public inbox for gentoo-commits@lists.gentoo.org
From: "Matthias Maier" <tamiko@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/, app-emulation/qemu/
Date: Tue, 27 Mar 2018 15:44:26 +0000 (UTC)
Message-ID: <1522165444.2fc1bc6c7b1f41a3a7df74ce8e170996eb7e36d9.tamiko@gentoo>

commit:     2fc1bc6c7b1f41a3a7df74ce8e170996eb7e36d9
Author:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
AuthorDate: Tue Mar 27 15:10:52 2018 +0000
Commit:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
CommitDate: Tue Mar 27 15:44:04 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2fc1bc6c

app-emulation/qemu: add rule to fix permissions on /dev/vfio/vfio

The device node /dev/vfio/vfio gets created on modprobing the vfio*
modules. This happens in particular on demand when a qemu vm with PCI
passthrough is started up. The default permissions for the freshly
created device node are

  crw-rw-rw-  1 root root 10, 196 Mar 27 08:44 /dev/vfio/vfio

This is terrible.

This patch adds a udev rule and makes sure that the device node has rw
permissions for user root, and group kvm (and no permissions for all).
This fixes

 - startup when a qemu-kvm is started as non-root (provided the user is
   in group kvm, which is our current policy for accessing /dev/kvm, etc.,
   anyway).

 - works around this security vulnerability, where /dev/vfio/vfio is
   created with world writable permissions upon modprobe. [1]

Thanks to username234, Kash Pande, Ted Rodgers for discovery and patch!

[1] Steps to reproduce:

    % ls -la /dev/vfio/vfio
    crw-------  1 root root 10, 196 Mar 27 15:40 /dev/vfio/vfio

    % modprobe vfio

    % ls -la /dev/vfio/vfio
    crw-rw-rw-  1 root root 10, 196 Mar 27 15:41 /dev/vfio/vfio

[2] I cannot find a udev rule installed by libvirt/qemu/... that
    triggers these permissions.

Bug: https://bugs.gentoo.org/651668
Package-Manager: Portage-2.3.24, Repoman-2.3.6
RepoMan-Options: --force

 app-emulation/qemu/files/65-vfio.rules                              | 2 ++
 app-emulation/qemu/{qemu-2.11.1-r1.ebuild => qemu-2.11.1-r2.ebuild} | 1 +
 2 files changed, 3 insertions(+)

diff --git a/app-emulation/qemu/files/65-vfio.rules b/app-emulation/qemu/files/65-vfio.rules
new file mode 100644
index 00000000000..099b655683d
--- /dev/null
+++ b/app-emulation/qemu/files/65-vfio.rules
@@ -0,0 +1,2 @@
+SUBSYSTEM=="vfio", OWNER="root", GROUP="kvm"
+KERNEL=="vfio", OWNER="root", GROUP="kvm", MODE="0660"
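Review bot: the first rule, `SUBSYSTEM=="vfio", OWNER="root", GROUP="kvm"`, sets owner and group but no MODE, while only the second rule, `KERNEL=="vfio", OWNER="root", GROUP="kvm", MODE="0660"`, pins the mode of the /dev/vfio/vfio container node. Any other node udev matches under SUBSYSTEM vfio therefore gets its owner and group changed but keeps whatever default mode it was created with, which may or may not be what group kvm needs to open it. If the intent is that kvm members can use those nodes too, add `MODE="0660"` to the first rule; if the asymmetry is deliberate, a comment line in the rules file saying why only /dev/vfio/vfio gets an explicit mode would spare the next reader the guesswork.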

diff --git a/app-emulation/qemu/qemu-2.11.1-r1.ebuild b/app-emulation/qemu/qemu-2.11.1-r2.ebuild
similarity index 99%
rename from app-emulation/qemu/qemu-2.11.1-r1.ebuild
rename to app-emulation/qemu/qemu-2.11.1-r2.ebuild
index d0d85a2ac09..1eea347cd1d 100644
--- a/app-emulation/qemu/qemu-2.11.1-r1.ebuild
+++ b/app-emulation/qemu/qemu-2.11.1-r2.ebuild
@@ -679,6 +679,7 @@ src_install() {
 
 		if use kernel_linux; then
 			udev_newrules "${FILESDIR}"/65-kvm.rules-r1 65-kvm.rules
+			udev_newrules "${FILESDIR}"/65-vfio.rules 65-vfio.rules
 		fi
 
 		if use python; then
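Review bot: this installs the rule for newly created device nodes only; a /dev/vfio/vfio that already exists with the 0666 mode the commit message describes keeps that mode until udev re-processes the device (a trigger for the vfio subsystem or a reboot), so systems upgrading with vfio already loaded stay exposed after the merge. A pkg_postinst elog pointing this out, or a step that reloads rules and re-triggers the device, would close that window. Minor: the file is already named 65-vfio.rules, so `udev_dorules "${FILESDIR}"/65-vfio.rules` does the same as udev_newrules with an identical target name and keeps the call shorter.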
