Michael Tokarev wrote:
> Hello!
>
> I'm - finally - experimenting with PCI device assignment in kvm-83, starting with something as simple as an internal dialup modem (not softmodem) which uses no DMA and does not share IRQ with other devices. The thing works just fine, but only when run as root. When running as non-root, even after chmod'ing /sys/bus/pci/.../config appropriately, it fails to activate the device in question:
>
>   $ kvm ... -pcidevice host=03:06.0 ...
>   Failed to assign irq for "03:06.0": Operation not permitted
>   Perhaps you are assigning a device that shares an IRQ with another device?
>
> (No IRQ sharing here).
>
> After looking at the source I found this in x86/kvm_main.c:assigned_device_update_intx():
>
>   if (!capable(CAP_SYS_RAWIO))
>       return -EPERM;
>
> So basically it wants the user to have SYS_RAWIO capability to assign the irq. That's probably right, but it effectively makes the whole thing root-only, because capability system is broken on linux (it's another long topic, what's relevant here is that one can't grant any given capability to a given non-root process). Even if it were solved and a non-root has SYS_RAWIO, it's better to drop that capability after all the init stuff is done, following the very good principle of least privilege (this is why I want to run it as non-root to start with; it's more: on a production system I'll restore permissions of the sysfs files after startup).
>
> So it looks like some other trick is needed here (not cap_sys_rawio but some traditional unix rwx thing), OR kvm binary has to be able to drop privileges after all the init is done.

Dropping privileges is easy (well, need to account for all threads) but will not play well with hotplug.

> The latter SEEMS to be easy as it only involves userspace (it's ok for me to start the whole thing as root as long as it drops privs, I don't need to give certain PCI devices to arbitrary users), but has its own issues. Namely, I'd like kvm to open disk image files and stuff like that as non-root too, since it's the only way to force read-only opens currently.
Looks like we need -drive ...,access=readonly

--
error compiling committee.c: too many arguments to function
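
The "start as root, finish init, then drop privileges" approach discussed in this message, as an added example that is not part of the original mail and is not kvm code: it drops to an unprivileged uid/gid and reads the CapEff mask from /proc/self/status to confirm CAP_SYS_RAWIO is gone. The function names and the uid/gid 65534 are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CAP_SYS_RAWIO_NR 17 /* CAP_SYS_RAWIO in <linux/capability.h> */

/* 1 if bit `cap` is set in the CapEff: line of /proc/<pid>/status text,
 * 0 if clear, -1 if the line is missing. */
int status_has_cap(const char *status, int cap)
{
    const char *p = strstr(status, "CapEff:");
    if (!p)
        return -1;
    return (int)((strtoull(p + 7, NULL, 16) >> cap) & 1);
}

/* Effective CAP_SYS_RAWIO of the calling process, -1 on read failure. */
int self_has_rawio(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return status_has_cap(buf, CAP_SYS_RAWIO_NR);
}

/* Drop from root after init. Groups and gid go first: once setuid() has
 * succeeded the process can no longer change them. glibc's wrappers apply
 * the change to every thread; the raw syscalls are per-thread. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0; /* regaining root must fail */
}

int main(void)
{
    printf("before drop: CAP_SYS_RAWIO=%d\n", self_has_rawio());
    /* 65534 is an assumed unprivileged uid/gid ("nobody" on many systems) */
    if (getuid() == 0 && drop_privileges(65534, 65534) == 0)
        printf("after drop:  CAP_SYS_RAWIO=%d\n", self_has_rawio());
    return 0;
}
```

Any operation gated on capable(CAP_SYS_RAWIO) has to be completed before drop_privileges() is called, which is why a later hotplug request would fail with the same -EPERM.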
