Feature #12714
want privilege for hypervisors
Status: open
Description
The inclusion of bhyve in illumos exacerbates our current lack of a privilege for controlling access to HVM-related tasks. HVM workloads, being somewhat unique in their requirements and implementations, consume system resources in a way that is distinct from "normal" processes. As such, gating access to them behind a separate privilege is desirable. To that end, PRIV_SYS_HYPERVISOR is proposed to cover such HVM workloads. The first consumer will be bhyve, but it could be wired into things like KVM and VirtualBox as well.
Updated by John Levon over 2 years ago
Did you consider re-using the golden oldie PRIV_VIRT_MANAGE?
Updated by Patrick Mooney over 2 years ago
John Levon wrote:
> Did you consider re-using the golden oldie PRIV_VIRT_MANAGE?
I had not. Seeing it now, I have some mixed feelings. Its naming is pretty unlike the other privs, and access to HVM resources strikes me as something that would be covered by a PRIV_SYS_*. That said, I'm open to suggestion.
Updated by John Levon over 2 years ago
Not sure what you mean about naming - it's a sub-system thing, like PROC, NET, etc. The original naming was for covering both kernel-side access reasons and also for e.g. daemon privs (say if we had a user-space door server).
I'm somewhat agnostic on whether it should be re-used or not, just wanted to make sure you'd considered it.
Updated by Patrick Mooney over 2 years ago
I don't have strong opinions one way or the other. I'll be happy with whatever we can collectively settle on. My big motivation is to get bhyve instance creation behind some sort of privilege.
Updated by Yuri Pankov over 2 years ago
FWIW, PRIV_SYS_HYPERVISOR better describes its purpose than PRIV_VIRT_MANAGE for me.