From: Avi Kivity <avi@redhat.com>
To: Michael Tokarev <mjt@tls.msk.ru>
Cc: "kvm@vger.kernel.org" <kvm@vger.kernel.org>
Subject: Re: pci device assignment as non-root?
Date: Thu, 15 Jan 2009 15:40:29 +0200 [thread overview]
Message-ID: <496F3CCD.3040603@redhat.com> (raw)
In-Reply-To: <496F1C20.5050309@msgid.tls.msk.ru>
Michael Tokarev wrote:
> Hello!
>
> I'm - finally - experimenting with PCI device assignment in
> kvm-83, starting with something as simple as an internal dialup
> modem (not softmodem) which uses no DMA and does not share IRQ
> with other devices.
>
> The thing works just fine, but only when run as root. When
> running as non-root, even after chmod'ing /sys/bus/pci/.../config
> appropriately, it fails to activate the device in question:
>
> $ kvm ... -pcidevice host=03:06.0 ...
> Failed to assign irq for "03:06.0": Operation not permitted
> Perhaps you are assigning a device that shares an IRQ with another device?
>
> (No IRQ sharing here).
>
> After looking at the source I found this in
> x86/kvm_main.c:assigned_device_update_intx():
>
> if (!capable(CAP_SYS_RAWIO))
> return -EPERM;
>
> So basically it wants the user to have SYS_RAWIO capability to
> assign the irq. That's probably right, but it effectively makes
> the whole thing root-only, because capability system is broken
> on linux (it's another long topic, what's relevant here is that
> one can't grant any given capability to a given non-root process).
> Even if it were solved and a non-root has SYS_RAWIO, it's better
> to drop that capability after all the init stuff is done, following
> the very good principle of least privilege (this is why I want to
> run it as non-root to start with; it's more: on a production system
> I'll restore permissions of the sysfs files after startup).
>
> So it looks like some other trick is needed here (not cap_sys_rawio
> but some traditional unix rwx thing), OR kvm binary has to be able
> to drop privileges after all the init is done.
>
Dropping privileges is easy (well, need to account for all threads) but
will not play well with hotplug.
> The latter SEEMS to be easy as it only involves userspace (it's ok
> for me to start the whole thing as root as long as it drops privs,
> I don't need to give certain PCI devices to arbitrary users), but
> has its own issues. Namely, I'd like kvm to open disk image files
> and stuff like that as non-root too, since it's the only way to
> force read-only opens currently.
>
Looks like we need -drive ...,access=readonly
--
error compiling committee.c: too many arguments to function
next prev parent reply other threads:[~2009-01-15 13:40 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-01-15 11:21 pci device assignment as non-root? Michael Tokarev
2009-01-15 13:40 ` Avi Kivity [this message]
2009-01-15 15:28 ` Michael Tokarev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=496F3CCD.3040603@redhat.com \
--to=avi@redhat.com \
--cc=kvm@vger.kernel.org \
--cc=mjt@tls.msk.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox