From: Avi Kivity <avi@redhat.com>
To: Chris Wright <chrisw@sous-sol.org>
Cc: greg@kroah.com, jbarnes@virtuousgeek.org, matthew@wil.cx,
linux-pci@vger.kernel.org, linux-kernel@vger.kernel.org,
kvm@vger.kernel.org, ddutile@redhat.com,
alex.williamson@redhat.com
Subject: Re: [PATCH 2/2] pci: allow sysfs file owner to read device dependent config space
Date: Thu, 13 May 2010 13:56:53 +0300 [thread overview]
Message-ID: <4BEBDAF5.3020004@redhat.com> (raw)
In-Reply-To: <20100513012957.GB28034@sequoia.sous-sol.org>
On 05/13/2010 04:29 AM, Chris Wright wrote:
> The PCI config space bin_attr read handler has a hardcoded CAP_SYS_ADMIN
> check to verify privileges before allowing a user to read device
> dependent config space. This is meant to protect from an unprivileged
> user potentially locking up the box.
>
> When assigning a PCI device directly to a guest with libvirt and KVM,
> the sysfs config space file is chown'd to the unprivileged user that
> the KVM guest will run as. The guest needs to have full access to the
> device's config space since it's responsible for driving the device.
> However, despite being the owner of the sysfs file, the CAP_SYS_ADMIN
> check will not allow read access beyond the config header.
>
> With this patch the sysfs file owner is also considered privileged enough
> to read all of the config space.
>
>
Related questions:
- does sysfs support selinux labels?
- what about iommu?
So we give a user privileges to access a device. But if we don't
enforce iommu protection, you're giving the user access to the entire
system.
With kvm, qemu wraps the device with an iommu, but this is less secure
than it might be. Better to have a privileged process open the device,
irrevocably wrap it with an iommu, and pass the wrapped fd to qemu.
This is probably best done with uio, but it means all device access
needs to be available through the uio fd, including pci config space access.
--
error compiling committee.c: too many arguments to function
next prev parent reply other threads:[~2010-05-13 10:56 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-05-13 1:28 [PATCH 1/2] sysfs: add struct file* to bin_attr callbacks Chris Wright
2010-05-13 1:29 ` [PATCH 2/2] pci: allow sysfs file owner to read device dependent config space Chris Wright
2010-05-13 9:59 ` Alan Cox
2010-05-13 15:05 ` Chris Wright
2010-05-13 17:43 ` [PATCH 2/2 v2] pci: check caps from sysfs file open " Chris Wright
2010-05-13 19:06 ` Greg KH
2010-05-13 19:16 ` Chris Wright
2010-05-13 10:56 ` Avi Kivity [this message]
2010-05-13 11:02 ` [PATCH 2/2] pci: allow sysfs file owner " Daniel P. Berrange
2010-05-14 19:09 ` Greg KH
2010-05-14 19:26 ` Jesse Barnes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4BEBDAF5.3020004@redhat.com \
--to=avi@redhat.com \
--cc=alex.williamson@redhat.com \
--cc=chrisw@sous-sol.org \
--cc=ddutile@redhat.com \
--cc=greg@kroah.com \
--cc=jbarnes@virtuousgeek.org \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=matthew@wil.cx \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).