[gentoo-hardened] Problem with usb-passthrough using libvirt with hardened-sources-3.15.8

[gentoo-hardened] Problem with usb-passthrough using libvirt with hardened-sources-3.15.8

[Marcin Mirosław]

Hi!
A few days ago I boot KVM host with hardened kernel. After some time I
noticed that usb passthrough from host to kvm guest doesn't work. Simply
sayoing guest didn't seen any usb device. After switching kernel on host
to gentoo-sources-{3.14.14,3.16.2} usb-passthrough works as I expect. I
didn't any related information in logs.
Does libvirt or grsec need special configuration to have such feature
working?
Thanks,
Marcin

Re: [gentoo-hardened] Problem with usb-passthrough using libvirt with hardened-sources-3.15.8

["Tóth Attila"]

2014.Szeptember 16.(K) 11:05 időpontban Marcin Mirosław ezt írta:
> A few days ago I boot KVM host with hardened kernel. After some time I
> noticed that usb passthrough from host to kvm guest doesn't work. Simply
> sayoing guest didn't seen any usb device. After switching kernel on host
> to gentoo-sources-{3.14.14,3.16.2} usb-passthrough works as I expect. I
> didn't any related information in logs.
> Does libvirt or grsec need special configuration to have such feature
> working?

I don't use KVM or libvirt, but I would suggest to check out your grsec
logs for denials.
Also there is a new capability introduced not so long ago:
CAP_BLOCK_SUSPEND
Some daemons and executables may complain - but in my case were
functioning properly anyways. May be not related to your problem.

BR: Dw.
-- 
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057


-- 
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

Re: [gentoo-hardened] Problem with usb-passthrough using libvirt with hardened-sources-3.15.8

[Marcin Mirosław]

W dniu 16.09.2014 o 14:34, "Tóth Attila" pisze:
> 2014.Szeptember 16.(K) 11:05 időpontban Marcin Mirosław ezt írta:
>> A few days ago I boot KVM host with hardened kernel. After some time I
>> noticed that usb passthrough from host to kvm guest doesn't work. Simply
>> sayoing guest didn't seen any usb device. After switching kernel on host
>> to gentoo-sources-{3.14.14,3.16.2} usb-passthrough works as I expect. I
>> didn't any related information in logs.
>> Does libvirt or grsec need special configuration to have such feature
>> working?
> 
> I don't use KVM or libvirt, but I would suggest to check out your grsec
> logs for denials.
> Also there is a new capability introduced not so long ago:
> CAP_BLOCK_SUSPEND
> Some daemons and executables may complain - but in my case were
> functioning properly anyways. May be not related to your problem.

Hi!
I don't use RBAC nor in kernel.log nor in dmesg nor in libvirt log I
didn't see any suspicious entries.
Regards,
Marcin

Re: [gentoo-hardened] Problem with usb-passthrough using libvirt with hardened-sources-3.15.8

[Anthony G. Basile]

On 09/17/14 08:04, Marcin Mirosław wrote:
> W dniu 16.09.2014 o 14:34, "Tóth Attila" pisze:
>> 2014.Szeptember 16.(K) 11:05 időpontban Marcin Mirosław ezt írta:
>>> A few days ago I boot KVM host with hardened kernel. After some time I
>>> noticed that usb passthrough from host to kvm guest doesn't work. Simply
>>> sayoing guest didn't seen any usb device. After switching kernel on host
>>> to gentoo-sources-{3.14.14,3.16.2} usb-passthrough works as I expect. I
>>> didn't any related information in logs.
>>> Does libvirt or grsec need special configuration to have such feature
>>> working?
>>
>> I don't use KVM or libvirt, but I would suggest to check out your grsec
>> logs for denials.
>> Also there is a new capability introduced not so long ago:
>> CAP_BLOCK_SUSPEND
>> Some daemons and executables may complain - but in my case were
>> functioning properly anyways. May be not related to your problem.
>
> Hi!
> I don't use RBAC nor in kernel.log nor in dmesg nor in libvirt log I
> didn't see any suspicious entries.
> Regards,
> Marcin
>

Was there an earlier version of hardened-sources which *did* work?

Also, trust the menu options under grsecurity in Kconfig where it says 
virtualization etc etc.  Some options are too strict for a virt 
environment.  Having said that, though, if usb is the only thing not 
working, I suspect that maybe its some misconfiguration in the 
host/client Kconfigs for kvm not related to hardened.

-- 
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197

Re: [gentoo-hardened] Problem with usb-passthrough using libvirt with hardened-sources-3.15.8

[Marcin Mirosław]

W dniu 2014-09-18 o 00:34, Anthony G. Basile pisze:
> On 09/17/14 08:04, Marcin Mirosław wrote:
>> W dniu 16.09.2014 o 14:34, "Tóth Attila" pisze:
>>> 2014.Szeptember 16.(K) 11:05 időpontban Marcin Mirosław ezt írta:
>>>> A few days ago I boot KVM host with hardened kernel. After some time I
>>>> noticed that usb passthrough from host to kvm guest doesn't work.
>>>> Simply
>>>> sayoing guest didn't seen any usb device. After switching kernel on
>>>> host
>>>> to gentoo-sources-{3.14.14,3.16.2} usb-passthrough works as I expect. I
>>>> didn't any related information in logs.
>>>> Does libvirt or grsec need special configuration to have such feature
>>>> working?
>>>
>>> I don't use KVM or libvirt, but I would suggest to check out your grsec
>>> logs for denials.
>>> Also there is a new capability introduced not so long ago:
>>> CAP_BLOCK_SUSPEND
>>> Some daemons and executables may complain - but in my case were
>>> functioning properly anyways. May be not related to your problem.
>>
>> Hi!
>> I don't use RBAC nor in kernel.log nor in dmesg nor in libvirt log I
>> didn't see any suspicious entries.
>> Regards,
>> Marcin
>>

Hi all!

> Was there an earlier version of hardened-sources which *did* work?

I don't know. When some time ago I was using hardened-sources on host I
didn't use usb passthrough in that time. Later I stopped to use
hardened-sources (kernel was unstable in such enviroment but I didn't
report it) and started to use gentoo-sources. Some time later I started
to use usb passtrough.

> Also, trust the menu options under grsecurity in Kconfig where it says
> virtualization etc etc.  Some options are too strict for a virt
> environment.  Having said that, though, if usb is the only thing not
> working, I suspect that maybe its some misconfiguration in the
> host/client Kconfigs for kvm not related to hardened.

I used .config from gentoo-sources->make oldconfig->changed options in
grsec menu. Meseems I didn't change anything in kvm related options in
kernel.

Marcin