The problem with /dev/sev's default permissions (0600 root:root) is that we
can't make it more permissive at the moment otherwise we'd weaken the security
of SEV and potentially open the door for a DOS attack. Therefore, the
alternative approach is to set CAP_DAC_OVERRIDE capability for the probing QEMU
process (and *only* when probing) so that libvirt truly works with SEV. As a
necessary side job, this series also makes /dev/sev only available to machines
that need it, thus mitigating the possible attack surface even more.

Erik Skultety (5):
  qemu: conf: Remove /dev/sev from the default cgroup device acl list
  qemu: cgroup: Expose /dev/sev/ only to domains that require SEV
  qemu: domain: Add /dev/sev into the domain mount namespace selectively
  security: dac: Relabel /dev/sev in the namespace
  qemu: caps: Use CAP_DAC_OVERRIDE for probing to avoid permission
    issues

 docs/drvqemu.html.in               |  2 +-
 src/qemu/qemu.conf                 |  2 +-
 src/qemu/qemu_capabilities.c       | 11 +++++++
 src/qemu/qemu_cgroup.c             | 21 +++++++++++-
 src/qemu/qemu_domain.c             | 24 ++++++++++++++
 src/qemu/test_libvirtd_qemu.aug.in |  1 -
 src/security/security_dac.c        | 51 ++++++++++++++++++++++++++++++
 src/util/virutil.c                 | 31 ++++++++++++++++--
 8 files changed, 137 insertions(+), 6 deletions(-)

--
2.20.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list