Re: [PATCH 2/2] pci: allow sysfs file owner to read device dependent config space

[Daniel P. Berrange]

On Thu, May 13, 2010 at 01:56:53PM +0300, Avi Kivity wrote:
> On 05/13/2010 04:29 AM, Chris Wright wrote:
> >The PCI config space bin_attr read handler has a hardcoded CAP_SYS_ADMIN
> >check to verify privileges before allowing a user to read device
> >dependent config space.  This is meant to protect from an unprivileged
> >user potentially locking up the box.
> >
> >When assigning a PCI device directly to a guest with libvirt and KVM,
> >the sysfs config space file is chown'd to the unprivileged user that
> >the KVM guest will run as.  The guest needs to have full access to the
> >device's config space since it's responsible for driving the device.
> >However, despite being the owner of the sysfs file, the CAP_SYS_ADMIN
> >check will not allow read access beyond the config header.
> >
> >With this patch the sysfs file owner is also considered privileged enough
> >to read all of the config space.
> >
> >   
> 
> Related questions:
> 
> - does sysfs support selinux labels?

With a recent enough kernel + selinux policy it does.

Regards,
Daniel
-- 
|: Red Hat, Engineering, London    -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/