| 1 |
W dniu 2014-09-18 o 00:34, Anthony G. Basile pisze: |
| 2 |
> On 09/17/14 08:04, Marcin Miros³aw wrote: |
| 3 |
>> W dniu 16.09.2014 o 14:34, "Tóth Attila" pisze: |
| 4 |
>>> 2014.Szeptember 16.(K) 11:05 idõpontban Marcin Miros³aw ezt írta: |
| 5 |
>>>> A few days ago I boot KVM host with hardened kernel. After some time I |
| 6 |
>>>> noticed that usb passthrough from host to kvm guest doesn't work. |
| 7 |
>>>> Simply |
| 8 |
>>>> sayoing guest didn't seen any usb device. After switching kernel on |
| 9 |
>>>> host |
| 10 |
>>>> to gentoo-sources-{3.14.14,3.16.2} usb-passthrough works as I expect. I |
| 11 |
>>>> didn't any related information in logs. |
| 12 |
>>>> Does libvirt or grsec need special configuration to have such feature |
| 13 |
>>>> working? |
| 14 |
>>> |
| 15 |
>>> I don't use KVM or libvirt, but I would suggest to check out your grsec |
| 16 |
>>> logs for denials. |
| 17 |
>>> Also there is a new capability introduced not so long ago: |
| 18 |
>>> CAP_BLOCK_SUSPEND |
| 19 |
>>> Some daemons and executables may complain - but in my case were |
| 20 |
>>> functioning properly anyways. May be not related to your problem. |
| 21 |
>> |
| 22 |
>> Hi! |
| 23 |
>> I don't use RBAC nor in kernel.log nor in dmesg nor in libvirt log I |
| 24 |
>> didn't see any suspicious entries. |
| 25 |
>> Regards, |
| 26 |
>> Marcin |
| 27 |
>> |
| 28 |
|
| 29 |
Hi all! |
| 30 |
|
| 31 |
> Was there an earlier version of hardened-sources which *did* work? |
| 32 |
|
| 33 |
I don't know. When some time ago I was using hardened-sources on host I |
| 34 |
didn't use usb passthrough in that time. Later I stopped to use |
| 35 |
hardened-sources (kernel was unstable in such enviroment but I didn't |
| 36 |
report it) and started to use gentoo-sources. Some time later I started |
| 37 |
to use usb passtrough. |
| 38 |
|
| 39 |
> Also, trust the menu options under grsecurity in Kconfig where it says |
| 40 |
> virtualization etc etc. Some options are too strict for a virt |
| 41 |
> environment. Having said that, though, if usb is the only thing not |
| 42 |
> working, I suspect that maybe its some misconfiguration in the |
| 43 |
> host/client Kconfigs for kvm not related to hardened. |
| 44 |
|
| 45 |
I used .config from gentoo-sources->make oldconfig->changed options in |
| 46 |
grsec menu. Meseems I didn't change anything in kvm related options in |
| 47 |
kernel. |
| 48 |
|
| 49 |
Marcin |
Archives