Re: [PATCH 0/2] kvm: Lock down device assignment

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Avi Kivity <avi@redhat.com>
To: Alex Williamson <alex.williamson@redhat.com>
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
	jan.kiszka@siemens.com
Subject: Re: [PATCH 0/2] kvm: Lock down device assignment
Date: Tue, 20 Dec 2011 11:23:06 +0200	[thread overview]
Message-ID: <4EF053FA.2020009@redhat.com> (raw)
In-Reply-To: <20111220030826.11829.9141.stgit@bling.home>

On 12/20/2011 05:19 AM, Alex Williamson wrote:
> Two patches to try to better secure the device assignment ioctl.
> This firt patch makes KVM_DEV_ASSIGN_ENABLE_IOMMU a mandatory
> option when assigning a device.  I don't believe we have any
> users of this option, so I think we can skip any deprecation
> period, especially since it's existence is rather dangerous.
>
> The second patch introduces some file permission checking that Avi
> suggested.  If a user has been granted read/write permission to
> the PCI sysfs BAR resource files, this is a good indication that
> they have access to the device.  We can't call sys_faccessat
> directly (not exported), but the important bits are self contained
> enough to include directly.  This still works with sudo and libvirt
> usage, the latter already grants qemu permission to these files.
> Thanks,
>
>

Looks good, but please update the API documentation.

-- 
error compiling committee.c: too many arguments to function

     prev parent reply	other threads:[~2011-12-20  9:23 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-12-20  3:19 [PATCH 0/2] kvm: Lock down device assignment Alex Williamson
2011-12-20  3:19 ` [PATCH 1/2] kvm: Remove ability to assign a device without iommu support Alex Williamson
2011-12-20  8:49   ` Sasha Levin
2011-12-20  9:03     ` Jan Kiszka
2011-12-20  9:08       ` Sasha Levin
2011-12-20  9:12         ` Jan Kiszka
2011-12-20  9:14           ` Avi Kivity
2011-12-20 14:28         ` Alex Williamson
2011-12-20  9:19   ` Avi Kivity
2011-12-20  3:19 ` [PATCH 2/2] kvm: Device assignment permission checks Alex Williamson
2011-12-20  9:23 ` Avi Kivity [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4EF053FA.2020009@redhat.com \
    --to=avi@redhat.com \
    --cc=alex.williamson@redhat.com \
    --cc=jan.kiszka@siemens.com \
    --cc=kvm@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.