[libvirt] CAP_SYS_RAWIO missing for qemu-kvm device passthrough
Hi, I'm running current git libvirt on Fedora 13 beta. I enabled the use of libcap-ng as it is done in the regular F13 .spec. When I now pass a pci card through to a qemu-kvm guest using vt-d I get this error from qemu-kvm: Failed to assign irq for "hostdev0": Operation not permitted Perhaps you are assigning a device that shares an IRQ with another device? I'm running qemu-kvm as root. But that doesn't seem to be enough: I traced the issue down to a missing CAP_SYS_RAWIO.The kvm kernel module requires CAP_SYS_RAWIO to use the KVM_ASSIGN_DEV_IRQ ioctl. When I remove the capability-dropping from libvirt like this everything works as expected: --- libvirt/src/qemu/qemu_driver.c 2010-05-13 22:50:13.000000000 +0200 +++ libvirt.new/src/qemu/qemu_driver.c 2010-05-13 23:18:49.286311290 +0200 @@ -3359,7 +3359,7 @@ ret = virExecDaemonize(argv, progenv, &keepfd, &child, stdin_fd, &logfile, &logfile, - VIR_EXEC_NONBLOCK | VIR_EXEC_CLEAR_CAPS, + VIR_EXEC_NONBLOCK, qemudSecurityHook, &hookData, pidfile); VIR_FREE(pidfile); Is there a better solution to get device passthrough to work? Kind regards, Gerd
* Gerd v. Egidy (lists@egidy.de) wrote:
Hi,
I'm running current git libvirt on Fedora 13 beta. I enabled the use of libcap-ng as it is done in the regular F13 .spec.
When I now pass a pci card through to a qemu-kvm guest using vt-d I get this error from qemu-kvm:
Failed to assign irq for "hostdev0": Operation not permitted Perhaps you are assigning a device that shares an IRQ with another device?
I'm running qemu-kvm as root. But that doesn't seem to be enough:
I traced the issue down to a missing CAP_SYS_RAWIO.The kvm kernel module requires CAP_SYS_RAWIO to use the KVM_ASSIGN_DEV_IRQ ioctl.
There is some pending work in KVM to deal with this. It simply removes CAP_SYS_RAWIO. Need to finish auditing this. Dropping all but CAP_SYS_RAWIO in libvirt isn't a good final solution since it drastically undermines the value of dropping privileges. thanks, -chris
Hi Chris,
I traced the issue down to a missing CAP_SYS_RAWIO.The kvm kernel module requires CAP_SYS_RAWIO to use the KVM_ASSIGN_DEV_IRQ ioctl.
There is some pending work in KVM to deal with this. It simply removes CAP_SYS_RAWIO. Need to finish auditing this.
Thanks for confirming the issue.
Dropping all but CAP_SYS_RAWIO in libvirt isn't a good final solution since it drastically undermines the value of dropping privileges.
Wouldn't it make sense to do just that as a temporary solution until the real fix is finished? Without a fix for this issue, Fedora 13 will, when released, not be able to do pci device passthrough or SR-IOV. This is a regression from F12, where SR-IOV was one of the key features (like device passthrough was in F11). Kind regards, Gerd
* Gerd v. Egidy (lists@egidy.de) wrote:
Hi Chris,
I traced the issue down to a missing CAP_SYS_RAWIO.The kvm kernel module requires CAP_SYS_RAWIO to use the KVM_ASSIGN_DEV_IRQ ioctl.
There is some pending work in KVM to deal with this. It simply removes CAP_SYS_RAWIO. Need to finish auditing this.
Thanks for confirming the issue.
Dropping all but CAP_SYS_RAWIO in libvirt isn't a good final solution since it drastically undermines the value of dropping privileges.
Wouldn't it make sense to do just that as a temporary solution until the real fix is finished?
Without a fix for this issue, Fedora 13 will, when released, not be able to do pci device passthrough or SR-IOV. This is a regression from F12, where SR-IOV was one of the key features (like device passthrough was in F11).
There's another issue w/ CAP_SYS_ADMIN. At that point we may as well not drop any privileges. So, best is to fix the issues. thanks, -chris
On Fri, May 14, 2010 at 12:24:13AM +0200, Gerd v. Egidy wrote:
Hi Chris,
I traced the issue down to a missing CAP_SYS_RAWIO.The kvm kernel module requires CAP_SYS_RAWIO to use the KVM_ASSIGN_DEV_IRQ ioctl.
There is some pending work in KVM to deal with this. It simply removes CAP_SYS_RAWIO. Need to finish auditing this.
Thanks for confirming the issue.
Dropping all but CAP_SYS_RAWIO in libvirt isn't a good final solution since it drastically undermines the value of dropping privileges.
Wouldn't it make sense to do just that as a temporary solution until the real fix is finished?
No, giving QEMU capabilities in this way seriously undermines the security of the host for all users regardless of whether they actually use SR-IOV. The kernel needs fixing. Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
participants (3)
-
Chris Wright -
Daniel P. Berrange -
Gerd v. Egidy