Re: [PATCH v3 0/3] vduse: add support for networking devices

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Wed, Aug 30, 2023 at 01:27:18PM +0200, Maxime Coquelin wrote:
> 
> 
> On 8/29/23 19:05, Michael S. Tsirkin wrote:
> > On Tue, Aug 29, 2023 at 03:34:06PM +0200, Maxime Coquelin wrote:
> > > 
> > > 
> > > On 8/11/23 00:00, Jakub Kicinski wrote:
> > > > On Thu, 10 Aug 2023 17:42:11 -0400 Michael S. Tsirkin wrote:
> > > > > > Directly into the stack? I thought VDUSE is vDPA in user space,
> > > > > > meaning to get to the kernel the packet has to first go thru
> > > > > > a virtio-net instance.
> > > > > 
> > > > > yes. is that a sufficient filter in your opinion?
> > > > 
> > > > Yes, the ability to create the device feels stronger than CAP_NET_RAW,
> > > > and a bit tangential to CAP_NET_ADMIN. But I don't have much practical
> > > > experience with virt so no strong opinion, perhaps it does make sense
> > > > for someone's deployment? Dunno..
> > > > 
> > > 
> > > I'm not sure CAP_NET_ADMIN should be required for creating the VDUSE
> > > devices, as the device could be attached to vhost-vDPA and so not
> > > visible to the Kernel networking stack.
> > > 
> > > However, CAP_NET_ADMIN should be required to attach the VDUSE device to
> > > virtio-vdpa/virtio-net.
> > > 
> > > Does that make sense?
> > > 
> > > Maxime
> > 
> > OK. How are we going to enforce it?
> 
> Actually, it seems already enforced for all VDPA devices types.
> Indeed, the VDPA_CMD_DEV_NEW Netlink command used to add the device to
> the VDPA bus has the GENL_ADMIN_PERM flag set, and so require
> CAT_NET_ADMIN.

Hmm good point. Pity I didn't notice earlier. Oh well there's always
the next release.

> > Also, we need a way for selinux to enable/disable some of these things
> > but not others.
> 
> Ok, I can do it in a patch on top.
> Do you have a pointer where it is done for Virtio Block devices?
> 
> Maxime

It's not done yet - at the moment vduse device is always block so we
didn't need the distinction.

-- 
MST

_______________________________________________
Virtualization mailing list
Virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/virtualization
[Index of Archives]     [KVM Development]     [Libvirt Development]     [Libvirt Users]     [CentOS Virtualization]     [Netdev]     [Ethernet Bridging]     [Linux Wireless]     [Kernel Newbies]     [Security]     [Linux for Hams]     [Netfilter]     [Bugtraq]     [Yosemite Forum]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux Admin]     [Samba]

  Powered by Linux