author    Matthias Maier <tamiko@gentoo.org>  2018-03-27 10:10:52 -0500
committer Matthias Maier <tamiko@gentoo.org>  2018-03-27 10:44:04 -0500
commit    2fc1bc6c7b1f41a3a7df74ce8e170996eb7e36d9 (patch)
tree      3a86f795a150620a8120b14f952a57cff5d9325e /app-emulation/qemu
parent    app-emulation/qemu: drop obsolete file (diff)
download  gentoo-2fc1bc6c7b1f41a3a7df74ce8e170996eb7e36d9.tar.gz
          gentoo-2fc1bc6c7b1f41a3a7df74ce8e170996eb7e36d9.tar.bz2
          gentoo-2fc1bc6c7b1f41a3a7df74ce8e170996eb7e36d9.zip
app-emulation/qemu: add rule to fix permissions on /dev/vfio/vfio
The device node /dev/vfio/vfio gets created on modprobing the vfio* modules.
This happens in particular on demand when a qemu vm with PCI passthrough is
started up. The default permissions for the freshly created device node are

  crw-rw-rw- 1 root root 10, 196 Mar 27 08:44 /dev/vfio/vfio

This is terrible.

This patch adds a udev rule and makes sure that the device node has rw
permissions for user root, and group kvm (and no permissions for all).

This fixes
 - startup when a qemu-kvm is started as non-root (provided the user is in
   group kvm, which is our current policy for accessing /dev/kvm, etc., anyway).
 - work around this security vulnerability, where /dev/vfio/vfio is created
   with world writable permissions upon modprobe. [1]

Thanks to username234, Kash Pande, Ted Rodgers for discovery and patch!

[1] Steps to reproduce:

  % ls -la /dev/vfio/vfio
  crw------- 1 root root 10, 196 Mar 27 15:40 /dev/vfio/vfio
  % modprobe vfio
  % ls -la /dev/vfio/vfio
  crw-rw-rw- 1 root root 10, 196 Mar 27 15:41 /dev/vfio/vfio

[2] I cannot find a udev rule installed by libvirt/qemu/... that triggers
these permissions.

Bug: https://bugs.gentoo.org/651668
Package-Manager: Portage-2.3.24, Repoman-2.3.6
RepoMan-Options: --force
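The commit message above describes the condition the rule is meant to prevent: a VFIO device node owned by root:root with the "other" write bit set. The following shell script is an added example, not part of the commit or of the Gentoo package; it audits the nodes in a /dev/vfio-style directory against the policy the commit states (owner root, group kvm, no permissions for others) and reports any node that still violates it. It assumes GNU coreutils `stat -c` is available; the mode/owner/group strings fed to `check_node_perms` in the test are constructed samples, not captured output.

```shell
#!/bin/sh
# Audit device nodes against the root:kvm, no-"other"-access policy from the
# commit message. Each check takes "MODE OWNER GROUP" as printed by
# `stat -c '%A %U %G'` (assumption: GNU coreutils stat), so it works on live
# nodes as well as on constructed sample values.

# Return 0 when the node is acceptable: a character device, owned by root,
# group kvm, and with an empty "other" triad (no r/w/x for everyone else).
check_node_perms() {
    mode=$1
    owner=$2
    group=$3
    # Only character devices are expected under /dev/vfio.
    case "$mode" in
        c*) ;;
        *) return 1 ;;
    esac
    # Characters 8-10 of the symbolic mode are the "other" triad.
    other=$(printf '%s' "$mode" | cut -c8-10)
    [ "$other" = "---" ] || return 1
    [ "$owner" = "root" ] || return 1
    [ "$group" = "kvm" ] || return 1
    return 0
}

# Walk a directory of device nodes (default /dev/vfio), print one line per
# node, and return 1 if any node violates the policy.
audit_vfio_dir() {
    dir=${1:-/dev/vfio}
    rc=0
    for node in "$dir"/*; do
        [ -e "$node" ] || continue
        set -- $(stat -c '%A %U %G' "$node")
        if check_node_perms "$1" "$2" "$3"; then
            echo "OK   $node $1 $2:$3"
        else
            echo "BAD  $node $1 $2:$3"
            rc=1
        fi
    done
    return $rc
}

# Run the live audit only when invoked directly, e.g. `sh check_vfio_perms.sh`.
if [ "${0##*/}" = "check_vfio_perms.sh" ]; then
    audit_vfio_dir "${1:-/dev/vfio}"
fi
```

Running `audit_vfio_dir` after `modprobe vfio` on an unpatched system would flag the world-writable container node from the commit message; after the 65-vfio.rules file is installed and udev has re-triggered the device, the same node should report OK.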
Diffstat (limited to 'app-emulation/qemu')
-rw-r--r--  app-emulation/qemu/files/65-vfio.rules                                                          2
-rw-r--r--  app-emulation/qemu/qemu-2.11.1-r2.ebuild (renamed from app-emulation/qemu/qemu-2.11.1-r1.ebuild)  1
2 files changed, 3 insertions, 0 deletions
diff --git a/app-emulation/qemu/files/65-vfio.rules b/app-emulation/qemu/files/65-vfio.rules
new file mode 100644
index 000000000000..099b655683de
--- /dev/null
+++ b/app-emulation/qemu/files/65-vfio.rules
@@ -0,0 +1,2 @@
+SUBSYSTEM=="vfio", OWNER="root", GROUP="kvm"
+KERNEL=="vfio", OWNER="root", GROUP="kvm", MODE="0660"
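Review bot: the first rule, `SUBSYSTEM=="vfio", OWNER="root", GROUP="kvm"`, sets ownership but no MODE, so any vfio node it matches that is not the container (KERNEL=="vfio") keeps whatever default mode it was created with, which may leave group kvm unable to open it or, in the case the commit message describes, leave other bits set. If the intent is the same root:kvm, group-only access for every node in the subsystem, add `MODE="0660"` to the first rule as well; the second rule then only needs to exist if the container node is meant to differ.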
diff --git a/app-emulation/qemu/qemu-2.11.1-r1.ebuild b/app-emulation/qemu/qemu-2.11.1-r2.ebuild
index d0d85a2ac09a..1eea347cd1d0 100644
--- a/app-emulation/qemu/qemu-2.11.1-r1.ebuild
+++ b/app-emulation/qemu/qemu-2.11.1-r2.ebuild
@@ -679,6 +679,7 @@ src_install() {
if use kernel_linux; then
udev_newrules "${FILESDIR}"/65-kvm.rules-r1 65-kvm.rules
+ udev_newrules "${FILESDIR}"/65-vfio.rules 65-vfio.rules
fi
if use python; then
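Review bot: the rule file only governs nodes created after udev has loaded it, and nothing in this hunk tells the user that an already-present /dev/vfio/vfio keeps its old mode until the rules are reloaded and the device re-triggered (or the vfio modules are reloaded). A short elog/ewarn in pkg_postinst pointing this out, next to where 65-vfio.rules is installed, would save users from assuming the upgrade alone fixed the permissions.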