From: Avi Kivity <avi@redhat.com>
To: Michael Tokarev <mjt@tls.msk.ru>
Cc: "kvm@vger.kernel.org" <kvm@vger.kernel.org>
Subject: Re: pci device assignment as non-root?
Date: Thu, 15 Jan 2009 15:40:29 +0200
Message-ID: <496F3CCD.3040603@redhat.com>
In-Reply-To: <496F1C20.5050309@msgid.tls.msk.ru>

Michael Tokarev wrote:
> Hello!
>
> I'm - finally - experimenting with PCI device assignment in
> kvm-83, starting with something as simple as an internal dialup
> modem (not softmodem) which uses no DMA and does not share IRQ
> with other devices.
>
> The thing works just fine, but only when run as root.  When
> running as non-root, even after chmod'ing /sys/bus/pci/.../config
> appropriately, it fails to activate the device in question:
>
> $ kvm ... -pcidevice host=03:06.0 ...
> Failed to assign irq for "03:06.0": Operation not permitted
> Perhaps you are assigning a device that shares an IRQ with another device?
>
> (No IRQ sharing here).
>
> After looking at the source I found this in
> x86/kvm_main.c:assigned_device_update_intx():
>
>                 if (!capable(CAP_SYS_RAWIO))
>                         return -EPERM;
>
> So basically it wants the user to have SYS_RAWIO capability to
> assign the irq.  That's probably right, but it effectively makes
> the whole thing root-only, because the capability system is broken
> on Linux (it's another long topic; what's relevant here is that
> one can't grant any given capability to a given non-root process).
> Even if it were solved and a non-root has SYS_RAWIO, it's better
> to drop that capability after all the init stuff is done, following
> the very good principle of least privilege (this is why I want to
> run it as non-root to start with; it's more: on a production system
> I'll restore permissions of the sysfs files after startup).
>
> So it looks like some other trick is needed here (not cap_sys_rawio
> but some traditional unix rwx thing), OR the kvm binary has to be able
> to drop privileges after all the init is done.
>

Dropping privileges is easy (well, need to account for all threads) but 
will not play well with hotplug.

> The latter SEEMS to be easy as it only involves userspace (it's ok
> for me to start the whole thing as root as long as it drops privs,
> I don't need to give certain PCI devices to arbitrary users), but
> has its own issues.  Namely, I'd like kvm to open disk image files
> and stuff like that as non-root too, since it's the only way to
> force read-only opens currently.
>

Looks like we need -drive ...,access=readonly


-- 
error compiling committee.c: too many arguments to function
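The "drop that capability after all the init stuff is done" step the thread discusses, shown as an added example that is not code from kvm or from either poster: the program reads the calling thread's capability sets with capget(2), clears CAP_SYS_RAWIO from the effective, permitted and inheritable sets, and writes them back with capset(2). Reducing the sets needs no privilege, so it behaves the same for root and non-root. Avi's caveat about threads is visible in the code: Linux capabilities are per thread, and capset() only touches the thread that calls it, so the drop must happen before other threads are spawned or be repeated in each of them. The function names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

typedef struct __user_cap_header_struct cap_hdr_t;
typedef struct __user_cap_data_struct cap_data_t;

/* Fetch the capability sets of the calling thread (pid 0 == self).
 * Version 3 headers carry two 32-bit words per set, hence data[2]. */
static int read_thread_caps(cap_hdr_t *hdr, cap_data_t data[2]) {
    memset(hdr, 0, sizeof *hdr);
    memset(data, 0, 2 * sizeof *data);
    hdr->version = _LINUX_CAPABILITY_VERSION_3;
    hdr->pid = 0;
    return syscall(SYS_capget, hdr, data) == 0 ? 0 : -1;
}

/* 1 if CAP_SYS_RAWIO is in the calling thread's effective or permitted
 * set, 0 if not, -1 on error. Example helper, not a libcap API. */
int thread_has_cap_sys_rawio(void) {
    cap_hdr_t hdr; cap_data_t data[2];
    if (read_thread_caps(&hdr, data) != 0) return -1;
    const cap_data_t *d = &data[CAP_TO_INDEX(CAP_SYS_RAWIO)];
    return ((d->effective | d->permitted) & CAP_TO_MASK(CAP_SYS_RAWIO)) ? 1 : 0;
}

/* Remove CAP_SYS_RAWIO from the calling thread only. Once it leaves the
 * permitted set it cannot be regained, which is the point of dropping it
 * after init (and why a later hotplug would no longer be able to use it).
 * Returns 0 on success, -1 with errno set. */
int drop_cap_sys_rawio(void) {
    cap_hdr_t hdr; cap_data_t data[2];
    if (read_thread_caps(&hdr, data) != 0) return -1;
    cap_data_t *d = &data[CAP_TO_INDEX(CAP_SYS_RAWIO)];
    d->effective   &= ~CAP_TO_MASK(CAP_SYS_RAWIO);
    d->permitted   &= ~CAP_TO_MASK(CAP_SYS_RAWIO);
    d->inheritable &= ~CAP_TO_MASK(CAP_SYS_RAWIO);
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

int main(void) {
    printf("CAP_SYS_RAWIO before drop: %d\n", thread_has_cap_sys_rawio());
    if (drop_cap_sys_rawio() != 0) { perror("capset"); return 1; }
    printf("CAP_SYS_RAWIO after drop:  %d\n", thread_has_cap_sys_rawio());
    return 0;
}
```

Run it as root to see the value change from 1 to 0; as an ordinary user it reports 0 both times, since the capability was never in the permitted set.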

