[OFFLIST] status of devcg
serge.hallyn at ubuntu.com
Thu Jul 11 16:05:32 UTC 2013
Quoting Tejun Heo (tj at kernel.org):
> On Thu, Jul 11, 2013 at 10:34:05AM +0100, Daniel P. Berrange wrote:
> > FWIW, libvirt's usage of devcg is to deny all by default, allow major 136
> > (for all /dev/pts/*), followed by allow (major,minor) pair for each specific
> > whitelisted device. As such we don't have anything that relies on ordering
> > of rules in devcg.
> I'd personally much prefer something very simple - allow all by
> default, allow only the specified if explicitly specified. I really
> don't want full iptables like facility inside devcg.
FWIW lxc is also quite happy with the simple rules.
Is there something in particular you want to accomplish for which the
current rules do not suffice?
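As an added illustration that is not part of the thread and is neither libvirt nor kernel code: a small Python model of the deny-by-default whitelist pattern described above, using the cgroup v1 `devices.allow` line syntax (`c 136:* rwm`). The model unions all allow entries, which is why rule order does not matter; the (major,minor) numbers for /dev/null and /dev/random are conventional Linux values assumed here, and the semantics are a simplification.

```python
"""Model of the device-cgroup whitelist pattern: deny everything, then
add allow entries. Simplified, added example only."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    dev_type: str           # 'c' (char), 'b' (block) or 'a' (all)
    major: Optional[int]    # None stands for the wildcard '*'
    minor: Optional[int]
    access: frozenset       # subset of {'r', 'w', 'm'}


def parse_rule(line: str) -> Rule:
    """Parse a devices.allow/devices.deny style line such as 'c 136:* rwm'."""
    parts = line.split()
    if parts[0] == 'a':                      # 'a' alone or 'a *:* rwm'
        return Rule('a', None, None, frozenset('rwm'))
    dev_type, numbers, access = parts
    major_s, minor_s = numbers.split(':')
    major = None if major_s == '*' else int(major_s)
    minor = None if minor_s == '*' else int(minor_s)
    return Rule(dev_type, major, minor, frozenset(access))


class DeviceWhitelist:
    """Deny-by-default: access is granted if any allow entry covers the
    device and the requested access bits. Entries form a set, so the order
    in which they were added has no effect on the outcome."""

    def __init__(self):
        self.allowed = set()            # set of Rule

    def deny_all(self):
        self.allowed.clear()            # like writing 'a' to devices.deny

    def allow(self, line: str):
        self.allowed.add(parse_rule(line))

    def permits(self, dev_type: str, major: int, minor: int, access: str) -> bool:
        needed = set(access)
        for r in self.allowed:
            if r.dev_type != 'a' and r.dev_type != dev_type:
                continue
            if r.major is not None and r.major != major:
                continue
            if r.minor is not None and r.minor != minor:
                continue
            if needed <= r.access:
                return True
        return False


def libvirt_style_whitelist(rules=('c 136:* rwm', 'c 1:3 rwm', 'c 1:8 rwm')):
    """Deny all, allow every /dev/pts/* (major 136), then whitelist
    specific (major,minor) pairs (/dev/null 1:3, /dev/random 1:8; assumed)."""
    wl = DeviceWhitelist()
    wl.deny_all()
    for line in rules:
        wl.allow(line)
    return wl
```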