On Fri, May 14, 2010 at 12:24:13AM +0200, Gerd v. Egidy wrote:
> Hi Chris,
>
> > > I traced the issue down to a missing CAP_SYS_RAWIO. The kvm kernel module
> > > requires CAP_SYS_RAWIO to use the KVM_ASSIGN_DEV_IRQ ioctl.
> >
> > There is some pending work in KVM to deal with this. It simply removes
> > CAP_SYS_RAWIO. Need to finish auditing this.
>
> Thanks for confirming the issue.
>
> > Dropping all but
> > CAP_SYS_RAWIO in libvirt isn't a good final solution since it
> > drastically undermines the value of dropping privileges.
>
> Wouldn't it make sense to do just that as a temporary solution until the real
> fix is finished?

No, giving QEMU capabilities in this way seriously undermines the security
of the host for all users regardless of whether they actually use SR-IOV.
The kernel needs fixing.
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
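
Added example, not part of the original thread and not libvirt or KVM code: a host-side audit check that decodes the capability sets in the text of `/proc/<pid>/status` and reports where CAP_SYS_RAWIO is still held, which is how one would confirm that a QEMU process really runs with it dropped. The function names and both sample status excerpts are constructed for illustration; the bit number 17 is the value of CAP_SYS_RAWIO in `linux/capability.h`.

```python
# Added example: audit a process's capability sets for CAP_SYS_RAWIO.
CAP_SYS_RAWIO = 17  # bit number from linux/capability.h
SETS = ("CapInh", "CapPrm", "CapEff", "CapBnd")

# Constructed samples shaped like /proc/<pid>/status (not from a real host).
SAMPLE_ALL_DROPPED = """Name:\tqemu-kvm
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000000000000000
"""
SAMPLE_RAWIO_KEPT = """Name:\tqemu-kvm
CapInh:\t0000000000000000
CapPrm:\t0000000000020000
CapEff:\t0000000000020000
CapBnd:\t0000000000020000
"""


def parse_cap_sets(status_text):
    """Return {set_name: mask} parsed from the text of /proc/<pid>/status."""
    masks = {}
    for line in status_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name in SETS:
            masks[name] = int(value.strip(), 16)
    missing = [s for s in SETS if s not in masks]
    if missing:
        # Refuse to report "clean" when the input is truncated or malformed.
        raise ValueError("capability sets missing from input: %s" % missing)
    return masks


def sets_holding(status_text, cap_bit=CAP_SYS_RAWIO):
    """List the capability sets in which the given capability bit is set."""
    masks = parse_cap_sets(status_text)
    return [name for name in SETS if (masks[name] >> cap_bit) & 1]


def audit(status_text):
    """Summarise CAP_SYS_RAWIO exposure for one process."""
    held = sets_holding(status_text)
    return {
        "held_in": held,
        "usable_now": "CapEff" in held,   # process can exercise it right now
        "fully_dropped": not held,        # absent from every set
    }


if __name__ == "__main__":
    for label, text in (("dropped", SAMPLE_ALL_DROPPED), ("kept", SAMPLE_RAWIO_KEPT)):
        print(label, audit(text))
```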