From: Avi Kivity <avi@redhat.com>
To: Chris Wright <chrisw@redhat.com>
Cc: Sasha Levin <levinsasha928@gmail.com>, kvm <kvm@vger.kernel.org>,
Alex Williamson <Alex.Williamson@redhat.com>
Subject: Re: KVM device assignment and user privileges
Date: Mon, 21 Nov 2011 10:32:05 +0200 [thread overview]
Message-ID: <4ECA0C85.3090805@redhat.com> (raw)
In-Reply-To: <20111121044216.GD7163@x200.localdomain>
On 11/21/2011 06:42 AM, Chris Wright wrote:
> * Avi Kivity (avi@redhat.com) wrote:
> > On 11/20/2011 04:58 PM, Sasha Levin wrote:
> > > Hi all,
> > >
> > > I've been working on adding device assignment to KVM tools, and started
> > > with the basics of just getting a device assigned using the
> > > KVM_ASSIGN_PCI_DEVICE ioctl.
> > >
> > > What I've figured is that unprivileged users can request any PCI device
> > > to be assigned to him, including devices which he shouldn't be touching.
> > >
> > > In my case, it happened with the VGA card, where an unprivileged user
> > > simply called KVM_ASSIGN_PCI_DEVICE with the bus, seg and fn of the VGA
> > > card and caused the display on the host to go apeshit.
> > >
> > > Was it supposed to work this way?
> >
> > No, of course not.
>
> Indeed. A device is typically owned by a host OS driver which precludes
> device assignment from working. If it's not, the unprivilged guest
> will not have access to the device's config space or resource bars as
> they are only rw for a privileged user. And similarly, /dev/kvm was
> typically left as 0644. As you can see, it's fragile.
>
> > > I couldn't find any security checks in
> > > the code paths of KVM_ASSIGN_PCI_DEVICE and it looks like any user can
> > > invoke it with any parameters he'd want - enabling him to kill the host.
> >
> > Alex, Chris?
>
> The security checks were removed some time back. The expectation was
> that there was nothing an unprivleged user could usefully do w/ the
> assign device ioctl, and the assign irq ioctl only works after assign
> device. It's built on an overly fragile set of assumptions, however.
> Avi, the simplest short term thing to do now might be simply revert:
>
> 48bb09e KVM: remove CAP_SYS_RAWIO requirement from kvm_vm_ioctl_assign_irq
That does nothing for for the KVM_ASSIGN_PCI_DEVICE ioctl.
> While it's a regression for existing unprivileged users it's better than
> a hole. And in the meantime, we can come up w/ something better to
> replace with.
How about doing an access(2) equivalent check for one of the sysfs files
used to represent the device? If libvirt already chowns them to the
right user, then we have no regression, at least for that use case.
--
error compiling committee.c: too many arguments to function
prev parent reply other threads:[~2011-11-21 8:32 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-20 14:58 KVM device assignment and user privileges Sasha Levin
2011-11-20 15:15 ` Avi Kivity
2011-11-21 4:42 ` Chris Wright
2011-11-21 8:32 ` Avi Kivity [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4ECA0C85.3090805@redhat.com \
--to=avi@redhat.com \
--cc=Alex.Williamson@redhat.com \
--cc=chrisw@redhat.com \
--cc=kvm@vger.kernel.org \
--cc=levinsasha928@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).