* Daniel P. Berrange (berrange@xxxxxxxxxx) wrote: > On Thu, Jan 07, 2010 at 04:50:03PM -0800, Chris Wright wrote: > > Basically, this means that device assignment w/ libvirt will break > > MSI/MSI-X because qemu will never be able to see that the host device > > has those PCI capabilities. This, in turn, renders VF device assignment > > useless (since a VF is required to support MSI and/or MSI-X). > > > > Granting CAP_SYS_ADMIN for each qemu instance that does device assignment > > would render the privilege reduction useless (CAP_SYS_ADMIN is the > > kitchen sink catchall of the Linux capability system). > > Yeah that's pretty troublesome, even when libvirt runs QEMU as 'root', it will > remove all capabilities. Why is the 'CAP_SYS_ADMIN' check there - is it a > mistakenly over-zealous permission check that could be removed, just relying > on access controls on the sysfs /sys/bus/pci/devices/<DEVICE>/config > file ? Tools like lspci expect the ability to read a pci function's config space header. In the past there have been devices that wedge when reading areas of device dependent config space that are not implemented, so this portion of config space is protected (hence the need for privileges to do lspci -v). thanks, -chris -- Libvir-list mailing list Libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list