[libvirt] [PATCH 0/5] Override the permissions on /dev/sev when probing

Erik Skultety posted 5 patches 11 weeks ago
Test syntax-check passed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/cover.1548948096.git.eskultet@redhat.com
docs/drvqemu.html.in               |  2 +-
src/qemu/qemu.conf                 |  2 +-
src/qemu/qemu_capabilities.c       | 11 +++++++
src/qemu/qemu_cgroup.c             | 21 +++++++++++-
src/qemu/qemu_domain.c             | 24 ++++++++++++++
src/qemu/test_libvirtd_qemu.aug.in |  1 -
src/security/security_dac.c        | 51 ++++++++++++++++++++++++++++++
src/util/virutil.c                 | 31 ++++++++++++++++--
8 files changed, 137 insertions(+), 6 deletions(-)

[libvirt] [PATCH 0/5] Override the permissions on /dev/sev when probing

Posted by Erik Skultety 11 weeks ago
The problem with /dev/sev's default permissions (0600 root:root) is that we
can't make it more permissive at the moment otherwise we'd weaken the security
of SEV and potentially open the door for a DOS attack. Therefore, the
alternative approach is to set CAP_DAC_OVERRIDE capability for the probing QEMU
process (and *only* when probing) so that libvirt truly works with SEV. As a
necessary side job, this series also makes /dev/sev only available to machines
that need it, thus mitigating the possible attack surface even more.

Erik Skultety (5):
  qemu: conf: Remove /dev/sev from the default cgroup device acl list
  qemu: cgroup: Expose /dev/sev/ only to domains that require SEV
  qemu: domain: Add /dev/sev into the domain mount namespace selectively
  security: dac: Relabel /dev/sev in the namespace
  qemu: caps: Use CAP_DAC_OVERRIDE for probing to avoid permission
    issues

 docs/drvqemu.html.in               |  2 +-
 src/qemu/qemu.conf                 |  2 +-
 src/qemu/qemu_capabilities.c       | 11 +++++++
 src/qemu/qemu_cgroup.c             | 21 +++++++++++-
 src/qemu/qemu_domain.c             | 24 ++++++++++++++
 src/qemu/test_libvirtd_qemu.aug.in |  1 -
 src/security/security_dac.c        | 51 ++++++++++++++++++++++++++++++
 src/util/virutil.c                 | 31 ++++++++++++++++--
 8 files changed, 137 insertions(+), 6 deletions(-)

--
2.20.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list