| 1 |
commit: 2fc1bc6c7b1f41a3a7df74ce8e170996eb7e36d9 |
| 2 |
Author: Matthias Maier <tamiko <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Tue Mar 27 15:10:52 2018 +0000 |
| 4 |
Commit: Matthias Maier <tamiko <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Tue Mar 27 15:44:04 2018 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2fc1bc6c |
| 7 |
|
| 8 |
app-emulation/qemu: add rule to fix permissions on /dev/vfio/vfio |
| 9 |
|
| 10 |
The device node /dev/vfio/vfio gets created on modprobing the vfio* |
| 11 |
modules. This happens in particular on demand when a qemu vm with PCI |
| 12 |
passthrough is started up. The default permissios for the freshly |
| 13 |
created device node is |
| 14 |
|
| 15 |
crw-rw-rw- 1 root root 10, 196 Mar 27 08:44 /dev/vfio/vfio |
| 16 |
|
| 17 |
This is terrible. |
| 18 |
|
| 19 |
This patch adds an udev rules and makes sure that the device node has rw |
| 20 |
permissions for user root, and group kvm (and no permissions for all). |
| 21 |
This fixes |
| 22 |
|
| 23 |
- startup when a qemu-kvm is started as non-root (provided the user is |
| 24 |
in group kvm, which is our current policy for accessing /dev/kvm, etc., |
| 25 |
anyway). |
| 26 |
|
| 27 |
- work around this security vulnerability, where /dev/vfio/vfio is |
| 28 |
created with world writable permissions upon modprobe. [1] |
| 29 |
|
| 30 |
Thanks to username234, Kash Pande, Ted Rodgers for discovery and patch! |
| 31 |
|
| 32 |
[1] Steps to reproduce: |
| 33 |
|
| 34 |
% ls -la /dev/vfio/vfio |
| 35 |
crw------- 1 root root 10, 196 Mar 27 15:40 /dev/vfio/vfio |
| 36 |
|
| 37 |
% modprobe vfio |
| 38 |
|
| 39 |
% ls -la /dev/vfio/vfio |
| 40 |
crw-rw-rw- 1 root root 10, 196 Mar 27 15:41 /dev/vfio/vfio |
| 41 |
|
| 42 |
[2] I cannot find an udev rule installed by libvirt/qemu/... that |
| 43 |
triggers these permissions. |
| 44 |
|
| 45 |
Bug: https://bugs.gentoo.org/651668 |
| 46 |
Package-Manager: Portage-2.3.24, Repoman-2.3.6 |
| 47 |
RepoMan-Options: --force |
| 48 |
|
| 49 |
app-emulation/qemu/files/65-vfio.rules | 2 ++ |
| 50 |
app-emulation/qemu/{qemu-2.11.1-r1.ebuild => qemu-2.11.1-r2.ebuild} | 1 + |
| 51 |
2 files changed, 3 insertions(+) |
| 52 |
|
| 53 |
diff --git a/app-emulation/qemu/files/65-vfio.rules b/app-emulation/qemu/files/65-vfio.rules |
| 54 |
new file mode 100644 |
| 55 |
index 00000000000..099b655683d |
| 56 |
--- /dev/null |
| 57 |
+++ b/app-emulation/qemu/files/65-vfio.rules |
| 58 |
@@ -0,0 +1,2 @@ |
| 59 |
+SUBSYSTEM=="vfio", OWNER="root", GROUP="kvm" |
| 60 |
+KERNEL=="vfio", OWNER="root", GROUP="kvm", MODE="0660" |
| 61 |
|
| 62 |
diff --git a/app-emulation/qemu/qemu-2.11.1-r1.ebuild b/app-emulation/qemu/qemu-2.11.1-r2.ebuild |
| 63 |
similarity index 99% |
| 64 |
rename from app-emulation/qemu/qemu-2.11.1-r1.ebuild |
| 65 |
rename to app-emulation/qemu/qemu-2.11.1-r2.ebuild |
| 66 |
index d0d85a2ac09..1eea347cd1d 100644 |
| 67 |
--- a/app-emulation/qemu/qemu-2.11.1-r1.ebuild |
| 68 |
+++ b/app-emulation/qemu/qemu-2.11.1-r2.ebuild |
| 69 |
@@ -679,6 +679,7 @@ src_install() { |
| 70 |
|
| 71 |
if use kernel_linux; then |
| 72 |
udev_newrules "${FILESDIR}"/65-kvm.rules-r1 65-kvm.rules |
| 73 |
+ udev_newrules "${FILESDIR}"/65-vfio.rules 65-vfio.rules |
| 74 |
fi |
| 75 |
|
| 76 |
if use python; then |
Archives