[PATCH] KVM: Device assignment: Check for privileges before assigning irq

Amit Shah Wed, 13 Aug 2008 06:22:48 -0700

Even though we don't share irqs at the moment, we should ensure
regular user processes don't try to allocate system resources.


We check for capability to access IO devices (CAP_SYS_RAWIO) before
we request_irq on behalf of the guest.

Noticed by Avi.

Signed-off-by: Amit Shah <[EMAIL PROTECTED]>
---
 arch/x86/kvm/x86.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index ee005a6..fb32c3d 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -191,6 +191,11 @@ static int kvm_vm_ioctl_assign_irq(struct kvm *kvm,
                  kvm_assigned_dev_interrupt_work_handler);
 
        if (irqchip_in_kernel(kvm)) {
+               if (!capable(CAP_SYS_RAWIO)) {
+                       return -EPERM;
+                       goto out;
+               }
+
                if (assigned_irq->host_irq)
                        match->host_irq = assigned_irq->host_irq;
                else
-- 
1.5.6.5

--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] KVM: Device assignment: Check for privileges before assigning irq

Reply via email to