From: Avi Kivity
Subject: Re: pci device assignment as non-root?
Date: Thu, 15 Jan 2009 15:40:29 +0200
Message-ID: <496F3CCD.3040603@redhat.com>
References: <496F1C20.5050309@msgid.tls.msk.ru>
In-Reply-To: <496F1C20.5050309@msgid.tls.msk.ru>
To: Michael Tokarev
Cc: "kvm@vger.kernel.org"

Michael Tokarev wrote:
> Hello!
>
> I'm - finally - experimenting with PCI device assignment in
> kvm-83, starting with something as simple as an internal dialup
> modem (not softmodem) which uses no DMA and does not share IRQ
> with other devices.
>
> The thing works just fine, but only when run as root. When
> running as non-root, even after chmod'ing /sys/bus/pci/.../config
> appropriately, it fails to activate the device in question:
>
> $ kvm ... -pcidevice host=03:06.0 ...
> Failed to assign irq for "03:06.0": Operation not permitted
> Perhaps you are assigning a device that shares an IRQ with another device?
>
> (No IRQ sharing here).
>
> After looking at the source I found this in
> x86/kvm_main.c:assigned_device_update_intx():
>
>     if (!capable(CAP_SYS_RAWIO))
>         return -EPERM;
>
> So basically it wants the user to have the SYS_RAWIO capability to
> assign the irq. That's probably right, but it effectively makes
> the whole thing root-only, because the capability system is broken
> on linux (it's another long topic; what's relevant here is that
> one can't grant any given capability to a given non-root process).
> Even if it were solved and a non-root has SYS_RAWIO, it's better
> to drop that capability after all the init stuff is done, following
> the very good principle of least privilege (this is why I want to
> run it as non-root to start with; it's more: on a production system
> I'll restore permissions of the sysfs files after startup).
>
> So it looks like some other trick is needed here (not cap_sys_rawio
> but some traditional unix rwx thing), OR the kvm binary has to be able
> to drop privileges after all the init is done.
>

Dropping privileges is easy (well, need to account for all threads) but
will not play well with hotplug.

> The latter SEEMS to be easy as it only involves userspace (it's ok
> for me to start the whole thing as root as long as it drops privs,
> I don't need to give certain PCI devices to arbitrary users), but
> has its own issues. Namely, I'd like kvm to open disk image files
> and stuff like that as non-root too, since it's the only way to
> force read-only opens currently.
>

Looks like we need -drive ...,access=readonly

--
error compiling committee.c: too many arguments to function
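The "drop CAP_SYS_RAWIO after init" step that the thread discusses, as an added C example that is not from this thread or from the kvm/qemu code; it assumes a Linux kernel with v3 capability sets and PR_CAPBSET_DROP (2.6.26 or later), and the function names are my own. Because capset only changes the calling thread, it has to run before vcpu or I/O threads are created, or in each of them, which is the "account for all threads" caveat above; and once dropped the capability is gone, which is why later device hotplug cannot use it.

```c
#include <errno.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* CAP_SYS_RAWIO is 17, so it lives in word 0 of the v3 two-word cap sets. */
#define CAP_WORD(c) ((c) >> 5)
#define CAP_BIT(c)  (1u << ((c) & 31))

/* Read the calling thread's capability sets; capget/capset are per-thread. */
static int cap_get(struct __user_cap_data_struct data[2])
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return syscall(SYS_capget, &hdr, data);
}

/* 1 if CAP_SYS_RAWIO is in this thread's effective set, 0 if not, -1 on error. */
int has_cap_sys_rawio(void)
{
    struct __user_cap_data_struct data[2] = {{0}};
    if (cap_get(data) < 0)
        return -1;
    return (data[CAP_WORD(CAP_SYS_RAWIO)].effective & CAP_BIT(CAP_SYS_RAWIO)) != 0;
}

/* Clear CAP_SYS_RAWIO from the calling thread's effective, permitted and
 * inheritable sets (lowering needs no privilege), then try to remove it from
 * the bounding set so a later exec cannot regain it via file capabilities.
 * Returns 0 on full success, 1 if the thread sets were cleared but the
 * bounding-set drop was refused (it needs CAP_SETPCAP), -1 on error. */
int drop_cap_sys_rawio(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = {{0}};
    unsigned w = CAP_WORD(CAP_SYS_RAWIO), b = CAP_BIT(CAP_SYS_RAWIO);

    if (cap_get(data) < 0)
        return -1;
    data[w].effective   &= ~b;
    data[w].permitted   &= ~b;
    data[w].inheritable &= ~b;
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -1;
    if (prctl(PR_CAPBSET_DROP, CAP_SYS_RAWIO, 0, 0, 0) < 0)
        return errno == EPERM ? 1 : -1;
    return 0;
}
```

Run as an unprivileged user the calls are no-ops that still succeed; run with the capability, the IRQ-assignment ioctl that hits the capable() check would have to be issued before drop_cap_sys_rawio() is called.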