From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Erik Skultety <eskultet@redhat.com>
Cc: "Singh, Brijesh" <brijesh.singh@amd.com>,
"libvir-list@redhat.com" <libvir-list@redhat.com>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
"dinechin@redhat.com" <dinechin@redhat.com>,
"mkletzan@redhat.com" <mkletzan@redhat.com>
Subject: Re: [Qemu-devel] AMD SEV's /dev/sev permissions and probing QEMU for capabilities
Date: Wed, 30 Jan 2019 10:37:19 +0000 [thread overview]
Message-ID: <20190130103719.GF15904@redhat.com> (raw)
In-Reply-To: <20190130080630.GI5315@beluga.usersys.redhat.com>
On Wed, Jan 30, 2019 at 09:06:30AM +0100, Erik Skultety wrote:
> Thanks for ^this bit which helped me understand the bits below. When I read the
> man page yesterday the first question was, okay, how do I figure out whether
> the file capabilities bit is set? Well, use xattrs...which didn't return
> anything, so I was puzzled what exactly it should look like, but now that you
> explained that most binaries actually lack the file capabilities, I see the
> issue clearly :).
The commands you want to experiment with are "getcap" and "setcap" eg
# getcap qemu-system-x86_64
# setcap cap_dac_override=+ep qemu-system-x86_64
# getcap qemu-system-x86_64
qemu-system-x86_64 = cap_dac_override+ep
# setcap cap_dac_override= qemu-system-x86_64
# getcap qemu-system-x86_64
qemu-system-x86_64 =
# setcap -r qemu-system-x86_64
# getcap qemu-system-x86_64
#
> > +
> > ret = 0;
> > cleanup:
> > return ret;
> >
> >
> > though, we need a #ifdef check for existance of PR_CAP_AMBIENT
> >
> > > An alternative question I've been playing ever since we exchanged the last few
> > > emails is that can't we wait until the ioctls are compared against permissions
> > > in kernel so that upstream libvirt (and downstream too for that matter) doesn't
> > > have to work around it and stick with that workaround for eternity?
> >
> > IIUC, the SEV feature has already shipped with distros, so we'd effectively
> > be saying that what we already shipped is unusable to libvirt. This doesn't
> > feel like a desirable story to me.
>
> It was, but it never worked, it always has been broken in this way. When we
> were merging this upstream, we had a terrible shortage of machines and we had
> to share, so the first person to provision the machine had already taken care
> of the permissions in order to test so that led to this issue having been
> overlooked until now. If it ever worked as expected and then we broke it, then
> any fix from our side would make sense but otherwise I believe we should fix
> this bottom up.
Well technically it would work if libvirt was configured to run as
root:root, but yes, that is not a normal or recommended configuration.
Personally I have a preference for userspace solutions, as those are
pretty straightforward to roll out to people as patches in existing
releases. Deploying kernel updates is a higher bar to cross for an
existing release.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2019-01-30 10:37 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-18 9:39 [Qemu-devel] AMD SEV's /dev/sev permissions and probing QEMU for capabilities Erik Skultety
2019-01-18 10:16 ` Daniel P. Berrangé
2019-01-18 10:56 ` [Qemu-devel] [libvirt] " Erik Skultety
2019-01-18 11:11 ` [Qemu-devel] " Martin Kletzander
2019-01-18 11:17 ` Daniel P. Berrangé
2019-01-18 11:31 ` Martin Kletzander
2019-01-18 12:51 ` Singh, Brijesh
2019-01-23 12:55 ` Erik Skultety
2019-01-23 13:10 ` Daniel P. Berrangé
2019-01-23 13:22 ` Erik Skultety
2019-01-23 13:24 ` Daniel P. Berrangé
2019-01-23 13:33 ` Erik Skultety
2019-01-23 13:36 ` Daniel P. Berrangé
2019-01-23 15:02 ` Singh, Brijesh
2019-01-23 15:29 ` Erik Skultety
2019-01-29 16:15 ` Erik Skultety
2019-01-29 18:40 ` Daniel P. Berrangé
2019-01-30 8:06 ` Erik Skultety
2019-01-30 10:37 ` Daniel P. Berrangé [this message]
2019-01-30 13:39 ` Erik Skultety
2019-01-30 17:47 ` Singh, Brijesh
2019-01-30 18:18 ` Daniel P. Berrangé
2019-01-31 15:28 ` Erik Skultety
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190130103719.GF15904@redhat.com \
--to=berrange@redhat.com \
--cc=brijesh.singh@amd.com \
--cc=dinechin@redhat.com \
--cc=eskultet@redhat.com \
--cc=libvir-list@redhat.com \
--cc=mkletzan@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).