Re: [vserver] xorg inside of vguest slower than on host

From: Herbert Poetzl <herbert_at_13thfloor.at>
Date: Mon 10 Dec 2007 - 12:46:38 GMT
Message-ID: <20071210124638.GA21034@MAIL.13thfloor.at>

On Sat, Dec 08, 2007 at 06:14:48PM +0100, Stephan Mueller wrote:
> * Stephan Mueller <d454d@web.de> [07.12.2007]:
>
> > okay, I see that xorg seems to have access to /proc/mtrr and some
> > /proc/pci/...
> >
> > Unhiding these two entries did the trick for me. Great!
>
> oops. Not so great. I fooled myself and seem to have started xorg on the
> host and not inside the vguest. :(
>
> Inside the vguest xorg is still slow.
>
> I set the SYS_ADMIN, SYS_TTY_CONFIG and SYS_RAWIO capabilities. Did not
> change anything either.
>
> But hey, there is an entry "devices" in /proc/bus/pci. Unhiding that one.
> Start vguest. ENTER vguest. :) xorg seems to be as fast as on the host
> now. Eureka!
>
> Double-checked that. SYS_RAWIO, SYS_ADMIN and the pci stuff in /proc
> seem to be all that is needed.

okay, that is a start, unfortunately you want neither
SYS_RAWIO nor SYS_ADMIN in a moderately secure guest,
the pci stuff itself might be fine without write access
(capability not permission) ...

but I still think, if there is enough interest, we can
make such a setup reasonably secure, by defining certain
port ranges and/or pci structures as 'belonging' to that
guest (like the graphics hardware) and thus we might get
away without opening up the guest.

best,
Herbert

> Cheers,
>
> Steph.
Received on Mon Dec 10 12:46:54 2007
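
An added example, not part of the original thread and not Linux-VServer tooling: a check that decodes the capability masks from a process's /proc/<pid>/status and reports the three capabilities named above, so a guest that has been opened up this way can be spotted. The bit numbers are from linux/capability.h; the two status samples and all function names are constructed for illustration.

```python
import re

# Bit numbers from linux/capability.h for the capabilities named in the thread.
RISKY = {
    17: "CAP_SYS_RAWIO",       # raw I/O port and /dev/mem access
    21: "CAP_SYS_ADMIN",       # mount and many other admin operations
    26: "CAP_SYS_TTY_CONFIG",  # tty configuration, vhangup
}
# The reply singles these two out as unwanted in a moderately secure guest.
UNWANTED = {"CAP_SYS_RAWIO", "CAP_SYS_ADMIN"}

CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd)):\s*([0-9a-fA-F]+)\s*$", re.M)

def parse_cap_masks(status_text):
    """Return {field: int mask} for the Cap* lines of a status file."""
    return {name: int(mask, 16) for name, mask in CAP_LINE.findall(status_text)}

def risky_caps(mask):
    """Names of the flagged capabilities whose bit is set in mask."""
    return sorted(name for bit, name in RISKY.items() if (mask >> bit) & 1)

def audit(status_text):
    """Map each of CapPrm/CapEff/CapBnd present to the flagged caps it holds."""
    masks = parse_cap_masks(status_text)
    if "CapEff" not in masks:
        raise ValueError("no CapEff line found; not a /proc/<pid>/status dump?")
    found = {f: risky_caps(masks[f]) for f in ("CapPrm", "CapEff", "CapBnd") if f in masks}
    return {f: caps for f, caps in found.items() if caps}

def unwanted_effective(status_text):
    """Flagged effective capabilities that the reply says a guest should not have."""
    return sorted(UNWANTED.intersection(audit(status_text).get("CapEff", [])))

# Constructed sample: a guest process with the three capabilities granted.
OPENED_GUEST = """Name:\tXorg
CapInh:\t0000000000000000
CapPrm:\t00000000042204e3
CapEff:\t00000000042204e3
"""
# Constructed sample: the same process without them.
PLAIN_GUEST = """Name:\tXorg
CapInh:\t0000000000000000
CapPrm:\t00000000000004e3
CapEff:\t00000000000004e3
"""

if __name__ == "__main__":
    for label, text in (("opened", OPENED_GUEST), ("plain", PLAIN_GUEST)):
        print(label, audit(text), unwanted_effective(text))
```

Run against the status file of a process started inside the guest (for example the guest's init or the X server itself) to see what it actually holds.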
