On Thu, May 13, 2010 at 01:56:53PM +0300, Avi Kivity wrote: > On 05/13/2010 04:29 AM, Chris Wright wrote: > >The PCI config space bin_attr read handler has a hardcoded CAP_SYS_ADMIN > >check to verify privileges before allowing a user to read device > >dependent config space. This is meant to protect from an unprivileged > >user potentially locking up the box. > > > >When assigning a PCI device directly to a guest with libvirt and KVM, > >the sysfs config space file is chown'd to the unprivileged user that > >the KVM guest will run as. The guest needs to have full access to the > >device's config space since it's responsible for driving the device. > >However, despite being the owner of the sysfs file, the CAP_SYS_ADMIN > >check will not allow read access beyond the config header. > > > >With this patch the sysfs file owner is also considered privileged enough > >to read all of the config space. > > > > > > Related questions: > > - does sysfs support selinux labels? With a recent enough kernel + selinux policy it does. Regards, Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :| -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
