From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Erik Skultety <eskultet@redhat.com>
Cc: "Singh, Brijesh" <brijesh.singh@amd.com>,
	"libvir-list@redhat.com" <libvir-list@redhat.com>,
	"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
	"dinechin@redhat.com" <dinechin@redhat.com>,
	"mkletzan@redhat.com" <mkletzan@redhat.com>
Subject: Re: [Qemu-devel] AMD SEV's /dev/sev permissions and probing QEMU for capabilities
Date: Wed, 30 Jan 2019 10:37:19 +0000	[thread overview]
Message-ID: <20190130103719.GF15904@redhat.com> (raw)
In-Reply-To: <20190130080630.GI5315@beluga.usersys.redhat.com>

On Wed, Jan 30, 2019 at 09:06:30AM +0100, Erik Skultety wrote:
> Thanks for ^this bit which helped me understand the bits below. When I read the
> man page yesterday the first question was, okay, how do I figure out whether
> the file capabilities bit is set? Well, use xattrs...which didn't return
> anything, so I was puzzled what exactly it should look like, but now that you
> explained that most binaries actually lack the file capabilities, I see the
> issue clearly :).

The commands you want to experiment with are "getcap" and "setcap" eg

# getcap  qemu-system-x86_64
# setcap cap_dac_override=+ep qemu-system-x86_64
# getcap  qemu-system-x86_64
qemu-system-x86_64 = cap_dac_override+ep
# setcap  cap_dac_override= qemu-system-x86_64
# getcap  qemu-system-x86_64
qemu-system-x86_64 =
# setcap -r qemu-system-x86_64
# getcap  qemu-system-x86_64
# 
> > +
> >      ret = 0;
> >   cleanup:
> >      return ret;
> >
> >
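Review bot: the visible tail of this hunk reaches `ret = 0;` unconditionally before falling into `cleanup: return ret;`, so when the `#ifdef PR_CAP_AMBIENT` guard asked for in the next line is added, make sure the `#else` branch (headers that lack PR_CAP_AMBIENT) does not also fall through to `ret = 0`; it should report that ambient capabilities are unsupported rather than return success having done nothing.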
> > though, we need a #ifdef check for existence of PR_CAP_AMBIENT
> >
> > > An alternative question I've been playing ever since we exchanged the last few
> > > emails is that can't we wait until the ioctls are compared against permissions
> > > in kernel so that upstream libvirt (and downstream too for that matter) doesn't
> > > have to work around it and stick with that workaround for eternity?
> >
> > IIUC, the SEV feature has already shipped with distros, so we'd effectively
> > be saying that what we already shipped is unusable to libvirt. This doesn't
> > feel like a desirable story to me.
> 
> It was, but it never worked, it always has been broken in this way. When we
> were merging this upstream, we had a terrible shortage of machines and we had
> to share, so the first person to provision the machine had already taken care
> of the permissions in order to test so that led to this issue having been
> overlooked until now. If it ever worked as expected and then we broke it, then
> any fix from our side would make sense but otherwise I believe we should fix
> this bottom up.

Well technically it would work if libvirt was configured to run as
root:root, but yes, that is not a normal or recommended configuration.

Personally I have a preference for userspace solutions, as those are
pretty straightforward to roll out to people as patches in existing
releases. Deploying kernel updates is a higher bar to cross for an
existing release.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
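
The getcap/setcap session above is reading and writing the same security.capability xattr that looked empty when queried by hand. As an added example (not code from this thread, libvirt, QEMU or libcap), here is a small C decoder for that xattr: it parses the vfs_cap_data layout (revision 1, 2 and 3 magic values, the single effective bit, the permitted and inheritable masks, the revision 3 rootid) and prints the result in getcap's "name+flags" form. The embedded 20-byte sample is constructed by hand to be what `setcap cap_dac_override=+ep` stores; capability names and numbers follow the kernel's include/uapi/linux/capability.h. Given a path as its first argument it reads the real xattr with getxattr(2), which needs no privilege, so it can be used to confirm what a packaged qemu-system-x86_64 actually carries.

```c
/* Decode a file's security.capability xattr, the blob setcap writes and getcap
 * reads.  Added example; not code from libvirt, QEMU or libcap. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>

/* Layout constants from include/uapi/linux/capability.h (struct vfs_cap_data). */
#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_REVISION_1      0x01000000u  /* one 32-bit word per set, 12 bytes */
#define VFS_CAP_REVISION_2      0x02000000u  /* two words per set, 20 bytes */
#define VFS_CAP_REVISION_3      0x03000000u  /* revision 2 plus a rootid, 24 bytes */
#define VFS_CAP_FLAGS_EFFECTIVE 0x000001u    /* one bit covering the whole permitted set */

struct fcaps { uint64_t permitted, inheritable; int effective; uint32_t rootid; };

/* Index == CAP_* number from the kernel UAPI header. */
static const char *const cap_names[] = {
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner", "cap_fsetid",
    "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap", "cap_linux_immutable",
    "cap_net_bind_service", "cap_net_broadcast", "cap_net_admin", "cap_net_raw",
    "cap_ipc_lock", "cap_ipc_owner", "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot",
    "cap_sys_ptrace", "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod", "cap_lease",
    "cap_audit_write", "cap_audit_control", "cap_setfcap", "cap_mac_override",
    "cap_mac_admin", "cap_syslog", "cap_wake_alarm", "cap_block_suspend", "cap_audit_read",
    "cap_perfmon", "cap_bpf", "cap_checkpoint_restore" };
#define NCAPS (sizeof cap_names / sizeof cap_names[0])

/* Constructed sample: the 20 bytes `setcap cap_dac_override=+ep` stores
 * (revision 2, effective bit set, permitted = 1 << CAP_DAC_OVERRIDE, rest zero). */
const unsigned char sample_dac_override_ep[20] = {
    0x01, 0x00, 0x00, 0x02,  /* magic_etc = VFS_CAP_REVISION_2 | EFFECTIVE, little-endian */
    0x02, 0x00, 0x00, 0x00,  /* data[0].permitted = bit 1 */
    0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0 };  /* data[0].inheritable, data[1].{permitted,inheritable} */

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse the xattr blob. Returns 0, or -1 if it is not a well-formed vfs_cap_data. */
int fcaps_decode(const unsigned char *buf, size_t len, struct fcaps *out)
{
    uint32_t magic, rev, nwords, i;

    memset(out, 0, sizeof *out);
    if (len < 4) return -1;
    magic = le32(buf);
    rev = magic & VFS_CAP_REVISION_MASK;
    if (rev != VFS_CAP_REVISION_1 && rev != VFS_CAP_REVISION_2 && rev != VFS_CAP_REVISION_3)
        return -1;
    nwords = rev == VFS_CAP_REVISION_1 ? 1 : 2;
    if (len != 4 + 8 * nwords + (rev == VFS_CAP_REVISION_3 ? 4 : 0))
        return -1;                          /* blob size is fixed per revision */
    out->effective = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    for (i = 0; i < nwords; i++) {
        out->permitted   |= (uint64_t)le32(buf + 4 + 8 * i) << (32 * i);
        out->inheritable |= (uint64_t)le32(buf + 8 + 8 * i) << (32 * i);
    }
    if (rev == VFS_CAP_REVISION_3)
        out->rootid = le32(buf + 4 + 8 * nwords);
    return 0;
}

/* Render as getcap does, "cap_name+flags" comma separated; the effective bit only
 * applies to permitted caps.  Returns length written, or -1 if `n` is too small. */
int fcaps_to_text(const struct fcaps *c, char *out, size_t n)
{
    size_t used = 0, cap;

    if (n == 0) return -1;
    out[0] = '\0';
    for (cap = 0; cap < NCAPS; cap++) {
        int p = (c->permitted >> cap) & 1, i = (c->inheritable >> cap) & 1, r;
        if (!p && !i) continue;
        r = snprintf(out + used, n - used, "%s%s+%s%s%s", used ? "," : "", cap_names[cap],
                     (p && c->effective) ? "e" : "", i ? "i" : "", p ? "p" : "");
        if (r < 0 || (size_t)r >= n - used) return -1;
        used += (size_t)r;
    }
    return (int)used;
}

/* With a path argument, read the real xattr; otherwise decode the constructed sample. */
int main(int argc, char **argv)
{
    unsigned char buf[64];
    char text[1024];
    struct fcaps c;
    ssize_t len = sizeof sample_dac_override_ep;

    memcpy(buf, sample_dac_override_ep, sizeof sample_dac_override_ep);
    if (argc > 1 && (len = getxattr(argv[1], "security.capability", buf, sizeof buf)) < 0) {
        if (errno == ENODATA) {             /* the case where getcap prints nothing */
            printf("%s has no file capabilities\n", argv[1]);
            return 0;
        }
        perror("getxattr");
        return 1;
    }
    if (fcaps_decode(buf, (size_t)len, &c) < 0 || fcaps_to_text(&c, text, sizeof text) < 0) {
        fprintf(stderr, "malformed security.capability xattr\n");
        return 1;
    }
    printf("%s = %s\n", argc > 1 ? argv[1] : "(sample)", text);
    return 0;
}
```

Run with no arguments and it prints `(sample) = cap_dac_override+ep`, the same text getcap showed after the setcap step above; `setcap cap_dac_override=` leaves a blob with an empty permitted mask, which decodes to an empty string and explains the bare `qemu-system-x86_64 =` line, while `setcap -r` removes the xattr entirely and getxattr returns ENODATA.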


Thread overview: 23+ messages
2019-01-18  9:39 [Qemu-devel] AMD SEV's /dev/sev permissions and probing QEMU for capabilities Erik Skultety
2019-01-18 10:16 ` Daniel P. Berrangé
2019-01-18 10:56   ` [Qemu-devel] [libvirt] " Erik Skultety
2019-01-18 11:11   ` [Qemu-devel] " Martin Kletzander
2019-01-18 11:17     ` Daniel P. Berrangé
2019-01-18 11:31       ` Martin Kletzander
2019-01-18 12:51 ` Singh, Brijesh
2019-01-23 12:55   ` Erik Skultety
2019-01-23 13:10     ` Daniel P. Berrangé
2019-01-23 13:22       ` Erik Skultety
2019-01-23 13:24         ` Daniel P. Berrangé
2019-01-23 13:33           ` Erik Skultety
2019-01-23 13:36             ` Daniel P. Berrangé
2019-01-23 15:02               ` Singh, Brijesh
2019-01-23 15:29                 ` Erik Skultety
2019-01-29 16:15                 ` Erik Skultety
2019-01-29 18:40                   ` Daniel P. Berrangé
2019-01-30  8:06                     ` Erik Skultety
2019-01-30 10:37                       ` Daniel P. Berrangé [this message]
2019-01-30 13:39                         ` Erik Skultety
2019-01-30 17:47                           ` Singh, Brijesh
2019-01-30 18:18                           ` Daniel P. Berrangé
2019-01-31 15:28                             ` Erik Skultety
