v2: Update API documentation for each patch
v3: Incorporate Sasha's comments: kobject path, separate func, and CONFIG_SYSFS
Two patches to try to better secure the device assignment ioctl.
This firt patch makes KVM_DEV_ASSIGN_ENABLE_IOMMU a mandatory
option when assigning a device. I don't believe we have any
users of this option, so I think we can skip any deprecation
period, especially since it's existence is rather dangerous.
The second patch introduces some file permission checking that Avi
suggested. If a user has been granted read/write permission to
the PCI sysfs BAR resource files, this is a good indication that
they have access to the device. We can't call sys_faccessat
directly (not exported), but the important bits are self contained
enough to include directly. This still works with sudo and libvirt
usage, the latter already grants qemu permission to these files.
Alex Williamson (2):
kvm: Device assignment permission checks
kvm: Remove ability to assign a device without iommu support
Documentation/virtual/kvm/api.txt | 7 +++
virt/kvm/assigned-dev.c | 90 +++++++++++++++++++++++++++++++++-
2 files changed, 88 insertions(+), 9 deletions(-)
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to firstname.lastname@example.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/