minimally needs to be added to this list so that drives
can be hotplugged.
Unless we enforce the use of add-fd for hot-plugging drives, but that in
turn requires that we have -blockdev semantics for telling qemu how to
open backing chains.
True, that would be nice. But for now we don't have a complete fd
passing solution so maybe we can add that restriction in the future.
--
Regards,
Corey Bryant
