Re: [PATCH RFC v2 00/13] IOMMUFD Generic interface

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Sep 23, 2022 at 10:46:21AM -0300, Jason Gunthorpe wrote:
> On Fri, Sep 23, 2022 at 02:35:20PM +0100, Daniel P. Berrangé wrote:
> > On Fri, Sep 23, 2022 at 10:29:41AM -0300, Jason Gunthorpe wrote:
> > > On Fri, Sep 23, 2022 at 09:54:48AM +0100, Daniel P. Berrangé wrote:
> > > 
> > > > Yes, we use cgroups extensively already.
> > > 
> > > Ok, I will try to see about this
> > > 
> > > Can you also tell me if the selinux/seccomp will prevent qemu from
> > > opening more than one /dev/vfio/vfio ? I suppose the answer is no?
> > 
> > I don't believe there's any restriction on the nubmer of open attempts,
> > its just a case of allowed or denied globally for the VM.
> 
> Ok
> 
> For iommufd we plan to have qemu accept a single already opened FD of
> /dev/iommu and so the selinux/etc would block all access to the
> chardev.

A selinux policy update would be needed to allow read()/write() for the
inherited FD, whle keeping open() blocked

> Can you tell me if the thing invoking qmeu that will open /dev/iommu
> will have CAP_SYS_RESOURCE ? I assume yes if it is already touching
> ulimits..

The privileged libvirtd runs with privs equiv to root, so all
capabilities are present.

The unprivileged libvirtd runs with same privs as your user account,
so no capabilities. I vaguely recall there was some way to enable
use of PCI passthrough for unpriv libvirtd, but needed a bunch of
admin setup steps ahead of time.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|




[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux