[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20111220142907.30073.63730.stgit@bling.home>
Date: Tue, 20 Dec 2011 07:30:13 -0700
From: Alex Williamson <alex.williamson@...hat.com>
To: avi@...hat.com, kvm@...r.kernel.org
Cc: linux-kernel@...r.kernel.org, jan.kiszka@...mens.com,
levinsasha928@...il.com
Subject: [PATCH v2 0/2] kvm: Lock down device assignment
v2: Update API documentation for each patch
Two patches to try to better secure the device assignment ioctl.
This firt patch makes KVM_DEV_ASSIGN_ENABLE_IOMMU a mandatory
option when assigning a device. I don't believe we have any
users of this option, so I think we can skip any deprecation
period, especially since it's existence is rather dangerous.
The second patch introduces some file permission checking that Avi
suggested. If a user has been granted read/write permission to
the PCI sysfs BAR resource files, this is a good indication that
they have access to the device. We can't call sys_faccessat
directly (not exported), but the important bits are self contained
enough to include directly. This still works with sudo and libvirt
usage, the latter already grants qemu permission to these files.
Thanks,
Alex
---
Alex Williamson (2):
kvm: Device assignment permission checks
kvm: Remove ability to assign a device without iommu support
Documentation/virtual/kvm/api.txt | 7 ++++
virt/kvm/assigned-dev.c | 73 ++++++++++++++++++++++++++++++++-----
2 files changed, 70 insertions(+), 10 deletions(-)
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists