The problem with /dev/sev's default permissions (0600 root:root) is that we
can't make it more permissive at the moment otherwise we'd weaken the security
of SEV and potentially open the door for a DOS attack. Therefore, the
alternative approach is to set CAP_DAC_OVERRIDE capability for the probing QEMU
process (and *only* when probing) so that libvirt truly works with SEV. As a
necessary side job, this series also makes /dev/sev only available to machines
that need it, thus mitigating the possible attack surface even more.
Erik Skultety (5):
qemu: conf: Remove /dev/sev from the default cgroup device acl list
qemu: cgroup: Expose /dev/sev/ only to domains that require SEV
qemu: domain: Add /dev/sev into the domain mount namespace selectively
security: dac: Relabel /dev/sev in the namespace
qemu: caps: Use CAP_DAC_OVERRIDE for probing to avoid permission
issues
docs/drvqemu.html.in | 2 +-
src/qemu/qemu.conf | 2 +-
src/qemu/qemu_capabilities.c | 11 +++++++
src/qemu/qemu_cgroup.c | 21 +++++++++++-
src/qemu/qemu_domain.c | 24 ++++++++++++++
src/qemu/test_libvirtd_qemu.aug.in | 1 -
src/security/security_dac.c | 51 ++++++++++++++++++++++++++++++
src/util/virutil.c | 31 ++++++++++++++++--
8 files changed, 137 insertions(+), 6 deletions(-)
--
2.20.1