From 2fc1bc6c7b1f41a3a7df74ce8e170996eb7e36d9 Mon Sep 17 00:00:00 2001 From: Matthias Maier Date: Tue, 27 Mar 2018 10:10:52 -0500 Subject: app-emulation/qemu: add rule to fix permissions on /dev/vfio/vfio The device node /dev/vfio/vfio gets created on modprobing the vfio* modules. This happens in particular on demand when a qemu vm with PCI passthrough is started up. The default permissios for the freshly created device node is crw-rw-rw- 1 root root 10, 196 Mar 27 08:44 /dev/vfio/vfio This is terrible. This patch adds an udev rules and makes sure that the device node has rw permissions for user root, and group kvm (and no permissions for all). This fixes - startup when a qemu-kvm is started as non-root (provided the user is in group kvm, which is our current policy for accessing /dev/kvm, etc., anyway). - work around this security vulnerability, where /dev/vfio/vfio is created with world writable permissions upon modprobe. [1] Thanks to username234, Kash Pande, Ted Rodgers for discovery and patch! [1] Steps to reproduce: % ls -la /dev/vfio/vfio crw------- 1 root root 10, 196 Mar 27 15:40 /dev/vfio/vfio % modprobe vfio % ls -la /dev/vfio/vfio crw-rw-rw- 1 root root 10, 196 Mar 27 15:41 /dev/vfio/vfio [2] I cannot find an udev rule installed by libvirt/qemu/... that triggers these permissions. Bug: https://bugs.gentoo.org/651668 Package-Manager: Portage-2.3.24, Repoman-2.3.6 RepoMan-Options: --force --- app-emulation/qemu/files/65-vfio.rules | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 app-emulation/qemu/files/65-vfio.rules (limited to 'app-emulation/qemu/files') diff --git a/app-emulation/qemu/files/65-vfio.rules b/app-emulation/qemu/files/65-vfio.rules new file mode 100644 index 000000000000..099b655683de --- /dev/null +++ b/app-emulation/qemu/files/65-vfio.rules @@ -0,0 +1,2 @@ +SUBSYSTEM=="vfio", OWNER="root", GROUP="kvm" +KERNEL=="vfio", OWNER="root", GROUP="kvm", MODE="0660" -- cgit v1.2.3-65-gdbad