Avi Kivity wrote:
> Michael Tokarev wrote:
[]
>> After looking at the source I found this in
>> x86/kvm_main.c:assigned_device_update_intx():
>>
>>     if (!capable(CAP_SYS_RAWIO))
>>         return -EPERM;
[]
>> So it looks like some other trick is needed here (not cap_sys_rawio
>> but some traditional unix rwx thing), OR the kvm binary has to be able
>> to drop privileges after all the init is done.
>
> Dropping privileges is easy (well, need to account for all threads) but
> will not play well with hotplug.

It's either one or the other for sure. Personally I use kvm as a sort of
security tool, to run various untrusted stuff inside guests. For that,
hotplug, while sometimes useful to have, isn't at all required, and if
there's a choice between hotplug and stronger security I'll definitely
prefer the latter. And sure thing, having a choice is good in any case --
now there's just no choice.

But maybe there's some other option to achieve a similar effect, i.e. to be
able to open and initialize some (PCI/USB/network) at startup without
keeping root (or various CAP_*) all the time?

>> The latter SEEMS to be easy as it only involves userspace (it's ok
>> for me to start the whole thing as root as long as it drops privs,
>> I don't need to give certain PCI devices to arbitrary users), but
>> has its own issues. Namely, I'd like kvm to open disk image files
>> and stuff like that as non-root too, since it's the only way to
>> force read-only opens currently.
>
> Looks like we need -drive ...,access=readonly

Yeah, that'd be good too. Speaking of which, there's still a bug somewhere
that causes a guest to hang in case it tries to write to a virtual drive
open in read-only mode. It *is* a bug, because it's pretty normal for
various real drives to be read-only (a trivial example is a write-protected
floppy drive; many SCSI drives have a read-only flag which can be turned
on/off using hdparm or sdparm), and with real drives on real hardware there
are no hangs of this sort: the system correctly recognizes read-only media
without hanging on an attempt to write.

Thanks!

/mjt
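Added example (not code from this thread or from kvm): the "open while still privileged, then drop" pattern the exchange above turns on, in C. It opens a constructed scratch file read-only, drops to an unprivileged uid/gid in the safe order (groups, gid, uid), checks that root cannot be regained, and shows that the read-only descriptor refuses writes afterwards; the helper names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/* Create a scratch file (a constructed stand-in for a disk image) and return
   a descriptor opened read-only on it; the file itself is unlinked. */
int open_readonly_scratch(void) {
    char path[] = "/tmp/img-XXXXXX";
    int wfd = mkstemp(path);
    if (wfd < 0) return -1;
    int rfd = open(path, O_RDONLY | O_CLOEXEC);  /* the forced read-only open */
    unlink(path);
    close(wfd);
    return rfd;
}
/* 1 if a write on fd is refused with EBADF: a descriptor opened read-only
   stays read-only no matter what privileges the process holds later. */
int write_is_refused(int fd) {
    char b = 0;
    errno = 0;
    return write(fd, &b, 1) == -1 && errno == EBADF;
}
/* Drop permanently to uid/gid (real, effective and saved ids) in the safe
   order: supplementary groups, gid, then uid. The glibc wrappers apply the
   change to every thread (the "account for all threads" point); a raw
   syscall would change the calling thread only. Returns 0 on success. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) == -1) return -1;
    if (setresgid(gid, gid, gid) == -1) return -1;
    if (setresuid(uid, uid, uid) == -1) return -1;
    /* Verify the drop took effect and that root cannot be regained. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) != -1) return -1;
    return 0;
}
int main(void) {
    int fd = open_readonly_scratch();               /* done while still privileged */
    /* Target ids: SUDO_UID/SUDO_GID when started via sudo, else current ids. */
    const char *su = getenv("SUDO_UID"), *sg = getenv("SUDO_GID");
    uid_t uid = su ? (uid_t)strtoul(su, NULL, 10) : getuid();
    gid_t gid = sg ? (gid_t)strtoul(sg, NULL, 10) : getgid();
    if (fd < 0 || drop_privileges(uid, gid) != 0) { perror("init"); return 1; }
    printf("uid=%u gid=%u write refused=%d\n", (unsigned)getuid(),
           (unsigned)getgid(), write_is_refused(fd));
    return 0;
}
```

Run it as root via sudo to see the drop to the invoking user; run unprivileged and it simply confirms the ids and the refused write.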
