| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1222343711-12508-9-git-send-email-avi@redhat.com>
Date: Thu, 25 Sep 2008 14:54:40 +0300
From: Avi Kivity <avi@...hat.com>
To: linux-kernel@...r.kernel.org
Cc: kvm@...r.kernel.org, Amit Shah <amit.shah@...ranet.com>
Subject: [PATCH 08/39] KVM: Device assignment: Check for privileges before assigning irq
From: Amit Shah <amit.shah@...ranet.com>
Even though we don't share irqs at the moment, we should ensure
regular user processes don't try to allocate system resources.
We check for capability to access IO devices (CAP_SYS_RAWIO) before
we request_irq on behalf of the guest.
Noticed by Avi.
Signed-off-by: Amit Shah <amit.shah@...ranet.com>
Signed-off-by: Avi Kivity <avi@...ranet.com>
---
arch/x86/kvm/x86.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 4a03375..fffdf4f 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -191,6 +191,11 @@ static int kvm_vm_ioctl_assign_irq(struct kvm *kvm,
kvm_assigned_dev_interrupt_work_handler);
if (irqchip_in_kernel(kvm)) {
+ if (!capable(CAP_SYS_RAWIO)) {
+ return -EPERM;
+ goto out;
+ }
+
if (assigned_irq->host_irq)
match->host_irq = assigned_irq->host_irq;
else
--
1.6.0.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists