commit: 2fc1bc6c7b1f41a3a7df74ce8e170996eb7e36d9
Author: Matthias Maier <tamiko <AT> gentoo <DOT> org>
AuthorDate: Tue Mar 27 15:10:52 2018 +0000
Commit: Matthias Maier <tamiko <AT> gentoo <DOT> org>
CommitDate: Tue Mar 27 15:44:04 2018 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2fc1bc6c

app-emulation/qemu: add rule to fix permissions on /dev/vfio/vfio

The device node /dev/vfio/vfio gets created on modprobing the vfio*
modules. This happens in particular on demand when a qemu vm with PCI
passthrough is started up. The default permissions for the freshly
created device node are

crw-rw-rw- 1 root root 10, 196 Mar 27 08:44 /dev/vfio/vfio

This is terrible.

This patch adds a udev rule and makes sure that the device node has rw
permissions for user root, and group kvm (and no permissions for all).
This fixes

- startup when a qemu-kvm is started as non-root (provided the user is
in group kvm, which is our current policy for accessing /dev/kvm, etc.,
anyway).

- work around this security vulnerability, where /dev/vfio/vfio is
created with world writable permissions upon modprobe. [1]

Thanks to username234, Kash Pande, Ted Rodgers for discovery and patch!

[1] Steps to reproduce:

% ls -la /dev/vfio/vfio
crw------- 1 root root 10, 196 Mar 27 15:40 /dev/vfio/vfio

% modprobe vfio

% ls -la /dev/vfio/vfio
crw-rw-rw- 1 root root 10, 196 Mar 27 15:41 /dev/vfio/vfio

[2] I cannot find a udev rule installed by libvirt/qemu/... that
triggers these permissions.

Bug: https://bugs.gentoo.org/651668
Package-Manager: Portage-2.3.24, Repoman-2.3.6
RepoMan-Options: --force

app-emulation/qemu/files/65-vfio.rules | 2 ++
app-emulation/qemu/{qemu-2.11.1-r1.ebuild => qemu-2.11.1-r2.ebuild} | 1 +
2 files changed, 3 insertions(+)

diff --git a/app-emulation/qemu/files/65-vfio.rules b/app-emulation/qemu/files/65-vfio.rules
new file mode 100644
index 00000000000..099b655683d
--- /dev/null
+++ b/app-emulation/qemu/files/65-vfio.rules
@@ -0,0 +1,2 @@
+SUBSYSTEM=="vfio", OWNER="root", GROUP="kvm"
+KERNEL=="vfio", OWNER="root", GROUP="kvm", MODE="0660"

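Review bot: the first rule, `SUBSYSTEM=="vfio", OWNER="root", GROUP="kvm"`, sets ownership but no MODE, so any node it matches keeps its default permission bits; only the second rule, matched by `KERNEL=="vfio"`, enforces the 0660 that the commit message describes as the goal (rw for root and group kvm, nothing for others). If every node under /dev/vfio/ is meant to get that treatment, add `MODE="0660"` to the first rule as well; if the first rule is deliberately limited to ownership, a one-line comment in the file stating that intent and pointing at bug 651668 would make it reviewable later without re-deriving it from the bug tracker.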
diff --git a/app-emulation/qemu/qemu-2.11.1-r1.ebuild b/app-emulation/qemu/qemu-2.11.1-r2.ebuild
similarity index 99%
rename from app-emulation/qemu/qemu-2.11.1-r1.ebuild
rename to app-emulation/qemu/qemu-2.11.1-r2.ebuild
index d0d85a2ac09..1eea347cd1d 100644
--- a/app-emulation/qemu/qemu-2.11.1-r1.ebuild
+++ b/app-emulation/qemu/qemu-2.11.1-r2.ebuild
@@ -679,6 +679,7 @@ src_install() {

if use kernel_linux; then
udev_newrules "${FILESDIR}"/65-kvm.rules-r1 65-kvm.rules
+ udev_newrules "${FILESDIR}"/65-vfio.rules 65-vfio.rules
fi

if use python; then
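Review bot: the source and installed names are identical here, so `udev_dorules "${FILESDIR}"/65-vfio.rules` states the intent more directly than `udev_newrules`; the newrules form on the line above is needed only because 65-kvm.rules-r1 is renamed on install. Separately, the new rules file only affects nodes that udev processes after the rules have been (re)loaded: a /dev/vfio/vfio node that already exists with the 0666 mode shown in the commit message keeps it until the rules are re-triggered or the module is reloaded. A pkg_postinst elog telling users to run `udevadm control --reload-rules` followed by `udevadm trigger` (or to reboot) would close that gap for systems upgrading to -r2.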